nixos/rspamd: fix postfix integration

Jörg Thalheim 2020-11-29 12:51:53 +01:00
parent 9cca2eb4c8
commit 3b6ef967f3
2 changed files with 38 additions and 27 deletions


@ -371,6 +371,9 @@ in
}; };
services.postfix.config = mkIf cfg.postfix.enable cfg.postfix.config; services.postfix.config = mkIf cfg.postfix.enable cfg.postfix.config;
systemd.services.postfix.serviceConfig.SupplementaryGroups =
mkIf cfg.postfix.enable [ postfixCfg.group ];
# Allow users to run 'rspamc' and 'rspamadm'. # Allow users to run 'rspamc' and 'rspamadm'.
environment.systemPackages = [ pkgs.rspamd ]; environment.systemPackages = [ pkgs.rspamd ];
@ -399,6 +402,7 @@ in
User = "${cfg.user}"; User = "${cfg.user}";
Group = "${cfg.group}"; Group = "${cfg.group}";
SupplementaryGroups = mkIf cfg.postfix.enable [ postfixCfg.group ];
RuntimeDirectory = "rspamd"; RuntimeDirectory = "rspamd";
RuntimeDirectoryMode = "0755"; RuntimeDirectoryMode = "0755";
@ -413,7 +417,8 @@ in
PrivateDevices = true; PrivateDevices = true;
PrivateMounts = true; PrivateMounts = true;
PrivateTmp = true; PrivateTmp = true;
PrivateUsers = true; # we need to chown socket to rspamd-milter
PrivateUsers = !cfg.postfix.enable;
ProtectClock = true; ProtectClock = true;
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectHome = true; ProtectHome = true;
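Review bot: The new `PrivateUsers = !cfg.postfix.enable;` in the third hunk switches off user-namespace isolation for the whole rspamd unit on every host with the postfix integration enabled, and the one-line comment above it only says "we need to chown socket" without saying why that forces the change; I would expand it to `# Under PrivateUsers every uid/gid other than root and the service's own appears as nobody, so chown(2) of the milter socket to the postfix group fails; only this setting is dropped, the rest of the sandbox stays.` Since the weakened sandbox now follows from a user-facing option, the description of `postfix.enable` (outside this diff) should mention it as well. In the first hunk, `systemd.services.postfix.serviceConfig.SupplementaryGroups = mkIf cfg.postfix.enable [ postfixCfg.group ];` grants the postfix unit its own group, which looks like a no-op; if the intent was for postfix to reach sockets owned by rspamd's group, `cfg.group` may have been meant, please confirm. The attribute set these hunks belong to is closed outside the diff.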


@ -13,10 +13,12 @@ let
machine.succeed("id rspamd >/dev/null") machine.succeed("id rspamd >/dev/null")
''; '';
checkSocket = socket: user: group: mode: '' checkSocket = socket: user: group: mode: ''
machine.succeed("ls ${socket} >/dev/null") machine.succeed(
machine.succeed('[[ "$(stat -c %U ${socket})" == "${user}" ]]') "ls ${socket} >/dev/null",
machine.succeed('[[ "$(stat -c %G ${socket})" == "${group}" ]]') '[[ "$(stat -c %U ${socket})" == "${user}" ]]',
machine.succeed('[[ "$(stat -c %a ${socket})" == "${mode}" ]]') '[[ "$(stat -c %G ${socket})" == "${group}" ]]',
'[[ "$(stat -c %a ${socket})" == "${mode}" ]]',
)
''; '';
simple = name: enableIPv6: makeTest { simple = name: enableIPv6: makeTest {
name = "rspamd-${name}"; name = "rspamd-${name}";
@ -54,33 +56,35 @@ in
services.rspamd = { services.rspamd = {
enable = true; enable = true;
workers.normal.bindSockets = [{ workers.normal.bindSockets = [{
socket = "/run/rspamd.sock"; socket = "/run/rspamd/rspamd.sock";
mode = "0600"; mode = "0600";
owner = "root"; owner = "rspamd";
group = "root"; group = "rspamd";
}]; }];
workers.controller.bindSockets = [{ workers.controller.bindSockets = [{
socket = "/run/rspamd-worker.sock"; socket = "/run/rspamd/rspamd-worker.sock";
mode = "0666"; mode = "0666";
owner = "root"; owner = "rspamd";
group = "root"; group = "rspamd";
}]; }];
}; };
}; };
testScript = '' testScript = ''
${initMachine} ${initMachine}
machine.wait_for_file("/run/rspamd.sock") machine.wait_for_file("/run/rspamd/rspamd.sock")
${checkSocket "/run/rspamd.sock" "root" "root" "600" } ${checkSocket "/run/rspamd/rspamd.sock" "rspamd" "rspamd" "600" }
${checkSocket "/run/rspamd-worker.sock" "root" "root" "666" } ${checkSocket "/run/rspamd/rspamd-worker.sock" "rspamd" "rspamd" "666" }
machine.log(machine.succeed("cat /etc/rspamd/rspamd.conf")) machine.log(machine.succeed("cat /etc/rspamd/rspamd.conf"))
machine.log( machine.log(
machine.succeed("grep 'CONFDIR/worker-controller.inc' /etc/rspamd/rspamd.conf") machine.succeed("grep 'CONFDIR/worker-controller.inc' /etc/rspamd/rspamd.conf")
) )
machine.log(machine.succeed("grep 'CONFDIR/worker-normal.inc' /etc/rspamd/rspamd.conf")) machine.log(machine.succeed("grep 'CONFDIR/worker-normal.inc' /etc/rspamd/rspamd.conf"))
machine.log(machine.succeed("rspamc -h /run/rspamd-worker.sock stat")) machine.log(machine.succeed("rspamc -h /run/rspamd/rspamd-worker.sock stat"))
machine.log( machine.log(
machine.succeed("curl --unix-socket /run/rspamd-worker.sock http://localhost/ping") machine.succeed(
"curl --unix-socket /run/rspamd/rspamd-worker.sock http://localhost/ping"
)
) )
''; '';
}; };
@ -91,16 +95,16 @@ in
services.rspamd = { services.rspamd = {
enable = true; enable = true;
workers.normal.bindSockets = [{ workers.normal.bindSockets = [{
socket = "/run/rspamd.sock"; socket = "/run/rspamd/rspamd.sock";
mode = "0600"; mode = "0600";
owner = "root"; owner = "rspamd";
group = "root"; group = "rspamd";
}]; }];
workers.controller.bindSockets = [{ workers.controller.bindSockets = [{
socket = "/run/rspamd-worker.sock"; socket = "/run/rspamd/rspamd-worker.sock";
mode = "0666"; mode = "0666";
owner = "root"; owner = "rspamd";
group = "root"; group = "rspamd";
}]; }];
workers.controller2 = { workers.controller2 = {
type = "controller"; type = "controller";
@ -116,9 +120,9 @@ in
testScript = '' testScript = ''
${initMachine} ${initMachine}
machine.wait_for_file("/run/rspamd.sock") machine.wait_for_file("/run/rspamd/rspamd.sock")
${checkSocket "/run/rspamd.sock" "root" "root" "600" } ${checkSocket "/run/rspamd/rspamd.sock" "rspamd" "rspamd" "600" }
${checkSocket "/run/rspamd-worker.sock" "root" "root" "666" } ${checkSocket "/run/rspamd/rspamd-worker.sock" "rspamd" "rspamd" "666" }
machine.log(machine.succeed("cat /etc/rspamd/rspamd.conf")) machine.log(machine.succeed("cat /etc/rspamd/rspamd.conf"))
machine.log( machine.log(
machine.succeed("grep 'CONFDIR/worker-controller.inc' /etc/rspamd/rspamd.conf") machine.succeed("grep 'CONFDIR/worker-controller.inc' /etc/rspamd/rspamd.conf")
@ -137,9 +141,11 @@ in
machine.wait_until_succeeds( machine.wait_until_succeeds(
"journalctl -u rspamd | grep -i 'starting controller process' >&2" "journalctl -u rspamd | grep -i 'starting controller process' >&2"
) )
machine.log(machine.succeed("rspamc -h /run/rspamd-worker.sock stat")) machine.log(machine.succeed("rspamc -h /run/rspamd/rspamd-worker.sock stat"))
machine.log( machine.log(
machine.succeed("curl --unix-socket /run/rspamd-worker.sock http://localhost/ping") machine.succeed(
"curl --unix-socket /run/rspamd/rspamd-worker.sock http://localhost/ping"
)
) )
machine.log(machine.succeed("curl http://localhost:11335/ping")) machine.log(machine.succeed("curl http://localhost:11335/ping"))
''; '';
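Review bot: None of the test hunks exercises the postfix integration the commit title says it fixes: every change relocates the sockets into `/run/rspamd` and switches their owner from root to rspamd, but `services.rspamd.postfix.enable` is never set, so the `PrivateUsers = !cfg.postfix.enable` path and the milter socket's group and mode stay unverified. A third `makeTest` (or a variant of `simple`) with `services.rspamd.postfix.enable = true;` and a `checkSocket` call on the milter socket with the postfix group would pin the regression; the milter socket path and mode come from the module's postfix defaults, which are outside this diff, so I leave the exact values to the author. Independently of that, asserting the runtime directory itself, e.g. `machine.succeed('[[ "$(stat -c %a /run/rspamd)" == "755" ]]')`, would catch a tightened `RuntimeDirectoryMode` that silently makes the 0666 controller socket unreachable for other users. The `testScript` string closes on the hunk's last line, but the enclosing `makeTest` attribute set continues outside the hunk.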