From aa06b2f4893b7ddbcaf8adbb6adbea8b1de5e5a2 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Thu, 7 Aug 2025 23:41:43 +0200
Subject: [PATCH 1/3] Allow AF_UNIX sockets for dmarc reporter and allow group access

This is required to use redis over UNIX domain sockets.
---
 mail-server/rspamd.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/mail-server/rspamd.nix b/mail-server/rspamd.nix
index 7121a46..8b860ba 100644
--- a/mail-server/rspamd.nix
+++ b/mail-server/rspamd.nix
@@ -235,10 +235,14 @@ in
 RestrictAddressFamilies = [
 "AF_INET"
 "AF_INET6"
+ "AF_UNIX"
 ];
 RestrictNamespaces = true;
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
+ SupplementaryGroups = lib.optionals cfg.redis.configureLocally [ config.services.redis.servers.rspamd.group ];
 SystemCallArchitectures = "native";
 SystemCallFilter = [
 "@system-service"
From 43f87f55205ded95b1583bfa9e7a6cdf216c31c6 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Thu, 7 Aug 2025 23:45:03 +0200
Subject: [PATCH 2/3] Tokenize dmarc reporter commandline

---
 mail-server/rspamd.nix | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/mail-server/rspamd.nix b/mail-server/rspamd.nix
index 8b860ba..758ea7e 100644
--- a/mail-server/rspamd.nix
+++ b/mail-server/rspamd.nix
@@ -204,9 +204,11 @@ in
 # Explicitly select yesterday's date to work around broken
 # default behaviour when called without a date.
 # https://github.com/rspamd/rspamd/issues/4062
- script = '' ${pkgs.rspamd}/bin/rspamadm dmarc_report $(date -d "yesterday" "+%Y%m%d") '';
+ script = toString [ (lib.getExe' pkgs.rspamd "rspamadm") "dmarc_report" "$(date -d 'yesterday' '+%Y%m%d')" ];
 serviceConfig = {
 User = "${config.services.rspamd.user}";
 Group = "${config.services.rspamd.group}";
From fc955088e386ede0e861bbecdd45a04ae5996540 Mon Sep 17 00:00:00 2001
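Review bot: `"AF_UNIX"` is added to `RestrictAddressFamilies` unconditionally while the `SupplementaryGroups` grant a few lines below is gated on `cfg.redis.configureLocally`, so deployments that never use the local Redis socket still get the address family opened for the reporter; if that is intended (for an externally managed Redis socket, say) a short comment should make the asymmetry deliberate, otherwise `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ] ++ lib.optional cfg.redis.configureLocally "AF_UNIX";` keeps the sandbox as tight as before for everyone else. The group grant also needs a why-comment, because membership in the Redis group reaches everything that group can access and not only the socket: `# Redis is reached over its UNIX socket, which is only group-accessible.`. The `serviceConfig` attribute set these lines belong to starts and ends outside the hunk.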
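Review bot: `toString [ … ]` builds the command line through Nix's implicit list-to-string coercion (elements joined by single spaces), which a reader has to know to see that the result is still a shell script with an unquoted `$(date …)` substitution rather than a tokenized argv as the commit title suggests; `lib.concatStringsSep " " [ … ]` states that intent directly, and if the substitution result is meant to be protected from word splitting the quotes have to be part of the Nix string, e.g. `"\"$(date -d 'yesterday' '+%Y%m%d')\""`. Since the day picked by `date -d 'yesterday'` follows the service's timezone, extending the existing workaround comment with which day the report is expected to cover (local time, or UTC via `date -u`) would spare the next maintainer a guess. The `systemd.services` definition that owns this `script` starts and ends outside the hunk.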
From: Martin Weinelt
Date: Fri, 8 Aug 2025 00:01:05 +0200
Subject: [PATCH 3/3] Respect configureLocally flag for redis

---
 mail-server/rspamd.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mail-server/rspamd.nix b/mail-server/rspamd.nix
index 758ea7e..5c0f315 100644
--- a/mail-server/rspamd.nix
+++ b/mail-server/rspamd.nix
@@ -169,7 +169,7 @@ in
 };
- services.redis.servers.rspamd.enable = lib.mkDefault true;
+ services.redis.servers.rspamd.enable = lib.mkDefault cfg.redis.configureLocally;
 systemd.tmpfiles.settings."10-rspamd.conf" = {
 "${cfg.dkimKeyDirectory}" = {