Skynet/misc_nixos-mailserver
7
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'dmarc-reporter' into 'master'

Browse source 
Allow AF_UNIX sockets for dmarc reporter, tokenize commandline

Closes #331

See merge request simple-nixos-mailserver/nixos-mailserver!437
This commit is contained in:
Martin Weinelt 2025-08-07 22:31:50 +00:00
commit 57d9624c71
1 changed files with 10 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

14
mail-server/rspamd.nix
View file

@ -169,7 +169,7 @@ in
}; };
services.redis.servers.rspamd.enable = lib.mkDefault true; services.redis.servers.rspamd.enable = lib.mkDefault cfg.redis.configureLocally;
systemd.tmpfiles.settings."10-rspamd.conf" = { systemd.tmpfiles.settings."10-rspamd.conf" = {
"${cfg.dkimKeyDirectory}" = { "${cfg.dkimKeyDirectory}" = {
@ -204,9 +204,11 @@ in
# Explicitly select yesterday's date to work around broken # Explicitly select yesterday's date to work around broken
# default behaviour when called without a date. # default behaviour when called without a date.
# https://github.com/rspamd/rspamd/issues/4062 # https://github.com/rspamd/rspamd/issues/4062
script = '' script = toString [
${pkgs.rspamd}/bin/rspamadm dmarc_report $(date -d "yesterday" "+%Y%m%d") (lib.getExe' pkgs.rspamd "rspamadm")
''; "dmarc_report"
"$(date -d 'yesterday' '+%Y%m%d')"
];
serviceConfig = { serviceConfig = {
User = "${config.services.rspamd.user}"; User = "${config.services.rspamd.user}";
Group = "${config.services.rspamd.group}"; Group = "${config.services.rspamd.group}";
@ -235,10 +237,14 @@ in
RestrictAddressFamilies = [ RestrictAddressFamilies = [
"AF_INET" "AF_INET"
"AF_INET6" "AF_INET6"
"AF_UNIX"
]; ];
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
SupplementaryGroups = lib.optionals cfg.redis.configureLocally [
config.services.redis.servers.rspamd.group
];
SystemCallArchitectures = "native"; SystemCallArchitectures = "native";
SystemCallFilter = [ SystemCallFilter = [
"@system-service" "@system-service"