Merge branch 'dmarc-reporter' into 'master'

Allow AF_UNIX sockets for dmarc reporter, tokenize commandline Closes #331 See merge request simple-nixos-mailserver/nixos-mailserver!437
2025-08-07 22:31:50 +00:00 · 2025-08-07 22:31:50 +00:00 · 57d9624c71
commit 57d9624c71
parent eb656cd361 fc955088e3
1 changed files with 10 additions and 4 deletions
--- a/mail-server/rspamd.nix
+++ b/mail-server/rspamd.nix
@ -169,7 +169,7 @@ in

    };

-    services.redis.servers.rspamd.enable = lib.mkDefault true;
+    services.redis.servers.rspamd.enable = lib.mkDefault cfg.redis.configureLocally;

    systemd.tmpfiles.settings."10-rspamd.conf" = {
      "${cfg.dkimKeyDirectory}" = {
@ -204,9 +204,11 @@ in
      # Explicitly select yesterday's date to work around broken
      # default behaviour when called without a date.
      # https://github.com/rspamd/rspamd/issues/4062
-      script = ''
-        ${pkgs.rspamd}/bin/rspamadm dmarc_report $(date -d "yesterday" "+%Y%m%d")
-      '';
+      script = toString [
+        (lib.getExe' pkgs.rspamd "rspamadm")
+        "dmarc_report"
+        "$(date -d 'yesterday' '+%Y%m%d')"
+      ];
      serviceConfig = {
        User = "${config.services.rspamd.user}";
        Group = "${config.services.rspamd.group}";
@ -235,10 +237,14 @@ in
        RestrictAddressFamilies = [
          "AF_INET"
          "AF_INET6"
+          "AF_UNIX"
        ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
+        SupplementaryGroups = lib.optionals cfg.redis.configureLocally [
+          config.services.redis.servers.rspamd.group
+        ];
        SystemCallArchitectures = "native";
        SystemCallFilter = [
          "@system-service"