From aa06b2f4893b7ddbcaf8adbb6adbea8b1de5e5a2 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Thu, 7 Aug 2025 23:41:43 +0200
Subject: [PATCH] Allow AF_UNIX sockets for dmarc reporter and allow group access

This is required to use redis over UNIX domain sockets.
---
 mail-server/rspamd.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/mail-server/rspamd.nix b/mail-server/rspamd.nix
index 7121a46..8b860ba 100644
--- a/mail-server/rspamd.nix
+++ b/mail-server/rspamd.nix
@@ -235,10 +235,14 @@ in
 RestrictAddressFamilies = [
 "AF_INET"
 "AF_INET6"
+ "AF_UNIX"
 ];
 RestrictNamespaces = true;
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
+ SupplementaryGroups = lib.optionals cfg.redis.configureLocally [
+ config.services.redis.servers.rspamd.group
+ ];
 SystemCallArchitectures = "native";
 SystemCallFilter = [
 "@system-service"
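Review bot: `"AF_UNIX"` is added to `RestrictAddressFamilies` unconditionally, while the matching `SupplementaryGroups` entry is gated on `cfg.redis.configureLocally`, so a deployment that points at a remote Redis gets the wider address-family allowance without needing it for the stated purpose. If nothing else in this unit depends on UNIX sockets (not visible in this hunk), consider `] ++ lib.optionals cfg.redis.configureLocally [ "AF_UNIX" ];` so both relaxations share one condition. Either way, a short comment above `SupplementaryGroups` such as `# redis is reached over its UNIX socket; group membership grants access to the socket file` would record why the sandbox was loosened. The enclosing attribute set starts and ends outside the hunk.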