Merge pull request #93293 from tnias/nixos_rspamd_20200716

This commit is contained in:
Jörg Thalheim 2020-12-01 13:10:43 +00:00 committed by GitHub
commit b1ed5ffeab
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 72 additions and 34 deletions

View file

@ -371,6 +371,9 @@ in
};
services.postfix.config = mkIf cfg.postfix.enable cfg.postfix.config;
systemd.services.postfix.serviceConfig.SupplementaryGroups =
mkIf cfg.postfix.enable [ postfixCfg.group ];
# Allow users to run 'rspamc' and 'rspamadm'.
environment.systemPackages = [ pkgs.rspamd ];
@ -394,16 +397,45 @@ in
restartTriggers = [ rspamdDir ];
serviceConfig = {
ExecStart = "${pkgs.rspamd}/bin/rspamd ${optionalString cfg.debug "-d"} --user=${cfg.user} --group=${cfg.group} --pid=/run/rspamd.pid -c /etc/rspamd/rspamd.conf -f";
ExecStart = "${pkgs.rspamd}/bin/rspamd ${optionalString cfg.debug "-d"} -c /etc/rspamd/rspamd.conf -f";
Restart = "always";
RuntimeDirectory = "rspamd";
PrivateTmp = true;
};
preStart = ''
${pkgs.coreutils}/bin/mkdir -p /var/lib/rspamd
${pkgs.coreutils}/bin/chown ${cfg.user}:${cfg.group} /var/lib/rspamd
'';
User = "${cfg.user}";
Group = "${cfg.group}";
SupplementaryGroups = mkIf cfg.postfix.enable [ postfixCfg.group ];
RuntimeDirectory = "rspamd";
RuntimeDirectoryMode = "0755";
StateDirectory = "rspamd";
StateDirectoryMode = "0700";
AmbientCapabilities = [];
CapabilityBoundingSet = [];
DevicePolicy = "closed";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
# we need to chown socket to rspamd-milter
PrivateUsers = !cfg.postfix.enable;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
UMask = "0077";
};
};
};
imports = [

View file

@ -13,10 +13,12 @@ let
machine.succeed("id rspamd >/dev/null")
'';
checkSocket = socket: user: group: mode: ''
machine.succeed("ls ${socket} >/dev/null")
machine.succeed('[[ "$(stat -c %U ${socket})" == "${user}" ]]')
machine.succeed('[[ "$(stat -c %G ${socket})" == "${group}" ]]')
machine.succeed('[[ "$(stat -c %a ${socket})" == "${mode}" ]]')
machine.succeed(
"ls ${socket} >/dev/null",
'[[ "$(stat -c %U ${socket})" == "${user}" ]]',
'[[ "$(stat -c %G ${socket})" == "${group}" ]]',
'[[ "$(stat -c %a ${socket})" == "${mode}" ]]',
)
'';
simple = name: enableIPv6: makeTest {
name = "rspamd-${name}";
@ -54,33 +56,35 @@ in
services.rspamd = {
enable = true;
workers.normal.bindSockets = [{
socket = "/run/rspamd.sock";
socket = "/run/rspamd/rspamd.sock";
mode = "0600";
owner = "root";
group = "root";
owner = "rspamd";
group = "rspamd";
}];
workers.controller.bindSockets = [{
socket = "/run/rspamd-worker.sock";
socket = "/run/rspamd/rspamd-worker.sock";
mode = "0666";
owner = "root";
group = "root";
owner = "rspamd";
group = "rspamd";
}];
};
};
testScript = ''
${initMachine}
machine.wait_for_file("/run/rspamd.sock")
${checkSocket "/run/rspamd.sock" "root" "root" "600" }
${checkSocket "/run/rspamd-worker.sock" "root" "root" "666" }
machine.wait_for_file("/run/rspamd/rspamd.sock")
${checkSocket "/run/rspamd/rspamd.sock" "rspamd" "rspamd" "600" }
${checkSocket "/run/rspamd/rspamd-worker.sock" "rspamd" "rspamd" "666" }
machine.log(machine.succeed("cat /etc/rspamd/rspamd.conf"))
machine.log(
machine.succeed("grep 'CONFDIR/worker-controller.inc' /etc/rspamd/rspamd.conf")
)
machine.log(machine.succeed("grep 'CONFDIR/worker-normal.inc' /etc/rspamd/rspamd.conf"))
machine.log(machine.succeed("rspamc -h /run/rspamd-worker.sock stat"))
machine.log(machine.succeed("rspamc -h /run/rspamd/rspamd-worker.sock stat"))
machine.log(
machine.succeed("curl --unix-socket /run/rspamd-worker.sock http://localhost/ping")
machine.succeed(
"curl --unix-socket /run/rspamd/rspamd-worker.sock http://localhost/ping"
)
)
'';
};
@ -91,16 +95,16 @@ in
services.rspamd = {
enable = true;
workers.normal.bindSockets = [{
socket = "/run/rspamd.sock";
socket = "/run/rspamd/rspamd.sock";
mode = "0600";
owner = "root";
group = "root";
owner = "rspamd";
group = "rspamd";
}];
workers.controller.bindSockets = [{
socket = "/run/rspamd-worker.sock";
socket = "/run/rspamd/rspamd-worker.sock";
mode = "0666";
owner = "root";
group = "root";
owner = "rspamd";
group = "rspamd";
}];
workers.controller2 = {
type = "controller";
@ -116,9 +120,9 @@ in
testScript = ''
${initMachine}
machine.wait_for_file("/run/rspamd.sock")
${checkSocket "/run/rspamd.sock" "root" "root" "600" }
${checkSocket "/run/rspamd-worker.sock" "root" "root" "666" }
machine.wait_for_file("/run/rspamd/rspamd.sock")
${checkSocket "/run/rspamd/rspamd.sock" "rspamd" "rspamd" "600" }
${checkSocket "/run/rspamd/rspamd-worker.sock" "rspamd" "rspamd" "666" }
machine.log(machine.succeed("cat /etc/rspamd/rspamd.conf"))
machine.log(
machine.succeed("grep 'CONFDIR/worker-controller.inc' /etc/rspamd/rspamd.conf")
@ -137,9 +141,11 @@ in
machine.wait_until_succeeds(
"journalctl -u rspamd | grep -i 'starting controller process' >&2"
)
machine.log(machine.succeed("rspamc -h /run/rspamd-worker.sock stat"))
machine.log(machine.succeed("rspamc -h /run/rspamd/rspamd-worker.sock stat"))
machine.log(
machine.succeed("curl --unix-socket /run/rspamd-worker.sock http://localhost/ping")
machine.succeed(
"curl --unix-socket /run/rspamd/rspamd-worker.sock http://localhost/ping"
)
)
machine.log(machine.succeed("curl http://localhost:11335/ping"))
'';