lol

Merge pull request #21866 from pjones/pjones/rmilter

rmilter: Fix a couple of bugs

authored by

Franz Pletz and committed by
GitHub
295a824a 6393d433

+124 -83
+12
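--- a/nixos/doc/manual/release-notes/rl-1703.xml
+++ b/nixos/doc/manual/release-notes/rl-1703.xml
@@ -237,6 +237,18 @@
 </para>
 </listitem>
 
+<listitem>
+<para>
+The socket handling of the <literal>services.rmilter</literal> module
+has been fixed and refactored. As rmilter doesn't support binding to
+more than one socket, the options <literal>bindUnixSockets</literal>
+and <literal>bindInetSockets</literal> have been replaced by
+<literal>services.rmilter.bindSocket.*</literal>. The default is still
+a unix socket in <literal>/run/rmilter/rmilter.sock</literal>. Refer to
+the options documentation for more information.
+</para>
+</listitem>
+
 </itemizedlist>
 
 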
+3
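--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -35,6 +35,9 @@
 (mkRemovedOptionModule [ "security" "setuidOwners" ] "Use security.wrappers instead")
 (mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.wrappers instead")
 
+(mkRemovedOptionModule [ "services" "rmilter" "bindInetSockets" ] "Use services.rmilter.bindSocket.* instead")
+(mkRemovedOptionModule [ "services" "rmilter" "bindUnixSockets" ] "Use services.rmilter.bindSocket.* instead")
+
 # Old Grub-related options.
 (mkRenamedOptionModule [ "boot" "initrd" "extraKernelModules" ] [ "boot" "initrd" "kernelModules" ])
 (mkRenamedOptionModule [ "boot" "extraKernelParams" ] [ "boot" "kernelParams" ])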
+105 -82
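--- a/nixos/modules/services/mail/rmilter.nix
+++ b/nixos/modules/services/mail/rmilter.nix
@@ -5,35 +5,38 @@
 let
 
 rspamdCfg = config.services.rspamd;
+postfixCfg = config.services.postfix;
 cfg = config.services.rmilter;
 
-inetSockets = map (sock: let s = stringSplit ":" sock; in "inet:${last s}:${head s}") cfg.bindInetSockets;
-unixSockets = map (sock: "unix:${sock}") cfg.bindUnixSockets;
+inetSocket = addr: port: "inet:[${toString port}@${addr}]";
+unixSocket = sock: "unix:${sock}";
 
-allSockets = unixSockets ++ inetSockets;
+systemdSocket = if cfg.bindSocket.type == "unix" then cfg.bindSocket.path
+else "${cfg.bindSocket.address}:${toString cfg.bindSocket.port}";
+rmilterSocket = if cfg.bindSocket.type == "unix" then unixSocket cfg.bindSocket.path
+else inetSocket cfg.bindSocket.address cfg.bindSocket.port;
 
 rmilterConf = ''
-pidfile = /run/rmilter/rmilter.pid;
-bind_socket = ${if cfg.socketActivation then "fd:3" else concatStringsSep ", " allSockets};
-tempdir = /tmp;
-
+pidfile = /run/rmilter/rmilter.pid;
+bind_socket = ${if cfg.socketActivation then "fd:3" else rmilterSocket};
+tempdir = /tmp;
 '' + (with cfg.rspamd; if enable then ''
-spamd {
-servers = ${concatStringsSep ", " servers};
-connect_timeout = 1s;
-results_timeout = 20s;
-error_time = 10;
-dead_time = 300;
-maxerrors = 10;
-reject_message = "${rejectMessage}";
-${optionalString (length whitelist != 0) "whitelist = ${concatStringsSep ", " whitelist};"}
+spamd {
+servers = ${concatStringsSep ", " servers};
+connect_timeout = 1s;
+results_timeout = 20s;
+error_time = 10;
+dead_time = 300;
+maxerrors = 10;
+reject_message = "${rejectMessage}";
+${optionalString (length whitelist != 0) "whitelist = ${concatStringsSep ", " whitelist};"}
 
-# rspamd_metric - metric for using with rspamd
-# Default: "default"
-rspamd_metric = "default";
-${extraConfig}
-};
-'' else "") + cfg.extraConfig;
+# rspamd_metric - metric for using with rspamd
+# Default: "default"
+rspamd_metric = "default";
+${extraConfig}
+};
+'' else "") + cfg.extraConfig;
 
 rmilterConfigFile = pkgs.writeText "rmilter.conf" rmilterConf;
 
@@ -48,11 +51,13 @@
 services.rmilter = {
 
 enable = mkOption {
+type = types.bool;
 default = cfg.rspamd.enable;
 description = "Whether to run the rmilter daemon.";
 };
 
 debug = mkOption {
+type = types.bool;
 default = false;
 description = "Whether to run the rmilter daemon in debug mode.";
 };
@@ -73,25 +78,37 @@
 '';
 };
 
-bindUnixSockets = mkOption {
-type = types.listOf types.str;
-default = ["/run/rmilter/rmilter.sock"];
+bindSocket.type = mkOption {
+type = types.enum [ "unix" "inet" ];
+default = "unix";
 description = ''
-Unix domain sockets to listen for MTA requests.
+What kind of socket rmilter should listen on. Either "unix"
+for an Unix domain socket or "inet" for a TCP socket.
 '';
-example = ''
-[ "/run/rmilter.sock"]
+};
+
+bindSocket.path = mkOption {
+type = types.str;
+default = "/run/rmilter/rmilter.sock";
+description = ''
+Path to Unix domain socket to listen on.
 '';
 };
 
-bindInetSockets = mkOption {
-type = types.listOf types.str;
-default = [];
+bindSocket.address = mkOption {
+type = types.str;
+default = "::1";
+example = "0.0.0.0";
 description = ''
-Inet addresses to listen (in format accepted by systemd.socket)
+Inet address to listen on.
 '';
-example = ''
-["127.0.0.1:11990"]
+};
+
+bindSocket.port = mkOption {
+type = types.int;
+default = 11990;
+description = ''
+Inet port to listen on.
 '';
 };
 
@@ -100,14 +117,16 @@
 default = true;
 description = ''
 Enable systemd socket activation for rmilter.
-(disabling socket activation not recommended
-when unix socket used, and follow to wrong
-permissions on unix domain socket.)
+
+Disabling socket activation is not recommended when a Unix
+domain socket is used and could lead to incorrect
+permissions.
 '';
 };
 
 rspamd = {
 enable = mkOption {
+type = types.bool;
 default = rspamdCfg.enable;
 description = "Whether to use rspamd to filter mails";
 };
@@ -157,13 +176,9 @@
 type = types.str;
 description = "Addon to postfix configuration";
 default = ''
-smtpd_milters = ${head allSockets}
-# or for TCP socket
-# # smtpd_milters = inet:localhost:9900
-milter_protocol = 6
-milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
-# skip mail without checks if milter will die
-milter_default_action = accept
+smtpd_milters = ${rmilterSocket}
+milter_protocol = 6
+milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
 '';
 };
 };
@@ -175,52 +190,60 @@
 
 ###### implementation
 
-config = mkIf cfg.enable {
+config = mkMerge [
 
-users.extraUsers = singleton {
-name = cfg.user;
-description = "rspamd daemon";
-uid = config.ids.uids.rmilter;
-group = cfg.group;
-};
+(mkIf cfg.enable {
+
+users.extraUsers = singleton {
+name = cfg.user;
+description = "rmilter daemon";
+uid = config.ids.uids.rmilter;
+group = cfg.group;
+};
+
+users.extraGroups = singleton {
+name = cfg.group;
+gid = config.ids.gids.rmilter;
+};
 
-users.extraGroups = singleton {
-name = cfg.group;
-gid = config.ids.gids.rmilter;
-};
+systemd.services.rmilter = {
+description = "Rmilter Service";
 
-systemd.services.rmilter = {
-description = "Rmilter Service";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
 
-wantedBy = [ "multi-user.target" ];
-after = [ "network.target" ];
+serviceConfig = {
+ExecStart = "${pkgs.rmilter}/bin/rmilter ${optionalString cfg.debug "-d"} -n -c ${rmilterConfigFile}";
+ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
+User = cfg.user;
+Group = cfg.group;
+PermissionsStartOnly = true;
+Restart = "always";
+RuntimeDirectory = "rmilter";
+RuntimeDirectoryMode = "0750";
+};
 
-serviceConfig = {
-ExecStart = "${pkgs.rmilter}/bin/rmilter ${optionalString cfg.debug "-d"} -n -c ${rmilterConfigFile}";
-ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
-User = cfg.user;
-Group = cfg.group;
-PermissionsStartOnly = true;
-Restart = "always";
-RuntimeDirectory = "rmilter";
-RuntimeDirectoryMode = "0755";
 };
 
-};
-
-systemd.sockets.rmilter = mkIf cfg.socketActivation {
-description = "Rmilter service socket";
-wantedBy = [ "sockets.target" ];
-socketConfig = {
-ListenStream = cfg.bindUnixSockets ++ cfg.bindInetSockets;
-SocketUser = cfg.user;
-SocketGroup = cfg.group;
-SocketMode = "0666";
+systemd.sockets.rmilter = mkIf cfg.socketActivation {
+description = "Rmilter service socket";
+wantedBy = [ "sockets.target" ];
+socketConfig = {
+ListenStream = systemdSocket;
+SocketUser = cfg.user;
+SocketGroup = cfg.group;
+SocketMode = "0660";
+};
 };
-};
+})
 
-services.postfix.extraConfig = optionalString cfg.postfix.enable cfg.postfix.configFragment;
-users.users.postfix.extraGroups = [ cfg.group ];
-};
+(mkIf (cfg.enable && cfg.rspamd.enable && rspamdCfg.enable) {
+users.extraUsers.${cfg.user}.extraGroups = [ rspamdCfg.group ];
+})
 
+(mkIf (cfg.enable && cfg.postfix.enable) {
+services.postfix.extraConfig = cfg.postfix.configFragment;
+users.extraUsers.${postfixCfg.user}.extraGroups = [ cfg.group ];
+})
+];
 }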
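Review bot: `systemdSocket` in the first hunk builds the inet `ListenStream` value as `${cfg.bindSocket.address}:${toString cfg.bindSocket.port}`, which with the new default `bindSocket.address = "::1"` yields `::1:11990`; as far as I know systemd only accepts IPv6 literals in bracket form (`[::1]:11990`), so the default inet configuration would likely fail to parse and bind. Wrapping the address in `[ ]` when it contains a colon, or documenting on `bindSocket.address` that IPv6 addresses must be given in bracket form, would close that gap. The same `rmilterSocket` string is reused as the `postfix.configFragment` default (`smtpd_milters = ${rmilterSocket}`), but rmilter's `inet:[port@addr]` form is not Postfix's `inet:host:port` milter address syntax, so the fragment only works for the unix-socket case and the inet case needs a separately formatted address. The move from `SocketMode = "0666"` to `"0660"` together with the explicit group memberships in the two new `mkIf` blocks is consistent and reduces who can talk to the milter socket.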
+4 -1
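--- a/nixos/modules/services/mail/rspamd.nix
+++ b/nixos/modules/services/mail/rspamd.nix
@@ -53,8 +53,11 @@
 bindSocket = mkOption {
 type = types.listOf types.str;
 default = [
-"/run/rspamd/rspamd.sock mode=0666 owner=${cfg.user}"
+"/run/rspamd/rspamd.sock mode=0660 owner=${cfg.user} group=${cfg.group}"
 ];
+defaultText = ''[
+"/run/rspamd/rspamd.sock mode=0660 owner=${cfg.user} group=${cfg.group}"
+]'';
 description = ''
 List of sockets to listen, in format acceptable by rspamd
 '';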
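Review bot: The added `defaultText` is a plain `''` string, so `${cfg.user}` and `${cfg.group}` inside it are still interpolated; the manual will show the evaluated user and group names, and `cfg` still has to be evaluated to render the docs, which is exactly what `defaultText` is meant to avoid. Escape the interpolations with `''${`, i.e. `"/run/rspamd/rspamd.sock mode=0660 owner=''${cfg.user} group=''${cfg.group}"`, so the option references appear literally. The change of the control socket from mode 0666 to 0660 with an explicit `group=` is the right direction and matches the rmilter side of this commit, which adds the rmilter user to `rspamdCfg.group`.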