From 07cfa1a67e387e833fc4ee96c1484c333bd8c8fd Mon Sep 17 00:00:00 2001 From: Satoshi Shishiku Date: Sun, 13 May 2018 09:14:27 +0000 Subject: [PATCH 1/5] mkChangedOptionModule: don't set default value for 'from' Be able to test aliased options with isDefined. --- lib/modules.nix | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/lib/modules.nix b/lib/modules.nix index 6c8033322a540..848de12d30f74 100644 --- a/lib/modules.nix +++ b/lib/modules.nix @@ -647,7 +647,17 @@ rec { result of the change function */ mkChangedOptionModule = from: to: changeFn: - mkMergedOptionModule [ from ] to changeFn; + { config, options, ... }: + { options = setAttrByPath from (mkOption { + visible = false; + }); + config = + let opt = getAttrFromPath from options; in { + warnings = + optional opt.isDefined + "The option `${showOption from}' defined in ${showFiles opt.files} has been changed to `${showOption to}' that has a different type. Please read `${showOption to}' documentation and update your configuration accordingly."; + } // setAttrByPath to (mkIf opt.isDefined (changeFn config)); + }; /* Like ‘mkRenamedOptionModule’, but doesn't show a warning. */ mkAliasOptionModule = from: to: doRename { From 8a3d8c9a9b4512e4926298ea7b5879b3fdce64e6 Mon Sep 17 00:00:00 2001 From: Satoshi Shishiku Date: Sun, 13 May 2018 09:17:22 +0000 Subject: [PATCH 2/5] rmilter: drop Deprecated by rspamd_proxy. --- nixos/modules/module-list.nix | 1 - nixos/modules/rename.nix | 6 +- nixos/modules/services/mail/rmilter.nix | 249 ------------------ pkgs/servers/mail/rmilter/default.nix | 33 --- .../mail/rmilter/fd-passing-libmilter.patch | 80 ------ pkgs/top-level/all-packages.nix | 2 - 6 files changed, 3 insertions(+), 368 deletions(-) delete mode 100644 nixos/modules/services/mail/rmilter.nix delete mode 100644 pkgs/servers/mail/rmilter/default.nix delete mode 100644 pkgs/servers/mail/rmilter/fd-passing-libmilter.patch 
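Review bot: The hidden option declared for `from` is `mkOption { visible = false; }` with no `type`, and `changeFn` is invoked as `changeFn config` with the module's whole `config` rather than the value defined at `from`; neither fact is stated in the docstring above the hunk, of which only the tail (`result of the change function */`) is visible here, and a caller needs both to use the function correctly. I would extend that docstring with: `The option at 'from' is declared hidden and untyped; changeFn receives the full module config (read the old value with getAttrFromPath from config) and is evaluated only when 'from' is defined.` Since the `warnings` entry and the `mkIf` on the target both key off `opt.isDefined`, the absence of a `default` should also be called out there as intentional, which is what the commit message relies on. The docstring itself starts outside the hunk.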
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 6c4326046ef84..7e73009fe46dc 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -298,7 +298,6 @@ ./services/mail/postgrey.nix ./services/mail/spamassassin.nix ./services/mail/rspamd.nix - ./services/mail/rmilter.nix ./services/mail/nullmailer.nix ./services/misc/airsonic.nix ./services/misc/apache-kafka.nix diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 56b7bf00448c9..88d75f68f992a 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -49,9 +49,6 @@ with lib; (mkRemovedOptionModule [ "security" "setuidOwners" ] "Use security.wrappers instead") (mkRemovedOptionModule [ "security" "setuidPrograms" ] "Use security.wrappers instead") - (mkRemovedOptionModule [ "services" "rmilter" "bindInetSockets" ] "Use services.rmilter.bindSocket.* instead") - (mkRemovedOptionModule [ "services" "rmilter" "bindUnixSockets" ] "Use services.rmilter.bindSocket.* instead") - # Xsession script (mkRenamedOptionModule [ "services" "xserver" "displayManager" "job" "logsXsession" ] [ "services" "xserver" "displayManager" "job" "logToFile" ]) (mkRenamedOptionModule [ "services" "xserver" "displayManager" "logToJournal" ] [ "services" "xserver" "displayManager" "job" "logToJournal" ]) @@ -250,6 +247,9 @@ with lib; (mkRenamedOptionModule [ "programs" "info" "enable" ] [ "documentation" "info" "enable" ]) (mkRenamedOptionModule [ "programs" "man" "enable" ] [ "documentation" "man" "enable" ]) + # rmilter + (mkRemovedOptionModule [ "services" "rmilter" ] "Use services.rspamd directly instead") + ] ++ (flip map [ "blackboxExporter" "collectdExporter" "fritzboxExporter" "jsonExporter" "minioExporter" "nginxExporter" "nodeExporter" "snmpExporter" "unifiExporter" "varnishExporter" ] diff --git a/nixos/modules/services/mail/rmilter.nix b/nixos/modules/services/mail/rmilter.nix deleted file mode 100644 index e17b7516bfff8..0000000000000 
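Review bot: The removal message on the new `mkRemovedOptionModule [ "services" "rmilter" ]` line, `"Use services.rspamd directly instead"`, gives no migration path for the one rmilter feature users most likely relied on, its Postfix wiring, even though this series adds `services.rspamd.postfix.enable` for exactly that purpose. I would make the message point there: `(mkRemovedOptionModule [ "services" "rmilter" ] "rmilter is deprecated upstream in favour of rspamd_proxy; use services.rspamd (and services.rspamd.postfix.enable for Postfix integration) instead")`. Dropping the two `bindInetSockets`/`bindUnixSockets` entries in the earlier hunk is consistent, since the prefix-level entry now covers every `services.rmilter.*` definition.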
--- a/nixos/modules/services/mail/rmilter.nix +++ /dev/null 
@@ -1,249 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - rspamdCfg = config.services.rspamd; - postfixCfg = config.services.postfix; - cfg = config.services.rmilter; - - inetSocket = addr: port: "inet:[${toString port}@${addr}]"; - unixSocket = sock: "unix:${sock}"; - - systemdSocket = if cfg.bindSocket.type == "unix" then cfg.bindSocket.path - else "${cfg.bindSocket.address}:${toString cfg.bindSocket.port}"; - rmilterSocket = if cfg.bindSocket.type == "unix" then unixSocket cfg.bindSocket.path - else inetSocket cfg.bindSocket.address cfg.bindSocket.port; - - rmilterConf = '' - pidfile = /run/rmilter/rmilter.pid; - bind_socket = ${if cfg.socketActivation then "fd:3" else rmilterSocket}; - tempdir = /tmp; - '' + (with cfg.rspamd; if enable then '' - spamd { - servers = ${concatStringsSep ", " servers}; - connect_timeout = 1s; - results_timeout = 20s; - error_time = 10; - dead_time = 300; - maxerrors = 10; - reject_message = "${rejectMessage}"; - ${optionalString (length whitelist != 0) "whitelist = ${concatStringsSep ", " whitelist};"} - - # rspamd_metric - metric for using with rspamd - # Default: "default" - rspamd_metric = "default"; - ${extraConfig} - }; - '' else "") + cfg.extraConfig; - - rmilterConfigFile = pkgs.writeText "rmilter.conf" rmilterConf; - -in - -{ - - ###### interface - - options = { - - services.rmilter = { - - enable = mkOption { - type = types.bool; - default = cfg.rspamd.enable; - description = "Whether to run the rmilter daemon."; - }; - - debug = mkOption { - type = types.bool; - default = false; - description = "Whether to run the rmilter daemon in debug mode."; - }; - - user = mkOption { - type = types.string; - default = "rmilter"; - description = '' - User to use when no root privileges are required. - ''; - }; - - group = mkOption { - type = types.string; - default = "rmilter"; - description = '' - Group to use when no root privileges are required. 
- ''; - }; - - bindSocket.type = mkOption { - type = types.enum [ "unix" "inet" ]; - default = "unix"; - description = '' - What kind of socket rmilter should listen on. Either "unix" - for an Unix domain socket or "inet" for a TCP socket. - ''; - }; - - bindSocket.path = mkOption { - type = types.str; - default = "/run/rmilter/rmilter.sock"; - description = '' - Path to Unix domain socket to listen on. - ''; - }; - - bindSocket.address = mkOption { - type = types.str; - default = "::1"; - example = "0.0.0.0"; - description = '' - Inet address to listen on. - ''; - }; - - bindSocket.port = mkOption { - type = types.int; - default = 11990; - description = '' - Inet port to listen on. - ''; - }; - - socketActivation = mkOption { - type = types.bool; - default = true; - description = '' - Enable systemd socket activation for rmilter. - - Disabling socket activation is not recommended when a Unix - domain socket is used and could lead to incorrect - permissions. - ''; - }; - - rspamd = { - enable = mkOption { - type = types.bool; - default = rspamdCfg.enable; - description = "Whether to use rspamd to filter mails"; - }; - - servers = mkOption { - type = types.listOf types.str; - default = ["r:/run/rspamd/rspamd.sock"]; - description = '' - Spamd socket definitions. - Is server name is prefixed with r: it is rspamd server. 
- ''; - }; - - whitelist = mkOption { - type = types.listOf types.str; - default = [ ]; - description = "list of ips or nets that should be not checked with spamd"; - }; - - rejectMessage = mkOption { - type = types.str; - default = "Spam message rejected; If this is not spam contact abuse"; - description = "reject message for spam"; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = "Custom snippet to append to end of `spamd' section"; - }; - }; - - extraConfig = mkOption { - type = types.lines; - default = ""; - description = "Custom snippet to append to rmilter config"; - }; - - postfix = { - enable = mkOption { - type = types.bool; - default = false; - description = "Add rmilter to postfix main.conf"; - }; - - configFragment = mkOption { - type = types.str; - description = "Addon to postfix configuration"; - default = '' - smtpd_milters = ${rmilterSocket} - milter_protocol = 6 - milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} - ''; - }; - }; - - }; - - }; - - - ###### implementation - - config = mkMerge [ - - (mkIf cfg.enable { - - users.extraUsers = singleton { - name = cfg.user; - description = "rmilter daemon"; - uid = config.ids.uids.rmilter; - group = cfg.group; - }; - - users.extraGroups = singleton { - name = cfg.group; - gid = config.ids.gids.rmilter; - }; - - systemd.services.rmilter = { - description = "Rmilter Service"; - - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - - serviceConfig = { - ExecStart = "${pkgs.rmilter}/bin/rmilter ${optionalString cfg.debug "-d"} -n -c ${rmilterConfigFile}"; - ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID"; - User = cfg.user; - Group = cfg.group; - PermissionsStartOnly = true; - Restart = "always"; - RuntimeDirectory = "rmilter"; - RuntimeDirectoryMode = "0750"; - }; - - }; - - systemd.sockets.rmilter = mkIf cfg.socketActivation { - description = "Rmilter service socket"; - wantedBy = [ "sockets.target" ]; - 
socketConfig = { - ListenStream = systemdSocket; - SocketUser = cfg.user; - SocketGroup = cfg.group; - SocketMode = "0660"; - }; - }; - }) - - (mkIf (cfg.enable && cfg.rspamd.enable && rspamdCfg.enable) { - users.extraUsers.${cfg.user}.extraGroups = [ rspamdCfg.group ]; - }) - - (mkIf (cfg.enable && cfg.postfix.enable) { - services.postfix.extraConfig = cfg.postfix.configFragment; - users.extraUsers.${postfixCfg.user}.extraGroups = [ cfg.group ]; - }) - ]; -} diff --git a/pkgs/servers/mail/rmilter/default.nix b/pkgs/servers/mail/rmilter/default.nix deleted file mode 100644 index 739270326e5b6..0000000000000 --- a/pkgs/servers/mail/rmilter/default.nix +++ /dev/null @@ -1,33 +0,0 @@ -{ stdenv, fetchFromGitHub, cmake, bison, flex, pkgconfig, openssl, pcre -, libmilter, opendkim, libmemcached, glib }: - -let patchedLibmilter = stdenv.lib.overrideDerivation libmilter (_ : { - patches = libmilter.patches ++ [ ./fd-passing-libmilter.patch ]; -}); -in - -stdenv.mkDerivation rec { - name = "rmilter-${version}"; - version = "1.10.0"; - - src = fetchFromGitHub { - owner = "vstakhov"; - repo = "rmilter"; - rev = version; - sha256 = "1gbp6jah88l6xqgflim01ycyp63l733bgir65fxnnrmifj1qzymh"; - }; - - nativeBuildInputs = [ bison cmake flex pkgconfig ]; - buildInputs = [ libmemcached patchedLibmilter openssl pcre opendkim glib ]; - - meta = with stdenv.lib; { - homepage = https://github.com/vstakhov/rmilter; - license = licenses.asl20; - description = '' - Daemon to integrate rspamd and milter compatible MTA, for example - postfix or sendmail - ''; - maintainers = with maintainers; [ avnik fpletz ]; - platforms = with platforms; linux; - }; -} diff --git a/pkgs/servers/mail/rmilter/fd-passing-libmilter.patch b/pkgs/servers/mail/rmilter/fd-passing-libmilter.patch deleted file mode 100644 index 3ab61a6fab007..0000000000000 --- a/pkgs/servers/mail/rmilter/fd-passing-libmilter.patch +++ /dev/null 
@@ -1,80 +0,0 @@ -Description: systemd-like socket activation support for libmilter -Author: Mikhail Gusarov {unix|local}:/path/to/file -- A named pipe. -
  • inet:port@{hostname|ip-address} -- An IPV4 socket. -
  • inet6:port@{hostname|ip-address} -- An IPV6 socket. -+
  • fd:number -- Pre-opened file descriptor. - - - -diff --git a/libmilter/listener.c b/libmilter/listener.c -index 48c552f..2249a1f 100644 ---- a/libmilter/listener.c -+++ b/libmilter/listener.c -@@ -197,6 +197,11 @@ mi_milteropen(conn, backlog, rmsocket, name) - L_socksize = sizeof addr.sin6; - } - #endif /* NETINET6 */ -+ else if (strcasecmp(p, "fd") == 0) -+ { -+ addr.sa.sa_family = AF_UNSPEC; -+ L_socksize = sizeof (_SOCK_ADDR); -+ } - else - { - smi_log(SMI_LOG_ERR, "%s: unknown socket type %s", -@@ -443,7 +448,21 @@ mi_milteropen(conn, backlog, rmsocket, name) - } - #endif /* NETINET || NETINET6 */ - -- sock = socket(addr.sa.sa_family, SOCK_STREAM, 0); -+ if (addr.sa.sa_family == AF_UNSPEC) -+ { -+ char *end; -+ sock = strtol(colon, &end, 10); -+ if (*end != '\0' || sock < 0) -+ { -+ smi_log(SMI_LOG_ERR, "%s: expected positive integer as fd, got %s", name, colon); -+ return INVALID_SOCKET; -+ } -+ } -+ else -+ { -+ sock = socket(addr.sa.sa_family, SOCK_STREAM, 0); -+ } -+ - if (!ValidSocket(sock)) - { - smi_log(SMI_LOG_ERR, -@@ -466,6 +485,7 @@ mi_milteropen(conn, backlog, rmsocket, name) - #if NETUNIX - addr.sa.sa_family != AF_UNIX && - #endif /* NETUNIX */ -+ addr.sa.sa_family != AF_UNSPEC && - setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *) &sockopt, - sizeof(sockopt)) == -1) - { -@@ -511,7 +531,8 @@ mi_milteropen(conn, backlog, rmsocket, name) - } - #endif /* NETUNIX */ - -- if (bind(sock, &addr.sa, L_socksize) < 0) -+ if (addr.sa.sa_family != AF_UNSPEC && -+ bind(sock, &addr.sa, L_socksize) < 0) - { - smi_log(SMI_LOG_ERR, - "%s: Unable to bind to port %s: %s", -@@ -817,7 +838,7 @@ mi_listener(conn, dbg, smfi, timeout, backlog) - # ifdef BSD4_4_SOCKADDR - cliaddr.sa.sa_len == 0 || - # endif /* BSD4_4_SOCKADDR */ -- cliaddr.sa.sa_family != L_family)) -+ (L_family != AF_UNSPEC && cliaddr.sa.sa_family != L_family))) - { - (void) closesocket(connfd); - connfd = INVALID_SOCKET; 
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index d6759098dfaa5..254bf77d84baa 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -12627,8 +12627,6 @@ with pkgs; postsrsd = callPackage ../servers/mail/postsrsd { }; - rmilter = callPackage ../servers/mail/rmilter { }; - rspamd = callPackage ../servers/mail/rspamd { }; pfixtools = callPackage ../servers/mail/postfix/pfixtools.nix { From ceb90ac5e8ac90484d5984dc0ebdaeb7cb2b1b20 Mon Sep 17 00:00:00 2001 From: Satoshi Shishiku Date: Sun, 13 May 2018 09:18:19 +0000 Subject: [PATCH 3/5] rspamd: 1.6.6 -> 1.7.4 --- pkgs/servers/mail/rspamd/default.nix | 24 ++++++++++-------------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/pkgs/servers/mail/rspamd/default.nix b/pkgs/servers/mail/rspamd/default.nix index 3e31327980683..034f2e700effd 100644 --- a/pkgs/servers/mail/rspamd/default.nix +++ b/pkgs/servers/mail/rspamd/default.nix 
@@ -6,29 +6,25 @@ in stdenv.mkDerivation rec { name = "rspamd-${version}"; - version = "1.6.6"; + version = "1.7.4"; src = fetchFromGitHub { owner = "vstakhov"; repo = "rspamd"; rev = version; - sha256 = "04jqrki7rlxywdig264kavy1h5882rspi2drkbdzrk35jjq8rh3h"; + sha256 = "1iba6mpha1ikybn9qnvgxzh6pjw5yj5aipamd586rfb0j9lbwsd5"; }; nativeBuildInputs = [ cmake pkgconfig perl ]; - buildInputs = [ glib gmime libevent libmagic luajit openssl pcre sqlite ragel icu libfann]; + buildInputs = [ glib gmime libevent libmagic luajit openssl pcre sqlite ragel icu libfann ]; - postPatch = '' - substituteInPlace conf/common.conf --replace "\$CONFDIR/rspamd.conf.local" "/etc/rspamd/rspamd.conf.local" - substituteInPlace conf/common.conf --replace "\$CONFDIR/rspamd.conf.local.override" "/etc/rspamd/rspamd.conf.local.override" - ''; - - cmakeFlags = '' - -DDEBIAN_BUILD=ON - -DRUNDIR=/var/run/rspamd - -DDBDIR=/var/lib/rspamd - -DLOGDIR=/var/log/rspamd - ''; + cmakeFlags = [ + "-DDEBIAN_BUILD=ON" + "-DRUNDIR=/var/run/rspamd" + "-DDBDIR=/var/lib/rspamd" + "-DLOGDIR=/var/log/rspamd" + "-DLOCAL_CONFDIR=/etc/rspamd" + ]; meta = with stdenv.lib; { homepage = https://github.com/vstakhov/rspamd; From 87957763d11a3b19b2defdfb99ca9ea4386147b0 Mon Sep 17 00:00:00 2001 From: Satoshi Shishiku Date: Sun, 13 May 2018 10:09:57 +0000 Subject: [PATCH 4/5] rspamd: update configuration Add locals and overrides to configure individual modules. Improve default configuration. Enable controller and milter proxy by default with unix sockets. Fix aliases, before they overrode module defaults. Fix types in submodules. Add postfix configuration for quick integration. Fix service dependencies so that systemd sockets aren't removed. --- nixos/doc/manual/release-notes/rl-1809.xml | 8 ++ nixos/modules/services/mail/rspamd.nix | 147 ++++++++++++++------- 2 files changed, 108 insertions(+), 47 deletions(-) 
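Review bot: Replacing the two `substituteInPlace` calls with `-DLOCAL_CONFDIR=/etc/rspamd` is a behaviour change that the `1.6.6 -> 1.7.4` subject does not mention: the old `postPatch` redirected only `rspamd.conf.local` and `rspamd.conf.local.override`, while `LOCAL_CONFDIR` presumably also moves the `local.d/` and `override.d/` lookups that the NixOS module in this series starts populating — worth confirming against the 1.7.4 `conf/common.conf`. I would record the intent next to the flag: `# LOCAL_CONFDIR: where rspamd looks for rspamd.conf.local*, local.d/ and override.d/; the NixOS module populates /etc/rspamd`. The new `sha256` for 1.7.4 cannot be checked from the diff alone.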
diff --git a/nixos/doc/manual/release-notes/rl-1809.xml b/nixos/doc/manual/release-notes/rl-1809.xml index 01b5e9d77460d..ef4c290569559 100644 --- a/nixos/doc/manual/release-notes/rl-1809.xml +++ b/nixos/doc/manual/release-notes/rl-1809.xml @@ -233,6 +233,14 @@ $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull' networking.networkmanager.dns instead. + + + services.rmilter has been deprecated and corresponding package removed. + rspamd now listens on a UNIX socket by default. Use services.rspamd.postfix.enable + instead of services.rmilter.postfix.enable for quick Postfix integration. + + + diff --git a/nixos/modules/services/mail/rspamd.nix b/nixos/modules/services/mail/rspamd.nix index 09fb587e74b56..c0abefc329d4a 100644 --- a/nixos/modules/services/mail/rspamd.nix +++ b/nixos/modules/services/mail/rspamd.nix @@ -18,7 +18,7 @@ let }; mode = mkOption { type = types.str; - default = "0644"; + default = "0660"; description = "Mode to set on unix socket"; }; owner = mkOption { @@ -60,6 +60,7 @@ let type = types.nullOr (types.enum [ "normal" "controller" "fuzzy_storage" "proxy" "lua" ]); + default = null; description = "The type of this worker"; }; bindSockets = mkOption { 
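Review bot: The default `mode` for unix sockets changes from `"0644"` to `"0660"` while the description stays `"Mode to set on unix socket"`, so a reader cannot tell that this widens who may connect: a unix stream socket needs write permission for `connect()`, so `0644` effectively admitted only the owner and `0660` also admits the `group` configured a few lines below. I would say so in the option: `description = "Mode to set on unix socket. Connecting requires write permission, so the default 0660 lets the owner and the configured group connect and nobody else.";`. The enclosing submodule begins before the hunk.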
@@ -99,19 +100,23 @@ let description = "Additional entries to put verbatim into worker section of rspamd config file."; }; }; - config = mkIf (name == "normal" || name == "controller" || name == "fuzzy") { - type = mkDefault name; - includes = mkDefault [ "$CONFDIR/worker-${name}.inc" ]; - bindSockets = mkDefault (if name == "normal" - then [{ - socket = "/run/rspamd/rspamd.sock"; - mode = "0660"; - owner = cfg.user; - group = cfg.group; - }] - else if name == "controller" - then [ "localhost:11334" ] - else [] ); + config = mkIf (name == "normal" || name == "controller" || name == "fuzzy" || name == "rspamd_proxy") { + includes = mkDefault [ "$CONFDIR/worker-${if name == "rspamd_proxy" then "proxy" else name}.inc" ]; + bindSockets = + let unixSocket = name: { + socket = "/run/rspamd/${name}.sock"; + owner = cfg.user; + group = cfg.group; + }; in mkDefault ( + if name == "normal" then [ (unixSocket "rspamd") ] + else if name == "controller" then [ (unixSocket "controller") ] + else if name == "rspamd_proxy" then [ (unixSocket "proxy") ] + else [] ); + extraConfig = mkIf (name == "rspamd_proxy") (mkDefault '' + upstream "local" { + self_scan = yes; + } + ''); }; }; 
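Review bot: The helper `unixSocket = name: { socket = "/run/rspamd/${name}.sock"; ... }` takes a parameter named `name`, shadowing the submodule's `name` that the surrounding `mkIf (name == "normal" || ...)` and the `if name == ...` chain test; the code is correct but a reader has to work out which `name` each line refers to. I would rename the parameter: `let unixSocket = sockName: { socket = "/run/rspamd/${sockName}.sock"; owner = cfg.user; group = cfg.group; };`. Separately, the proxy's `upstream "local" { self_scan = yes; }` is supplied via `mkDefault` on `extraConfig`, so any user who sets `extraConfig` on `rspamd_proxy` for an unrelated reason silently loses the only upstream; a comment on that line saying the upstream must be re-declared when `extraConfig` is overridden would save some debugging.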
@@ -146,23 +151,22 @@ let in (imap (idx: e: "bind_socket = \"systemd:${toString (systemd + idx - 1)}\";") (listenStreams each.socket)) else "bind_socket = \"${each.rawEntry}\";") socks)); - rspamdConfFile = pkgs.writeText "rspamd.conf" - '' - .include "$CONFDIR/common.conf" - - options { - pidfile = "$RUNDIR/rspamd.pid"; - .include "$CONFDIR/options.inc" - } - - logging { - type = "syslog"; - .include "$CONFDIR/logging.inc" - } + rspamdConf = pkgs.symlinkJoin { + name = "rspamd-conf"; + paths = + let + makeConfigs = prefix: attrs: mapAttrsToList (name: text: pkgs.writeTextFile { inherit name text; destination = "/${prefix}/${name}"; }) attrs; + localFiles = makeConfigs "local.d" cfg.locals; + overrideFiles = makeConfigs "override.d" cfg.overrides; + in [ rspamdConfFile ] ++ localFiles ++ overrideFiles; + }; + rspamdConfFile = pkgs.writeTextDir "rspamd.conf.override" + '' ${concatStringsSep "\n" (mapAttrsToList (name: value: '' - worker ${optionalString (value.name != "normal" && value.name != "controller") "${value.name}"} { - type = "${value.type}"; + worker ${optionalString (value.name != null) ''"${value.name}"''} { + ${optionalString (value.type != null) + ''type = "${value.type}";''} ${optionalString (value.enable != null) "enabled = ${if value.enable != false then "yes" else "no"};"} ${mkBindSockets value.enable value.bindSockets} 
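Review bot: `makeConfigs` interpolates the attribute names of `cfg.locals` and `cfg.overrides` straight into `destination = "/${prefix}/${name}"`, so a name containing `/` or `..` would nest or climb out of `local.d/`/`override.d/` inside the symlinkJoin output instead of being rejected. In practice the same name is also used as the derivation `name` via `inherit name`, and Nix's derivation-name rules presumably refuse `/` and a leading `.`, but that protection is incidental and not visible to the next maintainer. I would make the intent explicit, either with a comment on that line (`# attribute name is the file name inside local.d/ or override.d/; the derivation name check keeps it a single path component`) or, better, an assertion that `all (n: !(hasInfix "/" n)) (attrNames cfg.locals ++ attrNames cfg.overrides)`.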
@@ -212,19 +216,35 @@ in ''; }; + locals = mkOption { + type = with types; attrsOf lines; + default = {}; + description = '' + Local configuration files, written into /etc/rspamd/local.d/{name}. + ''; + }; + + overrides = mkOption { + type = with types; attrsOf lines; + default = {}; + description = '' + Overridden configuration files, written into /etc/rspamd/override.d/{name}. + ''; + }; + workers = mkOption { type = with types; attrsOf (submodule workerOpts); description = '' - Attribute set of workers to start. + Attribute set of workers to start. By default, controller and + self-scanning proxy worker are started. ''; default = { - normal = {}; controller = {}; + rspamd_proxy = {}; }; example = literalExample '' { normal = { - includes = [ "$CONFDIR/worker-normal.inc" ]; bindSockets = [{ socket = "/run/rspamd/rspamd.sock"; mode = "0660"; @@ -233,7 +253,6 @@ in }]; }; controller = { - includes = [ "$CONFDIR/worker-controller.inc" ]; bindSockets = [ "[::1]:11334" ]; }; } @@ -263,7 +282,15 @@ in description = '' Group to use when no root privileges are required. ''; - }; + }; + + postfix = { + enable = mkOption { + type = types.bool; + default = false; + description = "Add rspamd milter proxy to postfix main.conf"; + }; + }; }; }; @@ -272,8 +299,6 @@ in config = mkIf cfg.enable { - services.rspamd.socketActivation = mkDefault (!opts.bindSocket.isDefined && !opts.bindUISocket.isDefined); - assertions = [ { assertion = !cfg.socketActivation || !(opts.bindSocket.isDefined || opts.bindUISocket.isDefined); message = "Can't use socketActivation for rspamd when using renamed bind socket options"; 
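Review bot: The `workers` default drops `normal = {}` in favour of `rspamd_proxy = {}`, but the new description only says which workers start, not that the `normal` worker and its `/run/rspamd/rspamd.sock` no longer exist by default; anything that used that socket (`rspamc`, a non-Postfix MTA, the example right below which still shows `normal`) breaks without an explanation. I would add to the description: `The normal worker is no longer started by default; set workers.normal = {} if other clients need /run/rspamd/rspamd.sock.` The `postfix.enable` description `"Add rspamd milter proxy to postfix main.conf"` should likewise state that it requires `services.postfix.enable`, since it writes into that module's `extraConfig`.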
@@ -294,20 +319,44 @@ in gid = config.ids.gids.rspamd; }; - environment.etc."rspamd.conf".source = rspamdConfFile; + services.rspamd = { + socketActivation = mkDefault (!opts.bindSocket.isDefined && !opts.bindUISocket.isDefined); + + workers = mkIf cfg.postfix.enable { + controller = {}; + rspamd_proxy = { + bindSockets = [ { + socket = "/var/lib/postfix/queue/private/rspamd"; + owner = "rspamd"; + group = "postfix"; + } ]; + }; + }; + + overrides."logging.inc" = mkDefault '' + type = "syslog"; + ''; + }; + + services.postfix.extraConfig = mkIf cfg.postfix.enable '' + smtpd_milters = unix:private/rspamd + non_smtpd_milters = $smtpd_milters + milter_protocol = 6 + ''; + + environment.etc."rspamd".source = rspamdConf; systemd.services.rspamd = { description = "Rspamd Service"; wantedBy = mkIf (!cfg.socketActivation) [ "multi-user.target" ]; - after = [ "network.target" ] ++ - (if cfg.socketActivation then allSocketNames else []); - requires = mkIf cfg.socketActivation allSocketNames; + after = [ "network.target" ]; + restartTriggers = [ rspamdConf ]; serviceConfig = { - ExecStart = "${pkgs.rspamd}/bin/rspamd ${optionalString cfg.debug "-d"} --user=${cfg.user} --group=${cfg.group} --pid=/run/rspamd.pid -c ${rspamdConfFile} -f"; - Restart = "always"; - RuntimeDirectory = "rspamd"; + ExecStart = "${pkgs.rspamd}/bin/rspamd ${optionalString cfg.debug "-d"} --user=${cfg.user} --group=${cfg.group} --pid=/run/rspamd.pid -f"; + Restart = "on-failure"; + RuntimeDirectory = mkIf (!cfg.socketActivation) "rspamd"; PrivateTmp = true; Sockets = mkIf cfg.socketActivation (concatStringsSep " " allSocketNames); }; @@ -323,6 +372,7 @@ in value = { description = "Rspamd socket ${toString each.index} for worker ${each.name}"; wantedBy = [ "sockets.target" ]; + after = optional (each.name == "rspamd_proxy") "postfix.service"; listenStreams = (listenStreams each.value.socket); socketConfig = { BindIPv6Only = mkIf (isIPv6Socket each.value.socket) "ipv6-only"; 
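Review bot: Nothing checks that Postfix is actually enabled when `cfg.postfix.enable` is set: the `rspamd_proxy` socket is placed under `/var/lib/postfix/queue/private/rspamd` with `group = "postfix"`, and the socket unit is ordered `after` `postfix.service`, so with Postfix disabled the `postfix` group and queue directory presumably do not exist and the socket fails to be created while `services.postfix.extraConfig` is silently written. I would add to the existing `assertions` list: `{ assertion = cfg.postfix.enable -> config.services.postfix.enable; message = "services.rspamd.postfix.enable requires services.postfix.enable"; }`. The same block hardcodes `owner = "rspamd"` although every other socket default uses `cfg.user`; it should be `owner = cfg.user;` so a non-default user does not lose access to its own socket.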
@@ -334,8 +384,11 @@ in }; }) allMappedSockets)); }; - imports = [ - (mkRenamedOptionModule [ "services" "rspamd" "bindSocket" ] [ "services" "rspamd" "workers" "normal" "bindSockets" ]) - (mkRenamedOptionModule [ "services" "rspamd" "bindUISocket" ] [ "services" "rspamd" "workers" "controller" "bindSockets" ]) - ]; + + imports = + let mkMappedOptionModule = from: to: changeFn: mkChangedOptionModule from to (config: changeFn config (getAttrFromPath from config)); + in [ + (mkMappedOptionModule [ "services" "rspamd" "bindSocket" ] [ "services" "rspamd" "workers" ] (config: value: { normal.bindSockets = value; })) + (mkMappedOptionModule [ "services" "rspamd" "bindUISocket" ] [ "services" "rspamd" "workers" ] (config: value: { controller.bindSockets = value; })) + ]; } From 187ac3ee0683fd26d24fae7045bf9c5b7efc6c36 Mon Sep 17 00:00:00 2001 From: Satoshi Shishiku Date: Sun, 13 May 2018 15:24:20 +0300 Subject: [PATCH 5/5] rspamd test: update Use unix sockets, don't test IPv6, general cleanup. --- nixos/tests/rspamd.nix | 32 +++++++------------------------- 1 file changed, 7 insertions(+), 25 deletions(-) diff --git a/nixos/tests/rspamd.nix b/nixos/tests/rspamd.nix index 6b2e2dd3a5317..4df60a4f1212e 100644 --- a/nixos/tests/rspamd.nix +++ b/nixos/tests/rspamd.nix @@ -4,7 +4,7 @@ with pkgs.lib; let initMachine = '' startAll - $machine->waitForUnit("rspamd.service"); + $machine->waitForUnit("multi-user.target"); $machine->succeed("id \"rspamd\" >/dev/null"); ''; checkSocket = socket: user: group: mode: '' 
@@ -13,45 +13,30 @@ let $machine->succeed("[[ \"\$(stat -c %G ${socket})\" == \"${group}\" ]]"); $machine->succeed("[[ \"\$(stat -c %a ${socket})\" == \"${mode}\" ]]"); ''; - simple = name: socketActivation: enableIPv6: makeTest { + simple = name: socketActivation: makeTest { name = "rspamd-${name}"; machine = { services.rspamd = { enable = true; socketActivation = socketActivation; }; - networking.enableIPv6 = enableIPv6; }; testScript = '' - startAll - $machine->waitForUnit("multi-user.target"); - $machine->waitForOpenPort(11334); - $machine->waitForUnit("rspamd.service"); - $machine->succeed("id \"rspamd\" >/dev/null"); - ${checkSocket "/run/rspamd/rspamd.sock" "rspamd" "rspamd" "660" } - sleep 10; - $machine->log($machine->succeed("cat /etc/rspamd.conf")); + ${initMachine} $machine->log($machine->succeed("systemctl cat rspamd.service")); ${if socketActivation then '' $machine->log($machine->succeed("systemctl cat rspamd-controller-1.socket")); - $machine->log($machine->succeed("systemctl cat rspamd-normal-1.socket")); '' else '' $machine->fail("systemctl cat rspamd-controller-1.socket"); - $machine->fail("systemctl cat rspamd-normal-1.socket"); - ''} - $machine->log($machine->succeed("curl http://localhost:11334/auth")); - $machine->log($machine->succeed("curl http://127.0.0.1:11334/auth")); - ${optionalString enableIPv6 '' - $machine->log($machine->succeed("curl http://[::1]:11334/auth")); + $machine->waitForFile("/run/rspamd/controller.sock"); ''} + $machine->log($machine->succeed("curl --unix-socket /run/rspamd/controller.sock http://localhost/auth")); ''; }; in { - simple = simple "simple" false true; - ipv4only = simple "ipv4only" false false; - simple-socketActivated = simple "simple-socketActivated" true true; - ipv4only-socketActivated = simple "ipv4only-socketActivated" true false; + simple = simple "simple" false; + simple-socketActivated = simple "simple-socketActivated" true; deprecated = makeTest { name = "rspamd-deprecated"; machine = { 
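Review bot: The `checkSocket "/run/rspamd/rspamd.sock" "rspamd" "rspamd" "660"` line is removed but no equivalent is added for the sockets the module now creates by default, so the `0660` rspamd:rspamd permissions of the controller and proxy sockets — the main access-control boundary for the HTTP controller — are no longer asserted by the `simple` tests; only the `curl ... /auth` call remains, which proves reachability, not exclusivity. After the `waitForFile` I would add `${checkSocket "/run/rspamd/controller.sock" "rspamd" "rspamd" "660" }` and `${checkSocket "/run/rspamd/proxy.sock" "rspamd" "rspamd" "660" }`, in both branches. In the socket-activated branch there is also no `waitForFile` before the `curl`; systemd presumably has the socket up by `multi-user.target`, but an explicit wait would make the test deterministic.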
@@ -67,7 +52,6 @@ in $machine->waitForFile("/run/rspamd.sock"); ${checkSocket "/run/rspamd.sock" "root" "root" "600" } ${checkSocket "/run/rspamd-worker.sock" "root" "root" "666" } - $machine->log($machine->succeed("cat /etc/rspamd.conf")); $machine->fail("systemctl cat rspamd-normal-1.socket"); $machine->log($machine->succeed("rspamc -h /run/rspamd-worker.sock stat")); $machine->log($machine->succeed("curl --unix-socket /run/rspamd-worker.sock http://localhost/ping")); @@ -100,7 +84,6 @@ in $machine->waitForFile("/run/rspamd.sock"); ${checkSocket "/run/rspamd.sock" "root" "root" "600" } ${checkSocket "/run/rspamd-worker.sock" "root" "root" "666" } - $machine->log($machine->succeed("cat /etc/rspamd.conf")); $machine->fail("systemctl cat rspamd-normal-1.socket"); $machine->log($machine->succeed("rspamc -h /run/rspamd-worker.sock stat")); $machine->log($machine->succeed("curl --unix-socket /run/rspamd-worker.sock http://localhost/ping")); @@ -131,7 +114,6 @@ in $machine->waitForFile("/run/rspamd.sock"); ${checkSocket "/run/rspamd.sock" "root" "root" "600" } ${checkSocket "/run/rspamd-worker.sock" "root" "root" "666" } - $machine->log($machine->succeed("cat /etc/rspamd.conf")); $machine->log($machine->succeed("systemctl cat rspamd-normal-1.socket")); $machine->log($machine->succeed("rspamc -h /run/rspamd-worker.sock stat")); $machine->log($machine->succeed("curl --unix-socket /run/rspamd-worker.sock http://localhost/ping"));