rspamd: Use redis over a unix socket by default

Both rspamd and redis run on the same host by default, so a UNIX domain socket is the cheapest way to facilitate that communication. It also allows us to get rid of overly complicated IP adddress parsing logic, that we can shift onto the user if they need it.
2025-04-28 18:40:52 +05:00 · 2025-04-13 03:54:51 +02:00 · 2025-04-13 03:54:51 +02:00 · 745c6ee861
commit 745c6ee861
parent 7bdf5003c7
3 changed files with 22 additions and 21 deletions
--- a/default.nix
+++ b/default.nix
@ -944,28 +944,19 @@ in
      address = mkOption {
        type = types.str;
        # read the default from nixos' redis module
-        default = let
-          cf = config.services.redis.servers.rspamd.bind;
-          cfdefault = if cf == null then "127.0.0.1" else cf;
-          ips = lib.strings.splitString " " cfdefault;
-          ip = lib.lists.head (ips ++ [ "127.0.0.1" ]);
-          isIpv6 = ip: lib.lists.elem ":" (lib.stringToCharacters ip);
-        in
-        if (ip == "0.0.0.0" || ip == "::")
-        then "127.0.0.1"
-        else if isIpv6 ip then "[${ip}]" else ip;
-        defaultText = lib.literalMD "computed from `config.services.redis.servers.rspamd.bind`";
+        default = config.services.redis.servers.rspamd.unixSocket;
+        defaultText = lib.literalExpression "config.services.redis.servers.rspamd.unixSocket";
        description = ''
-          Address that rspamd should use to contact redis.
+          Path, IP address or hostname that Rspamd should use to contact Redis.
        '';
      };

      port = mkOption {
-        type = types.port;
-        default = config.services.redis.servers.rspamd.port;
-        defaultText = lib.literalExpression "config.services.redis.servers.rspamd.port";
+        type = with types; nullOr port;
+        default = null;
+        example = lib.literalExpression "config.services.redis.servers.rspamd.port";
        description = ''
-          Port that rspamd should use to contact redis.
+          Port that Rspamd should use to contact Redis.
        '';
      };

--- a/docs/release-notes.rst
+++ b/docs/release-notes.rst
@ -1,6 +1,14 @@
 Release Notes
 =============

+NixOS 25.05
+-----------
+
+- Rspamd now connects to Redis over its Unix Domain Socket by default
+  (`merge request <https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/merge_requests/375` __)
+  - If you need to revert TCP connections, configure ``mailserver.redis.address`
+    to reference the value of ``config.services.redis.servers.rspamd.bind``.
+
 NixOS 24.11
 -----------

--- a/mail-server/rspamd.nix
+++ b/mail-server/rspamd.nix
@ -42,7 +42,11 @@ in
              extended_spam_headers = true;
          ''; };
          "redis.conf" = { text = ''
-              servers = "${cfg.redis.address}:${toString cfg.redis.port}";
+              servers = "${if cfg.redis.port == null
+                then
+                  cfg.redis.address
+                else
+                  "${cfg.redis.address}:${toString cfg.redis.port}"}";
          '' + (lib.optionalString (cfg.redis.password != null) ''
              password = "${cfg.redis.password}";
          ''); };
@ -113,14 +117,12 @@ in

    };

-    services.redis.servers.rspamd = {
-      enable = lib.mkDefault true;
-      port = lib.mkDefault 6380;
-    };
+    services.redis.servers.rspamd.enable = lib.mkDefault true;

    systemd.services.rspamd = {
      requires = [ "redis-rspamd.service" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
      after = [ "redis-rspamd.service" ] ++ (lib.optional cfg.virusScanning "clamav-daemon.service");
+      serviceConfig.SupplementaryGroups = [ config.services.redis.servers.rspamd.group ];
    };

    systemd.services.rspamd-dmarc-reporter = lib.optionalAttrs (cfg.dmarcReporting.enable) {