nixos/redis: loosen systemd address family restrictions

Do not assume that port and unixSocket are the only options that affect
address families used by Redis. There are other options, e.g. tls-port,
and also clustered setup that are not covered by the declarative
configuration. Instead of trying to selectively restrict unused address
families based on the configuration, limit address families to IP and
Unix sockets and let users lib.mkForce a stricter sandboxing is needed.

See also
https://docs.redis.com/latest/rs/networking/port-configurations/

1 files changed, 1 insertions, 3 deletions

diff --git a/nixos/modules/services/databases/redis.nix b/nixos/modules/services/databases/redis.nix
index 1464f4487e39..e2363ec3bc0e 100644
--- a/nixos/modules/services/databases/redis.nix
+++ b/nixos/modules/services/databases/redis.nix
@@ -393,9 +393,7 @@ in {
         ProtectKernelModules = true;
         ProtectKernelTunables = true;
         ProtectControlGroups = true;
-        RestrictAddressFamilies =
-          optionals (conf.port != 0) ["AF_INET" "AF_INET6"] ++
-          optional (conf.unixSocket != null) "AF_UNIX";
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
         RestrictNamespaces = true;
         LockPersonality = true;
         MemoryDenyWriteExecute = true;