authorFranz Pletz <fpletz@fnordicwalking.de>2017-03-17 23:01:24 +0100
committerFranz Pletz <fpletz@fnordicwalking.de>2017-03-17 23:01:24 +0100
commit00239ce8e9baeef0ea55fd0995a55e0b15a25ac9 (patch)
treedd198eba4108aedbf97a509c7e81ca8268d117dc /nixos/modules/services/mail/rmilter.nix
parent8ab2d2ee27b84bfeb2e2077e87f5ccc7b0d129fe (diff)
rmilter/rspamd service: tighten unix socket permissions
Diffstat (limited to 'nixos/modules/services/mail/rmilter.nix')
-rw-r--r--nixos/modules/services/mail/rmilter.nix13
1 files changed, 8 insertions, 5 deletions
diff --git a/nixos/modules/services/mail/rmilter.nix b/nixos/modules/services/mail/rmilter.nix
index 3153b1c79124..e17b7516bfff 100644
--- a/nixos/modules/services/mail/rmilter.nix
+++ b/nixos/modules/services/mail/rmilter.nix
@@ -5,6 +5,7 @@ with lib;
 let
 
   rspamdCfg = config.services.rspamd;
+  postfixCfg = config.services.postfix;
   cfg = config.services.rmilter;
 
   inetSocket = addr: port: "inet:[${toString port}@${addr}]";
@@ -219,7 +220,7 @@ in
           PermissionsStartOnly = true;
           Restart = "always";
           RuntimeDirectory = "rmilter";
-          RuntimeDirectoryMode = "0755";
+          RuntimeDirectoryMode = "0750";
         };
 
       };
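Review bot: `RuntimeDirectoryMode = "0750"` carries no comment saying who is expected to get through the directory, and after this change that is an access-control decision rather than a default. If the milter socket lives under the `rmilter` runtime directory (its path is defined outside this hunk), every client now needs membership in the service group, and the commit only arranges that for postfix. I would add a comment above the line such as `# 0750: only the rmilter user and members of its group may traverse this directory; any MTA using a socket below it must be added to cfg.group`. The `serviceConfig` block begins outside the hunk, so the user and group that own the directory are not visible here.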
@@ -231,16 +232,18 @@ in
           ListenStream = systemdSocket;
           SocketUser = cfg.user;
           SocketGroup = cfg.group;
-          SocketMode = "0666";
+          SocketMode = "0660";
         };
       };
     })
 
-    (mkIf (cfg.enable && cfg.postfix.enable) {
+    (mkIf (cfg.enable && cfg.rspamd.enable && rspamdCfg.enable) {
+      users.extraUsers.${cfg.user}.extraGroups = [ rspamdCfg.group ];
+    })
 
+    (mkIf (cfg.enable && cfg.postfix.enable) {
       services.postfix.extraConfig = cfg.postfix.configFragment;
-      users.users.postfix.extraGroups = [ cfg.group ];
-
+      users.extraUsers.${postfixCfg.user}.extraGroups = [ cfg.group ];
     })
   ];
 }
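Review bot: The postfix block at the end of the hunk is guarded only by `cfg.enable && cfg.postfix.enable`, while the new rspamd block just above it also checks `rspamdCfg.enable`. With postfix itself disabled, the module would presumably still declare `users.extraUsers.${postfixCfg.user}` and place it in the rmilter group. Consider `(mkIf (cfg.enable && cfg.postfix.enable && postfixCfg.enable) {` so the group grant only exists alongside the service that needs it. Separately, adding `cfg.user` to `rspamdCfg.group` gives rmilter everything that group can reach, not only the rspamd socket; a comment naming the socket as the sole reason for the membership would help keep the group's footprint small. The enclosing `mkIf` list starts outside the hunk.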