[PATCH] services: Add rspamd-service-type.

> * gnu/services/mail.scm (rspamd-service-type): New variable.

> * gnu/tests/mail.scm (%test-rspamd): New variable.

> * doc/guix.texi: Document it.

> ---

>

> Hey Guix!

>

> First time contributor here, this patch

> introduces some basic support for rspamd.

>

> I do need guidance on some points.

>

> How to handle the extra configs that a user can

> provide to rspamd?

>

> On your average linux distro rspamd does expects

> you to not touch the rspamd.conf and instead put

> your changes in the /etc/rspamd/{local.d,override.d} directories

> (local is enough to redefine most settings, but if there are changes made via the web ui, the web ui changes takes precedence, you need to use override.d if you want to freeze a setting.)

>

> For example to set the password of the web ui

> you're supposed to create /etc/rspamd/local.d/worker-controller.inc

> and then set password = "some_hash";

>

> Then this will get merged with the config

> as something like:

>

> worker {

> type = "controller";

> password = "some_hash";

> }

>

> The point is we could ignore local.d/override.d

> and write these blocks directly to rspamd.conf.

>

> Of course it needs some additionals configuration records for the workers and the common options

> between them.

>

> And finally for the test I do plan to add integration test with opensmtpd when I get the time.

>

> Are there examples of such integration test?

> +

> +@deftp {Data Type} rspamd-configuration

> +Data type representing the configuration of @command{rspamd}.

> +

> +@table @asis

> +@item @code{package} (default: @code{rspamd})

> +The package that provides @command{rspamd}.

> +

> +@item @code{config-file} (default: @code{%default-rspamd-config-file})

> +File-like object of the configuration file to use. By default

> +all workers are enabled except fuzzy and they are binded

> +to their usual ports, e.g localhost:11334, localhost:11333 and so on.

> +

> +@item @code{user} (default: @code{"rspamd"})

> +The user to run rspamd as.

> +

> +@item @code{group} (default: @code{"rspamd"})

> +The user to run rspamd as.

> +

> +@item @code{pid-file} (default: @code{"/var/run/rspamd/rspamd.pid"})

> +Where to store the PID file.

> +

> +@item @code{debug?} (default: @code{#f})

> +Force debug output.

> +

> +@item @code{insecure?} (default: @code{#f})

> +Ignore running workers as privileged users (insecure).

> +

> +@item @code{skip-template?} (default: @code{#f})

> +Do not apply Jinja templates.

> +

> +@end table

> +@end deftp

> +

> +;;;

> +;;; Rspamd.

> +;;;

> +

> +(define-maybe boolean)

> +

> +(define-configuration rspamd-configuration

> + (package

> + (file-like rspamd)

> + "The package that provides rspamd."

> + empty-serializer)

> + (config-file

> + (file-like %default-rspamd-config-file)

> + "File-like object of the configuration file to use. By default

> +all workers are enabled except fuzzy and they are binded

> +to their usual ports, e.g localhost:11334, localhost:11333 and so on")

> + (user

> + (string "rspamd")

> + "The user to run rspamd as."

> + empty-serializer)

> + (group

> + (string "rspamd")

> + "The group to run rspamd as."

> + empty-serializer)

> + (pid-file

> + (string "/var/run/rspamd/rspamd.pid")

> + "Where to store the PID file."

> + empty-serializer)

> + (debug?

> + maybe-boolean

> + "Force debug output."

> + empty-serializer)

> + (insecure?

> + maybe-boolean

> + "Ignore running workers as privileged users (insecure)."

> + empty-serializer)

> + (skip-template?

> + maybe-boolean

> + "Do not apply Jinja templates."

> + empty-serializer))

> +

> +(define (rspamd-activation config)

> + (match-record config <rspamd-configuration>

> + (package config-file user)

> + #~(begin

> + (use-modules (guix build utils)

> + (ice-9 match))

> + (let ((user (getpwnam #$user)))

> + (mkdir-p/perms "/etc/rspamd" user #o755)

> + (mkdir-p/perms "/etc/rspamd/local.d" user #o755)

> + (mkdir-p/perms "/etc/rspamd/override.d" user #o755)

> + (mkdir-p/perms "/var/run/rspamd" user #o755)

> + (mkdir-p/perms "/var/log/rspamd" user #o755)

> + (mkdir-p/perms "/var/lib/rspamd" user #o755))

> + ;; Check configuration file syntax.

> + (system* (string-append #$package "/bin/rspamadm")

> + "configtest"

> + "-c" #$config-file))))

> +

> +(define rspamd-profile

> + (compose list rspamd-configuration-package))

> diff --git a/gnu/tests/mail.scm b/gnu/tests/mail.scm

> index f13751b72f..f532d30805 100644

> Hi,

>

> On 2023-02-23 20:16, Thomas Ieong wrote:

>> * gnu/services/mail.scm (rspamd-service-type): New variable.

>> * gnu/tests/mail.scm (%test-rspamd): New variable.

>> * doc/guix.texi: Document it.

>> ---

>>

>> Hey Guix!

>>

>> First time contributor here, this patch

>> introduces some basic support for rspamd.

>>

>> I do need guidance on some points.

>>

>> How to handle the extra configs that a user can

>> provide to rspamd?

>>

>> On your average linux distro rspamd does expects

>> you to not touch the rspamd.conf and instead put

>> your changes in the /etc/rspamd/{local.d,override.d} directories

>> (local is enough to redefine most settings, but if there are changes made via the web ui, the web ui changes takes precedence, you need to use override.d if you want to freeze a setting.)

>>

>> For example to set the password of the web ui

>> you're supposed to create /etc/rspamd/local.d/worker-controller.inc

>> and then set password = "some_hash";

>>

>> Then this will get merged with the config

>> as something like:

>>

>> worker {

>> type = "controller";

>> password = "some_hash";

>> }

>>

>> The point is we could ignore local.d/override.d

>> and write these blocks directly to rspamd.conf.

>

> For most services, the configuration is expected to be read-only (and generated & managed by guix)

> though it is possible to have a mix of non guix-managed config files (but discouraged).

>

> If you simply want to store the configuration in separate files, pulseaudio-service-type and mympd-service-type is an example that can do this.

>

>>

>> Of course it needs some additionals configuration records for the workers and the common options

>> between them.

>>

>> And finally for the test I do plan to add integration test with opensmtpd when I get the time.

>>

>> Are there examples of such integration test?

>

> Specific examples no but gnu/tests/ contains many tests of varying complexity that could serve as inspiration.

> See the NFS or web server tests.

>

>> +

>> +@deftp {Data Type} rspamd-configuration

>> +Data type representing the configuration of @command{rspamd}.

>> +

>> +@table @asis

>> +@item @code{package} (default: @code{rspamd})

>> +The package that provides @command{rspamd}.

>> +

>> +@item @code{config-file} (default: @code{%default-rspamd-config-file})

>> +File-like object of the configuration file to use. By default

>> +all workers are enabled except fuzzy and they are binded

>> +to their usual ports, e.g localhost:11334, localhost:11333 and so on.

>> +

>> +@item @code{user} (default: @code{"rspamd"})

>> +The user to run rspamd as.

>> +

>> +@item @code{group} (default: @code{"rspamd"})

>> +The user to run rspamd as.

>> +

>> +@item @code{pid-file} (default: @code{"/var/run/rspamd/rspamd.pid"})

>> +Where to store the PID file.

>> +

>> +@item @code{debug?} (default: @code{#f})

>> +Force debug output.

>> +

>> +@item @code{insecure?} (default: @code{#f})

>> +Ignore running workers as privileged users (insecure).

>> +

>> +@item @code{skip-template?} (default: @code{#f})

>> +Do not apply Jinja templates.

>> +

>> +@end table

>> +@end deftp

>> +

>

> Was this manually typed? (It seems to be the case since it's missing the field type information)

> You can generate the documentation automatically with configuration->documentation since you're using define-configuration.

>

>> +;;;

>> +;;; Rspamd.

>> +;;;

>> +

>> +(define-maybe boolean)

>> +

>> +(define-configuration rspamd-configuration

>> + (package

>> + (file-like rspamd)

>> + "The package that provides rspamd."

>> + empty-serializer)

>> + (config-file

>> + (file-like %default-rspamd-config-file)

>> + "File-like object of the configuration file to use. By default

>> +all workers are enabled except fuzzy and they are binded

>> +to their usual ports, e.g localhost:11334, localhost:11333 and so on")

>> + (user

>> + (string "rspamd")

>> + "The user to run rspamd as."

>> + empty-serializer)

>> + (group

>> + (string "rspamd")

>> + "The group to run rspamd as."

>> + empty-serializer)

>> + (pid-file

>> + (string "/var/run/rspamd/rspamd.pid")

>> + "Where to store the PID file."

>> + empty-serializer)

>> + (debug?

>> + maybe-boolean

>> + "Force debug output."

>> + empty-serializer)

>> + (insecure?

>> + maybe-boolean

>> + "Ignore running workers as privileged users (insecure)."

>> + empty-serializer)

>> + (skip-template?

>> + maybe-boolean

>> + "Do not apply Jinja templates."

>> + empty-serializer))

>

> If you're not going to use any serializer, you can use define-configuration/no-serialization instead.

>

>> +

>> +(define (rspamd-activation config)

>> + (match-record config <rspamd-configuration>

>> + (package config-file user)

>> + #~(begin

>> + (use-modules (guix build utils)

>> + (ice-9 match))

>> + (let ((user (getpwnam #$user)))

>> + (mkdir-p/perms "/etc/rspamd" user #o755)

>> + (mkdir-p/perms "/etc/rspamd/local.d" user #o755)

>> + (mkdir-p/perms "/etc/rspamd/override.d" user #o755)

>> + (mkdir-p/perms "/var/run/rspamd" user #o755)

>> + (mkdir-p/perms "/var/log/rspamd" user #o755)

>> + (mkdir-p/perms "/var/lib/rspamd" user #o755))

>> + ;; Check configuration file syntax.

>> + (system* (string-append #$package "/bin/rspamadm")

>> + "configtest"

>> + "-c" #$config-file))))

>

> This should be moved into the service constructor. See how mpd-service-type does this.

>

> To expand a bit here, activation-service-type service-extensions are often abused for "pre-service launch tasks"

> but this is incorrect usage (see #60657 which covers the pitfalls on doing so).

>

>> +

>> +(define rspamd-profile

>> + (compose list rspamd-configuration-package))

>

> How about:

> (service-extension profile-service-type

> (compose list rspamd-configuration-package))

>

>

>> diff --git a/gnu/tests/mail.scm b/gnu/tests/mail.scm

>> index f13751b72f..f532d30805 100644

>

> Do not forget to register this file in gnu/local.mk.

>

>

> Cheers,

> Bruno

> Hi Thomas,

>

> It’s been a while. :-) Did you have time to consider Bruno’s

> suggestions to send an updated patch?

>

> https://issues.guix.gnu.org/61740

>

> Thanks,

> Ludo’.

> I happened to need rspamd myself

> Hi Saku,

>

> > I happened to need rspamd myself

>

> So do I but it does not seem to start locally. It created some folders

> and, per the log, the configuration file passed the syntax check, but

> then the boot stalls.

>

> I used (service rspamd-service-type) and nothing else in my system

> configuration. Should it be sufficient? Thanks!

> +(define (directory-tree? xs)

> + (match xs

> + (((file-name file-like) ...)

> + (and (every string? file-name)

> + (every file-like? file-like)))

> + (_ #f)))

> + (user

> + (string "rspamd")

> + "The user to run rspamd as.")

> + (group

> + (string "rspamd")

> + "The group to run rspamd as.")

> + (pid-file

> + (string "/var/run/rspamd/rspamd.pid")

> + "Where to store the PID file.")

> + (insecure?

> + (boolean #f)

> + "Ignore running workers as privileged users (insecure).")

> + (make-forkexec-constructor

> + (list #$rspamd "-c" #$config-file

> + "--var" (string-append "LOCAL_CONFDIR=" #$local-confdir)

> + (service-extension profile-service-type

> + (compose list rspamd-configuration-package))

> +(define %rspamd-os

> + (simple-operating-system

> + (service dhcp-client-service-type)

> + (service rspamd-service-type)))

> + ;; Check that we can access the web ui

> + (test-equal "http-get"

> + 200

> + (begin

> + (let-values (((response text)

> + (http-get "http://localhost:22668/"

> + #:decode-body? #t)))

> + (response-code response))))

> + (test-assert "rspamd pid ready"

> + (marionette-eval

> + '(file-exists? "/var/run/rspamd/rspamd.pid")

> + marionette))

> +(define %test-rspamd

> + (system-test

> + (name "rspamd")

> + (description "Send an email to a running rspamd server.")

> + (value (run-rspamd-test))))

> Hi Saku,

>

> Some comments:

>

> > +(define (directory-tree? xs)

> > + (match xs

> > + (((file-name file-like) ...)

> > + (and (every string? file-name)

> > + (every file-like? file-like)))

> > + (_ #f)))

>

> You can express this more compactly as:

>

> --8<---------------cut here---------------start------------->8---

> (define directory-tree?

> (match-lambda

> ((((? string?) (? file-like?)) ...) #t)

> (_ #f)))

> --8<---------------cut here---------------end--------------->8---

>

> > + (user

> > + (string "rspamd")

> > + "The user to run rspamd as.")

> > + (group

> > + (string "rspamd")

> > + "The group to run rspamd as.")

>

> How about using user-account and user-group records instead? (see

> vnstat-service-type for an example)

>

> > + (pid-file

> > + (string "/var/run/rspamd/rspamd.pid")

> > + "Where to store the PID file.")

>

> Is it useful to expose this?

>

>

> > + (insecure?

> > + (boolean #f)

> > + "Ignore running workers as privileged users (insecure).")

>

> To me it seems redundant to restate “(insecure)” in the description.

>

> > + (make-forkexec-constructor

> > + (list #$rspamd "-c" #$config-file

>

> I'd prefer the long-name --config over the shorter ones here.

> > + "--var" (string-append "LOCAL_CONFDIR=" #$local-confdir)

>

> Curiously I don't see this listed in the 'rspamd' manpage although

> it is on the 'rspamadm' one. Can you confirm whether this works

> and if so, report to upstream that their docs are missing this?

> > + (service-extension profile-service-type

> > + (compose list rspamd-configuration-package))

>

> What's the motivation for adding the rspamd package to the profile?

> > +(define %rspamd-os

> > + (simple-operating-system

> > + (service dhcp-client-service-type)

> > + (service rspamd-service-type)))

>

> Is 'dhcp-client-service-type' needed for this system test?

> I haven't tested it but it looks unnecessary to me.

> > + ;; Check that we can access the web ui

> > + (test-equal "http-get"

> > + 200

> > + (begin

> > + (let-values (((response text)

> > + (http-get "http://localhost:22668/"

> > + #:decode-body? #t)))

> > + (response-code response))))

>

> IMO if you're only interested in the HTTP response code a http-head

> is the better option, unless the program handles those requests

> differently. Also, since 'text' isn't used you can simplify this to:

>

> --8<---------------cut here---------------start------------->8---

> ;; Don't forget to remove the unused (srfi srfi-11) import.

>

> (test-equal "Web UI is accessible"

> 200

> (response-code (http-head "http://localhost:22668/")))

> --8<---------------cut here---------------end--------------->8---

> > + (test-assert "rspamd pid ready"

> > + (marionette-eval

> > + '(file-exists? "/var/run/rspamd/rspamd.pid")

> > + marionette))

>

> There's a procedure dedicated for this:

>

> --8<---------------cut here---------------start------------->8---

> (test-assert "rspamd pid ready"

> (wait-for-file #$(rspamd-configuration-pid-file (rspamd-configuration)) marionette)))

> --8<---------------cut here---------------end--------------->8---

> > +(define %test-rspamd

> > + (system-test

> > + (name "rspamd")

> > + (description "Send an email to a running rspamd server.")

> > + (value (run-rspamd-test))))

>

> I'd change the description to something like "Basic rspamd service test."

> as the current one is misleading.

> On Wed, Dec 06, 2023 at 02:58:19PM +0000, Bruno Victal wrote:

>> On 2023-09-16 21:10, Saku Laesvuori wrote:

>>> + "--var" (string-append "LOCAL_CONFDIR=" #$local-confdir)

>>

>> Curiously I don't see this listed in the 'rspamd' manpage although

>> it is on the 'rspamadm' one. Can you confirm whether this works

>> and if so, report to upstream that their docs are missing this?

>

> It does work; I've used it since before I submitted this patch. The

> `--var` option is listed on `rspamd --help`. Unfortunately, Rspamd

> tracks their issues on Github and I'd prefer not registering an account

> there.

>>> + (service-extension profile-service-type

>>> + (compose list rspamd-configuration-package))

>>

>> What's the motivation for adding the rspamd package to the profile?

>

> That was also there when I picked up this patch. I assume it is added to

> the profile so that the `rspamadm` and `rspamc` programs are available

> and compatible with the daemon. I don't have strong feelings about this

> in either direction.

> +(define (list-of-symbols? x)

> + (and (list? x)

> + (every symbol? x)))

> + (shepherd-action

> + (name 'reopenlog)

> + (documentation "Reopen log files.")

> +(define %rspamd-os

> + (simple-operating-system

> + (service dhcp-client-service-type)

> + (service rspamd-service-type

> + (rspamd-configuration

> + (shepherd-requirements '(networking))

> + (local.d-files `(("worker-controller.inc"

> + ,(plain-file

> + "rspamd-public-web-controller.conf"

> + "bind_socket = \"0.0.0.0:11334\";"))))))))

> +(define (run-rspamd-test)

> + "Return a test of an OS running Rspamd service."

> +

> + (define rspamd-ports

> + '((22668 . 11334))) ;; web controller

> +

> + (define vm

> + (virtual-machine

> + (operating-system (marionette-operating-system

> + %rspamd-os

> + #:imported-modules '((gnu services herd))))

> + (port-forwardings rspamd-ports)))

> + ;; Check that we can access the web ui

> +

> + (test-equal "http-get"

> + 200

> + (response-code (http-get "http://localhost:22668/"))) ; HEAD is unsupported

> >>> + (service-extension profile-service-type

> >>> + (compose list rspamd-configuration-package))

> >>

> >> What's the motivation for adding the rspamd package to the profile?

> >

> > That was also there when I picked up this patch. I assume it is added to

> > the profile so that the `rspamadm` and `rspamc` programs are available

> > and compatible with the daemon. I don't have strong feelings about this

> > in either direction.

>

> I think it's better to omit this, users who are interested in the tools

> can use 'guix shell rspamd'.

> > +(define (list-of-symbols? x)

> > + (and (list? x)

> > + (every symbol? x)))

>

> list-of-symbols? is already defined in (gnu services configuration),

> you can omit this.

> > + (shepherd-action

> > + (name 'reopenlog)

> > + (documentation "Reopen log files.")

>

> Missed this in my previous reply, I'd prefer naming this action as

> 'reopen instead.

> > +(define %rspamd-os

> > + (simple-operating-system

> > + (service dhcp-client-service-type)

>

> […]

>

> > + (service rspamd-service-type

> > + (rspamd-configuration

> > + (shepherd-requirements '(networking))

> > + (local.d-files `(("worker-controller.inc"

> > + ,(plain-file

> > + "rspamd-public-web-controller.conf"

> > + "bind_socket = \"0.0.0.0:11334\";"))))))))

>

> I wonder if you could remove dhcp-client-service-type and use the

> loopback device for this test instead, by binding to '[::1]' or '127.0.0.1'.

> (You don't need to add %loopback-static-networking here since it is already

> included in %base-services.)

>

> > +(define (run-rspamd-test)

> > + "Return a test of an OS running Rspamd service."

> > +

> > + (define rspamd-ports

> > + '((22668 . 11334))) ;; web controller

>

> […]

>

> > +

> > + (define vm

> > + (virtual-machine

> > + (operating-system (marionette-operating-system

> > + %rspamd-os

> > + #:imported-modules '((gnu services herd))))

> > + (port-forwardings rspamd-ports)))

>

> […]

>

> > + ;; Check that we can access the web ui

> > +

> > + (test-equal "http-get"

> > + 200

> > + (response-code (http-get "http://localhost:22668/"))) ; HEAD is unsupported

>

> Actually I've realized that these port-forwards are unnecessary

> and it would be better to instead do:

>

> --8<---------------cut here---------------start------------->8---

> ;; Note: remove (web client) and (web response) in the imports above

> ;; i.e. after the #~(begin (use-modules …

>

> (test-equal "http-get"

> 200

> (marionette-eval

> '(begin

> (use-modules (web client)

> (web response))

> (response-code (http-head "http://localhost:11334/")))

> marionette))

> --8<---------------cut here---------------end--------------->8---

> * gnu/services/mail.scm (rspamd-service-type): New variable.

> * gnu/tests/mail.scm (%test-rspamd): New variable.

> * doc/guix.texi: Document it.

>

> Co-authored-by: Saku Laesvuori <saku@laesvuori.fi>

> Change-Id: I7196643f087ffe9fc91aab231b69d5ed8dc9d198