rspamd: fix DKIM for hostName and polish conf

[sourcephile-nix.git] / servers / mermet / rspamd.nix

{ pkgs, lib, config, ... }:
let inherit (builtins) attrNames listToAttrs readFile;
    inherit (builtins.extraBuiltins) pass pass-chomp;
    inherit (lib) types;
    inherit (pkgs.lib) unlinesAttrs;
    inherit (config) networking;
    inherit (config.services) postfix rspamd dovecot2;
in
{
  systemd.services.rspamd.after =
    lib.mapAttrsToList
    (domain: dom: "dkim.${domain}.${dom.selector}.key-key.service")
    rspamd.dkim.domains;
  deployment.keys = lib.mapAttrs'
    (domain: dom:
      lib.nameValuePair "dkim.${domain}.${dom.selector}.key" {
        text  = pass dom.selectors."${dom.selector}".key;
        user  = rspamd.user;
        group = "root";
        destDir = "/run/keys/";
        permissions = "0400"; # WARNING: not enforced when deployment.storeKeysOnMachine = true
      })
    rspamd.dkim.domains;
  users.users."${rspamd.user}".extraGroups = [ "keys" ];
  services.rspamd = {
    enable = true;
    debug = false;
    postfix = {
      enable = postfix.enable;
    };
    dkim = {
      enable = true;
      domains = {
        "${networking.hostName}" = {
          selector = "20200101";
          selectors = {
            "20200101" = {
              key = "dkim/${networking.domain}/20200101.key";
              dns = readFile (rspamd/dkim + "/${networking.domain}/20200101.dns");
            };
          };
        };
        "${networking.domain}" = {
          selector = "20200101";
          selectors = {
            "20200101" = {
              key = "dkim/${networking.domain}/20200101.key";
              dns = readFile (rspamd/dkim + "/${networking.domain}/20200101.dns");
            };
          };
        };
      };
    };
    locals =
      let selector_map_file =
        pkgs.writeText "dkim_selectors.map"
          (unlinesAttrs
            (domain: dom: "${domain} ${dom.selector}")
            rspamd.dkim.domains);
      in {
      "dkim_signing.conf".text = ''
        selector_map = ${selector_map_file};
        path = "/run/keys/dkim.$domain.$selector.key";
        allow_username_mismatch = true;
      '';
      "arc.conf".text = ''
        selector_map = ${selector_map_file};
        path = "/run/keys/dkim.$domain.$selector.key";
        allow_username_mismatch = true;
      '';
      /*
      "logging.conf" = ''
        debug_modules = [“dkim_signing”]
      '';
      */
    };
    overrides = {
      "milter_headers.conf".text = ''
        extended_spam_headers = true;
      '';
      "actions.conf".text = ''
        reject     = 15; # Reject when reaching this score
        add_header =  6; # Add header when reaching this score
        greylist   =  4; # Apply greylisting when reaching this score (will emit `soft reject action`)
      '';
    };
    workers = {
      learner = {
        # Like controller but without a password, only the bindSockets' permissions
        type = "controller";
        includes = [ "$CONFDIR/worker-controller.inc" ];
        bindSockets = [
          { socket = "/run/rspamd/learner.sock";
            mode = "0660";
            owner = "${rspamd.user}";
            group = "${dovecot2.group}";
          }
        ];
        extraConfig = ''
        '';
      };
      controller = {
        includes = [ "$CONFDIR/worker-controller.inc" ];
        bindSockets = [
          "127.0.0.1:11334"
        ];
        extraConfig = ''
          #count = 1;
          #static_dir = "''${WWWDIR}";
          # USE: rspamadm pw
          password = "${pass-chomp "servers/mermet/rspamd/controller/hashedPassword"}";
        '';
      };
    };
  };
  /*
  services.postfix.extraConfig = ''
    smtpd_milters = unix:/run/rspamd.sock
    milter_default_action = accept
  '';
  # Allow users to run 'rspamc' and 'rspamadm'.
  environment.systemPackages = [ pkgs.rspamd ];
  */

  /*
  services.redis = {
    enable = true;
  };
  */
}