1 { pkgs, lib, config, ... }:
3 inherit (builtins) attrNames listToAttrs readFile;
5 inherit (pkgs.lib) unlinesAttrs;
6 inherit (config.security) gnupg;
7 inherit (config.services) postfix rspamd dovecot2 redis;
8 inherit (config.users) users groups;
12 rspamd/autogeree.net.nix
13 rspamd/sourcephile.fr.nix
16 services.rspamd.dkimSelectorMap = lib.mkOption {
19 description = ''Each line maps a domain to its active DKIM selector'';
20 apply = s: pkgs.writeText "dkim_selectors.map" s;
24 users.users."${rspamd.user}".extraGroups = [
31 postfix.enable = postfix.enable;
33 "dkim_signing.conf".text = ''
34 selector_map = ${rspamd.dkimSelectorMap};
35 path = "/run/keys/gnupg/rspamd/dkim/$domain/$selector.key/file";
36 allow_username_mismatch = true;
39 selector_map = ${rspamd.dkimSelectorMap};
40 path = "/run/keys/gnupg/rspamd/dkim/$domain/$selector.key/file";
41 allow_username_mismatch = true;
43 "redis.conf".text = ''
44 servers = "${redis.unixSocket}";
47 "classifier-bayes.conf".text = ''
48 users_enabled = false;
50 servers = "${redis.unixSocket}";
68 debug_modules = [“dkim_signing”]
73 "milter_headers.conf".text = ''
74 extended_spam_headers = true;
76 "actions.conf".text = ''
77 reject = 15; # Reject when reaching this score
78 add_header = 6; # Add header when reaching this score
79 greylist = 4; # Apply greylisting when reaching this score (will emit `soft reject action`)
84 # Like controller but without a password, only the bindSockets' permissions
86 includes = [ "$CONFDIR/worker-controller.inc" ];
88 { socket = "/run/rspamd/learner.sock";
90 owner = "${rspamd.user}";
91 group = "${dovecot2.group}";
99 "$CONFDIR/worker-controller.inc"
100 gnupg.secrets."rspamd/controller/hashedPassword".path
107 #static_dir = "''${WWWDIR}";
112 security.gnupg.secrets."rspamd/controller/hashedPassword" = {
113 # Generated with: rspamadm pw
115 pipe = ''${pkgs.gnused}/bin/sed -e 's/.*/password = "\0";/' '';
116 systemdConfig.postStart = "systemctl try-restart --no-block rspamd"; # rspamd does not support reloading so far
118 systemd.services.rspamd = {
119 wants = [ gnupg.secrets."rspamd/controller/hashedPassword".service ];
120 after = [ gnupg.secrets."rspamd/controller/hashedPassword".service ];
123 services.postfix.extraConfig = ''
124 smtpd_milters = unix:/run/rspamd.sock
125 milter_default_action = accept
127 # Allow users to run 'rspamc' and 'rspamadm'.
128 environment.systemPackages = [ pkgs.rspamd ];