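# rspamd on the "mermet" server: DKIM/ARC signing with private keys deployed
# by NixOps under /run/keys/, a password-protected controller on localhost and
# a password-less "learner" controller on a Unix socket shared with dovecot.
{ pkgs, lib, config, ... }:
let
  inherit (builtins.extraBuiltins) pass pass-chomp;
  inherit (lib) mapAttrs' mapAttrsToList nameValuePair;
  inherit (pkgs.lib) unlinesAttrs;
  inherit (config) networking;
  inherit (config.services) postfix rspamd dovecot2;

  # One NixOps key per signing domain, named after the domain and its active
  # selector. The same name is used for the "<key>-key.service" unit and for
  # the file rspamd reads under /run/keys/ (see `path` in the locals below).
  dkimKeyName = domain: dom: "dkim.${domain}.${dom.selector}.key";
  dkimKeyServices =
    mapAttrsToList
      (domain: dom: "${dkimKeyName domain dom}-key.service")
      rspamd.dkim.domains;
in
{
  # Start rspamd only once its DKIM private keys are in place. `after` alone
  # merely orders rspamd behind the key units when they are started; `wants`
  # additionally pulls them in, so a missing key is noticed at boot rather
  # than when the first message is signed.
  systemd.services.rspamd = {
    after = dkimKeyServices;
    wants = dkimKeyServices;
  };

  # `pass` reads each private key out of the password store at evaluation
  # time; NixOps then ships it to /run/keys/ on the target, readable only by
  # the rspamd user.
  deployment.keys = mapAttrs'
    (domain: dom:
      nameValuePair (dkimKeyName domain dom) {
        text = pass dom.selectors."${dom.selector}".key;
        user = rspamd.user;
        group = "root";
        destDir = "/run/keys/";
        permissions = "0400"; # WARNING: not enforced when deployment.storeKeysOnMachine = true
      })
    rspamd.dkim.domains;

  # Membership of "keys" is what lets the rspamd user traverse /run/keys/.
  users.users."${rspamd.user}".extraGroups = [ "keys" ];

  services.rspamd = {
    enable = true;
    debug = false;
    postfix = {
      enable = postfix.enable;
    };
    dkim = {
      enable = true;
      domains = {
        "${networking.domainBase}.fr" = {
          # Selector currently used for signing; older selectors can stay
          # listed in `selectors` while their DNS records are phased out.
          selector = "20200101";
          selectors = {
            "20200101" = {
              # Path inside the password store (resolved by `pass` above).
              key = "dkim/${networking.domainBase}.20200101.key";
              # Public half, as the TXT record to publish in the zone.
              dns = ''
                20200101._domainkey IN TXT ( "v=DKIM1; k=rsa; "
                  "p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA7EKzverbG+5JF+yFjH3MrxLyauiHyLqBbV/8LEMunoKXF8sqhBpQtAQXruLqsyUkxR/4CAyPMyzmcdrU43boMj9yFqLrg/kEz2RIvai9jXBqRoWRW1y7F0LbZmdtOTncuDSP8Zzo02XUzsOC4f/C3tEQHS5rc"
                  "hzfhU5FY1CeO6eBMV79qKBOvGMKahQTrrtU6olAAJxOhn6wRuwSf"
                  "+m3on1OqiuXYYIgNHKdRhJ8gDwIm/3LEpYMD0gTgJiyclCLoLGHGtKZy1Wf9xV9/7V6fHE4JW5SDivwslVTL+KPXOlIpo5NDHpMxPYOcIg2K4Rj/j7jhavo+fG43q1LhwaPkEMQMbplgnjeMY8300odRiklTkMMpH0m35ZNeHQJSRpEtV8y5xUNxVaGzfqX5iStwV/mQ1Kn"
                  "ZSe8ORTNq+eTTFnDk6zdUXjagcf0wO6QsSTeAz/G8CqOBbwmrU+q"
                  "F8WbGAeRnhz51mH6fTTfsQ1nwjAiF4ou+eQGTkTMN23KkCKpuozJnxqx4DCEr6J1bL83fhXw7CgcfgKgTOk/HFJpeiGhqodw18r4DWBA6G57z9utm7Mr/9SoVnMq6iK9iEcbCllLR8Sz4viatLSRzhodbk7hfvXS3jmCFjILAjFmA7aMTemDMBDQhpAGF9F8sjFUbEJIZjK"
                  "rWWtSTdO8DilDqN8CAwEAAQ=="
                );
              '';
            };
          };
        };
      };
    };

    locals =
      let
        # "<domain> <selector>" per line: rspamd looks up here which
        # selector (and hence which key file) to sign a given domain with.
        selectorMapFile =
          pkgs.writeText "dkim_selectors.map"
            (unlinesAttrs
              (domain: dom: "${domain} ${dom.selector}")
              rspamd.dkim.domains);
        # DKIM and ARC sign with the same keys and the same selector map, so
        # both modules share one configuration. `$domain`/`$selector` are
        # expanded by rspamd, not by Nix; the key file name must match
        # `dkimKeyName` above.
        signingConf = ''
          selector_map = ${selectorMapFile};
          path = "/run/keys/dkim.$domain.$selector.key";
          allow_username_mismatch = true;
        '';
      in {
        "dkim_signing.conf".text = signingConf;
        "arc.conf".text = signingConf;
        /*
        "logging.conf" = ''
          debug_modules = ["dkim_signing"]
        '';
        */
      };

    overrides = {
      "milter_headers.conf".text = ''
        extended_spam_headers = true;
      '';
      "actions.conf".text = ''
        reject = 15; # Reject when reaching this score
        add_header = 6; # Add header when reaching this score
        greylist = 4; # Apply greylisting when reaching this score (will emit `soft reject action`)
      '';
    };

    workers = {
      learner = {
        # Like controller but without a password, only the bindSockets' permissions.
        # The socket's mode/owner/group is therefore the only access control on
        # this worker: it is restricted to the rspamd user and dovecot's group,
        # which is what lets dovecot feed messages to the spam/ham learner.
        type = "controller";
        includes = [ "$CONFDIR/worker-controller.inc" ];
        bindSockets = [
          { socket = "/run/rspamd/learner.sock";
            mode = "0660";
            owner = "${rspamd.user}";
            group = "${dovecot2.group}";
          }
        ];
        extraConfig = ''
        '';
      };
      controller = {
        includes = [ "$CONFDIR/worker-controller.inc" ];
        # Loopback only; the web UI / rspamc access is gated by the password below.
        bindSockets = [
          "127.0.0.1:11334"
        ];
        # NOTE(review): worker config is rendered by the NixOS module, presumably
        # into the world-readable Nix store — only the `rspamadm pw` hash may be
        # placed here, never a plaintext password.
        extraConfig = ''
          #count = 1;
          #static_dir = "''${WWWDIR}";
          # USE: rspamadm pw
          password = "${pass-chomp "servers/mermet/rspamd/controller/hashedPassword"}";
        '';
      };
    };
  };

  /*
  services.postfix.extraConfig = ''
    smtpd_milters = unix:/run/rspamd.sock
    milter_default_action = accept
  '';
  # Allow users to run 'rspamc' and 'rspamadm'.
  environment.systemPackages = [ pkgs.rspamd ];
  */

  /*
  services.redis = {
    enable = true;
  };
  */
}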