# NixOS module for the rspamd spam filter on this host: rspamd itself, the
# redis instance dedicated to it, and the ZFS dataset / snapshot policy behind
# that redis instance.
# Secrets (DKIM/ARC private keys, the controller password) are not kept in the
# Nix store: they are handed to the service at start-up as systemd credentials
# and read from /run/credentials/rspamd.service/.
{ pkgs, lib, config, inputs, hostName, ... }:
let
  inherit (lib) types;
  inherit (config.services) postfix rspamd dovecot2;
  # The rspamd-only redis server declared further down in this file
  # (services.redis.servers.rspamd); used for its unix socket path.
  redis = config.services.redis.servers.rspamd;
  # NOTE(review): `users`/`groups`, like the `inputs` and `hostName` arguments,
  # are not referenced anywhere in this file.
  inherit (config.users) users groups;
in
{
  # Per-domain DKIM/ARC configuration (selectors and, presumably, the matching
  # key credentials) lives in these modules — verify there if a key is missing.
  imports = [
    rspamd/autogeree.net.nix
    rspamd/sourcephile.fr.nix
  ];
  options = {
    # Collected text of rspamd's DKIM `selector_map`: one line per domain
    # (see `description`). Definitions from several modules are concatenated
    # (types.lines); `apply` writes the result to a store file, so the option's
    # final value is a path — which is what the rspamd config below interpolates.
    services.rspamd.dkimSelectorMap = lib.mkOption {
      type = types.lines;
      default = "";
      description = ''Each line maps a domain to its active DKIM selector'';
      apply = s: pkgs.writeText "dkim_selectors.map" s;
    };
  };
  config = {
    # Presumably so that the rspamd user may open the redis unix socket owned by
    # the redis-rspamd instance — confirm against the socket's group/permissions.
    users.groups.redis-rspamd.members = [ rspamd.user ];
    services.rspamd = {
      enable = true;
      debug = false;
      # Hook rspamd into postfix as a milter only when postfix runs on this host.
      postfix.enable = postfix.enable;
      # Files placed in rspamd's local.d/ (merged with the stock defaults).
      locals = {
        # DKIM signing: the selector per domain comes from dkimSelectorMap and the
        # private key is read from the systemd credential "<domain>.<selector>.key",
        # so no key material is in the Nix store. allow_username_mismatch relaxes
        # rspamd's check that the SMTP-auth username matches the signing domain.
        "dkim_signing.conf".text = ''
          selector_map = ${rspamd.dkimSelectorMap};
          path = "/run/credentials/rspamd.service/$domain.$selector.key";
          allow_username_mismatch = true;
        '';
        # ARC sealing reuses the same selectors and keys as DKIM signing.
        "arc.conf".text = ''
          selector_map = ${rspamd.dkimSelectorMap};
          path = "/run/credentials/rspamd.service/$domain.$selector.key";
          allow_username_mismatch = true;
        '';
        # Generic redis backend for rspamd modules: the dedicated instance over its
        # unix socket, database 1.
        "redis.conf".text = ''
          servers = "${redis.unixSocket}";
          db = "1";
        '';
        # Bayes classifier storage: same redis instance and database as above,
        # shared (not per-user) statistics, with autolearn.
        # `expire = 86400` presumably gives learned tokens a one-day TTL — this is
        # what the `volatile-ttl` eviction policy of the redis instance acts on.
        "classifier-bayes.conf".text = ''
          users_enabled = false;
          backend = "redis";
          servers = "${redis.unixSocket}";
          database = "1";
          autolearn = true;
          cache {
            backend = "redis";
          }
          new_schema = true;
          expire = 86400;
          statfile {
            BAYES_HAM {
              spam = false;
            }
            BAYES_SPAM {
              spam = true;
            }
          }
        '';
        # Disabled debug logging for the signing module. NOTE(review): the quotes
        # around dkim_signing are typographic (“ ”), not ASCII "; fix them before
        # re-enabling this block.
        /*
        "logging.conf" = ''
          debug_modules = [“dkim_signing”]
        '';
        */
      };
      # Files placed in rspamd's override.d/ (replacing the stock values).
      overrides = {
        "milter_headers.conf".text = ''
          extended_spam_headers = true;
        '';
        # Score thresholds, from harshest to mildest action.
        "actions.conf".text = ''
          reject = 15; # Reject when reaching this score
          add_header = 6; # Add header when reaching this score
          greylist = 4; # Apply greylisting when reaching this score (will emit `soft reject action`)
        '';
      };
      workers = {
        # Second controller instance for ham/spam learning, reachable only through
        # a unix socket. NOTE(review): with no password, the socket permissions are
        # the only access control — every process in dovecot2.group can drive this
        # controller, so keep that group limited to what needs to learn.
        # NOTE(review): the stock worker-controller.inc carries its own settings;
        # confirm (e.g. with rspamadm's config dump) that this worker ends up bound
        # to the unix socket only.
        learner = {
          # Like controller but without a password, only the bindSockets' permissions
          type = "controller";
          includes = [ "$CONFDIR/worker-controller.inc" ];
          bindSockets = [
            {
              socket = "/run/rspamd/learner.sock";
              mode = "0660";
              owner = "${rspamd.user}";
              group = "${dovecot2.group}";
            }
          ];
          extraConfig = ''
          '';
        };
        # Main controller on loopback only. The included credential file is the
        # decrypted "controller.inc" loaded via LoadCredentialEncrypted below;
        # presumably it holds the password settings — verify in the .cred source.
        controller = {
          includes = [
            "$CONFDIR/worker-controller.inc"
            "/run/credentials/rspamd.service/controller.inc"
          ];
          bindSockets = [
            "127.0.0.1:11334"
          ];
          # ''${WWWDIR} is the Nix escape for a literal ${WWWDIR} in this string.
          extraConfig = ''
            #count = 1;
            #static_dir = "''${WWWDIR}";
          '';
        };
      };
    };
    systemd.services.rspamd = {
      serviceConfig = {
        # systemd decrypts this at service start into
        # /run/credentials/rspamd.service/controller.inc. Interpolating the path
        # copies the .cred file into the Nix store; that is only acceptable because
        # the file is systemd-creds encrypted, never store a plaintext secret here.
        LoadCredentialEncrypted = [
          "controller.inc:${rspamd/controller.inc.cred}"
        ];
      };
    };

    # Dedicated ZFS dataset for the redis-rspamd state, snapshotted by sanoid:
    # 7 daily snapshots, no monthly ones.
    fileSystems."/var/lib/redis-rspamd" = {
      device = "rpool/var/redis-rspamd";
      fsType = "zfs";
    };
    services.sanoid.datasets."rpool/var/redis-rspamd" = {
      use_template = [ "snap" ];
      daily = 7;
      monthly = 0;
    };

    services.redis.vmOverCommit = true;
    # Redis instance used exclusively by rspamd (database 1 above). Memory is
    # capped at 64MB; `volatile-ttl` evicts only keys that carry a TTL, so data
    # without an expiry is never dropped by the cap.
    services.redis.servers.rspamd = {
      enable = true;
      databases = 16;
      syslog = true;
      # RDB snapshot after 1800s if >=100 keys changed, or after 300s if >=1000.
      save = [ [ 1800 100 ] [ 300 1000 ] ];
      # Unix socket permissions are left at the module default.
      #unixSocketPerm = "660";
      settings = {
        maxmemory = "64MB";
        maxmemory-policy = "volatile-ttl";
      };
    };
    # Manual postfix milter wiring, presumably superseded by
    # services.rspamd.postfix.enable above.
    /*
    services.postfix.extraConfig = ''
      smtpd_milters = unix:/run/rspamd.sock
      milter_default_action = accept
    '';
    # Allow users to run 'rspamc' and 'rspamadm'.
    environment.systemPackages = [ pkgs.rspamd ];
    */
  };
}