creds: finish to migrate to systemd-creds.nix
1 { pkgs, lib, config, inputs, hostName, ... }:
2 let
3 inherit (builtins) attrNames listToAttrs readFile;
4 inherit (lib) types;
5 inherit (pkgs.lib) unlinesAttrs;
6 inherit (config.services) postfix rspamd dovecot2;
7 redis = config.services.redis.servers.rspamd;
8 inherit (config.users) users groups;
9 in
10 {
# Per-domain rspamd configuration, one module per mail domain served here
# (presumably the selector_map lines and key credentials used by the signing
# config below — confirm against those files).
imports = [ ./rspamd/autogeree.net.nix ./rspamd/sourcephile.fr.nix ];
# Extension point filled in by the per-domain modules: the DKIM selector map
# rspamd's dkim_signing/arc modules read (`domain selector` per line).
options.services.rspamd.dkimSelectorMap = lib.mkOption {
  type = types.lines;
  default = "";
  description = ''Each line maps a domain to its active DKIM selector'';
  # The merged text is materialised as a Nix store file, so consumers of this
  # option get the (world-readable, but non-secret) file's path, not the text.
  apply = mapLines: pkgs.writeText "dkim_selectors.map" mapLines;
};
23 config = {
# Let rspamd reach the Redis unix socket used below: the socket is presumably
# owned by the redis-rspamd group that NixOS creates for
# services.redis.servers.rspamd, with group-accessible permissions — confirm.
users.groups."redis-rspamd".members = [ config.services.rspamd.user ];
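services.rspamd = let
  # dkim_signing and arc were configured with identical text; keep one copy so
  # the two modules cannot drift apart.  The text is rspamd UCL, so "#" lines
  # are comments in the generated file.
  signingConfig = ''
    selector_map = ${rspamd.dkimSelectorMap};
    # Keys are read from the systemd credentials directory of rspamd.service.
    # This file only loads controller.inc there (see systemd.services.rspamd);
    # the per-domain key credentials are presumably added by the imported
    # rspamd/<domain>.nix modules. Confirm before relying on it.
    path = "/run/credentials/rspamd.service/$domain.$selector.key";
    # NOTE(review): with allow_username_mismatch the SMTP-auth username is not
    # required to match the From domain, so any authenticated user can obtain a
    # signature for any domain listed in selector_map. Cross-domain spoofing is
    # then only prevented by Postfix sender/login restrictions; verify they exist.
    allow_username_mismatch = true;
  '';
in {
  enable = true;
  debug = false;
  # Let the NixOS module wire the rspamd milter into Postfix when Postfix runs
  # here.  Whether Postfix fails open (accepts unscanned mail) or closed while
  # rspamd is down is decided by that module's milter settings — pin
  # milter_default_action in services.postfix.config if a specific behaviour
  # is required.
  postfix.enable = postfix.enable;
  locals = {
    "dkim_signing.conf".text = signingConfig;
    "arc.conf".text = signingConfig;
    # Redis defaults for rspamd modules: database 1 of the local instance,
    # reached over its unix socket (no TCP, no password).
    "redis.conf".text = ''
      servers = "${redis.unixSocket}";
      db = "1";
    '';
    # Bayes classifier kept in the same Redis database; tokens expire after
    # one day (86400 s), which together with volatile-ttl eviction bounds the
    # instance's memory use.
    "classifier-bayes.conf".text = ''
      users_enabled = false;
      backend = "redis";
      servers = "${redis.unixSocket}";
      database = "1";
      autolearn = true;
      cache {
        backend = "redis";
      }
      new_schema = true;
      expire = 86400;
      statfile {
        BAYES_HAM {
          spam = false;
        }
        BAYES_SPAM {
          spam = true;
        }
      }
    '';
    # Kept for troubleshooting DKIM signing; the snippet now has the `.text`
    # attribute and plain ASCII quotes so it is valid when uncommented.
    /*
    "logging.conf".text = ''
      debug_modules = ["dkim_signing"];
    '';
    */
  };
  overrides = {
    "milter_headers.conf".text = ''
      extended_spam_headers = true;
    '';
    "actions.conf".text = ''
      reject = 15; # Reject when reaching this score
      add_header = 6; # Add header when reaching this score
      greylist = 4; # Apply greylisting when reaching this score (will emit `soft reject action`)
    '';
  };
  workers = {
    # Like controller but without a password: the unix socket's permissions are
    # the only access control, granting rspamd's own user and the dovecot group.
    # NOTE(review): a controller worker presumably serves its whole API to
    # local socket peers (saving maps/actions, fuzzy ops, ...), not only the
    # learn endpoints — confirm, and keep the set of processes running in
    # ${dovecot2.group} as small as possible.
    learner = {
      type = "controller";
      includes = [ "$CONFDIR/worker-controller.inc" ];
      bindSockets = [
        {
          socket = "/run/rspamd/learner.sock";
          mode = "0660";
          owner = rspamd.user;
          group = dovecot2.group;
        }
      ];
      # (the previous empty extraConfig was a no-op and is dropped)
    };
    # Password-protected controller on loopback only.  The password settings
    # presumably live in controller.inc, which is shipped only as a
    # systemd-encrypted credential and decrypted into the unit's credentials
    # directory at start (see systemd.services.rspamd), so the plaintext never
    # lands in the world-readable Nix store.
    controller = {
      includes = [
        "$CONFDIR/worker-controller.inc"
        "/run/credentials/rspamd.service/controller.inc"
      ];
      bindSockets = [ "127.0.0.1:11334" ];
      # Upstream defaults kept here for reference instead of as commented-out
      # UCL in the generated file:
      #   count = 1;
      #   static_dir = "${WWWDIR}";
    };
  };
};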
# controller.inc is stored in the repository only in encrypted form
# (controller.inc.cred); systemd decrypts it at unit start — typically with the
# TPM2 and/or the host's /var/lib/systemd/credential.secret key, so the file is
# useless on any other machine — and exposes the plaintext to the service user
# as /run/credentials/rspamd.service/controller.inc, the path included by the
# controller worker above.  Note that this is the only credential loaded here;
# the per-domain DKIM key credentials expected by dkim_signing.conf/arc.conf
# are presumably provided by the imported rspamd/<domain>.nix modules.
systemd.services.rspamd.serviceConfig.LoadCredentialEncrypted = [
  "controller.inc:${inputs.self}/hosts/${hostName}/rspamd/controller.inc.cred"
];
117
# Redis state on its own ZFS dataset; the mount point is presumably the
# default dataDir of services.redis.servers.rspamd — confirm.
fileSystems."/var/lib/redis-rspamd" = { fsType = "zfs"; device = "rpool/var/redis-rspamd"; };
# Snapshot it with sanoid's `snap` template (defined elsewhere), keeping only a
# week of daily snapshots and no monthly ones.
services.sanoid.datasets."rpool/var/redis-rspamd" = {
  use_template = [ "snap" ];
  daily = 7;
  monthly = 0;
};
127
services.redis = {
  # NOTE(review): this sets the host-wide sysctl vm.overcommit_memory (to 1),
  # not a per-instance knob — every process on the host is affected.
  vmOverCommit = true;
  servers.rspamd = {
    enable = true;
    databases = 16;
    syslog = true;
    # RDB snapshot schedule: after 1800 s with >= 100 changes,
    # or after 300 s with >= 1000 changes.
    save = [ [ 1800 100 ] [ 300 1000 ] ];
    # unixSocketPerm = "660";  (left at the module default; see the
    #                            redis-rspamd group membership above)
    settings = {
      maxmemory = "64MB";
      # Evict only keys that carry a TTL, shortest first.  Keys without a TTL
      # are never evicted, so if they alone fill the 64MB Redis starts
      # refusing writes rather than dropping data.
      maxmemory-policy = "volatile-ttl";
    };
  };
};
# Presumably superseded by `services.rspamd.postfix.enable` above, which lets
# the NixOS module add the milter to Postfix itself; kept for reference.  Note
# `milter_default_action = accept` fails open: mail is accepted unscanned
# whenever rspamd is unreachable.
/*
services.postfix.extraConfig = ''
  smtpd_milters = unix:/run/rspamd.sock
  milter_default_action = accept
'';
# Allow users to run 'rspamc' and 'rspamadm'.
environment.systemPackages = [ pkgs.rspamd ];
*/
148 };
149 }