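{ pkgs, lib, config, ... }:
# rspamd on mermet: milter for Postfix, DKIM/ARC signing, and the controller
# (admin UI/API). DKIM private keys are NixOps keys read from the password
# store at evaluation time; only the public keys (DNS records) live in this
# file.
let
  inherit (builtins) attrNames listToAttrs;
  inherit (builtins.extraBuiltins) pass pass-chomp;
  inherit (lib) types;
  inherit (pkgs.lib) unlinesAttrs;
  inherit (config) networking;
  inherit (config.services) postfix rspamd;
in
{
  # Do not start rspamd before every DKIM private key has been deployed:
  # each deployment.keys.<name> is materialised by <name>-key.service.
  systemd.services.rspamd.after =
    lib.mapAttrsToList
      (domain: dom: "dkim.${domain}.${dom.selector}-key.service")
      rspamd.dkim.domains;

  # One key per signing domain, holding the private key of the currently
  # active selector (dom.selector); older selectors stay listed under
  # dom.selectors so their DNS records can be kept during a rotation.
  deployment.keys = lib.mapAttrs'
    (domain: dom:
      lib.nameValuePair "dkim.${domain}.${dom.selector}" {
        text = pass dom.selectors."${dom.selector}".key;
        user = rspamd.user;
        group = rspamd.group;
        destDir = "/var/lib/rspamd/dkim/";
        permissions = "0400"; # WARNING: not enforced when deployment.storeKeysOnMachine = true
      })
    rspamd.dkim.domains;

  services.rspamd = {
    enable = true;
    debug = false;
    postfix = {
      enable = postfix.enable;
    };
    dkim = {
      enable = true;
      domains = {
        "${networking.domainBase}.fr" = {
          # Selector currently used for signing; must exist in `selectors`.
          selector = "20200101";
          selectors = {
            "20200101" = {
              # Password-store path of the private key (read by `pass` above).
              key = "dkim/${networking.domainBase}/20200101/key";
              # Public key record to publish in the zone (safe to keep here).
              dns = ''
                20200101._domainkey IN TXT ( "v=DKIM1; k=rsa; "
                  "p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA7EKzverbG+5JF+yFjH3MrxLyauiHyLqBbV/8LEMunoKXF8sqhBpQtAQXruLqsyUkxR/4CAyPMyzmcdrU43boMj9yFqLrg/kEz2RIvai9jXBqRoWRW1y7F0LbZmdtOTncuDSP8Zzo02XUzsOC4f/C3tEQHS5rc"
                  "hzfhU5FY1CeO6eBMV79qKBOvGMKahQTrrtU6olAAJxOhn6wRuwSf"
                  "+m3on1OqiuXYYIgNHKdRhJ8gDwIm/3LEpYMD0gTgJiyclCLoLGHGtKZy1Wf9xV9/7V6fHE4JW5SDivwslVTL+KPXOlIpo5NDHpMxPYOcIg2K4Rj/j7jhavo+fG43q1LhwaPkEMQMbplgnjeMY8300odRiklTkMMpH0m35ZNeHQJSRpEtV8y5xUNxVaGzfqX5iStwV/mQ1Kn"
                  "ZSe8ORTNq+eTTFnDk6zdUXjagcf0wO6QsSTeAz/G8CqOBbwmrU+q"
                  "F8WbGAeRnhz51mH6fTTfsQ1nwjAiF4ou+eQGTkTMN23KkCKpuozJnxqx4DCEr6J1bL83fhXw7CgcfgKgTOk/HFJpeiGhqodw18r4DWBA6G57z9utm7Mr/9SoVnMq6iK9iEcbCllLR8Sz4viatLSRzhodbk7hfvXS3jmCFjILAjFmA7aMTemDMBDQhpAGF9F8sjFUbEJIZjK"
                  "rWWtSTdO8DilDqN8CAwEAAQ=="
                );
              '';
            };
          };
        };
      };
    };

    locals =
      let
        # "<domain> <selector>" per line, consumed by rspamd's selector_map.
        selector_map_file =
          pkgs.writeText "dkim_selectors.map"
            (unlinesAttrs
              (domain: dom: "${domain} ${dom.selector}")
              rspamd.dkim.domains);
        # Shared by dkim_signing and arc so the two cannot drift apart.
        # rspamd expands $domain and $selector in `path`.
        # NOTE(review): the keys above are deployed to /var/lib/rspamd/dkim/
        # under the name dkim.<domain>.<selector> (no ".key" suffix), while
        # this path reads /run/keys/rspamd/dkim.$domain.$selector.key —
        # confirm the two agree (the dkim module may relocate the keys) or
        # signing will not find the private key.
        # allow_username_mismatch: sign even when the authenticated SMTP
        # username does not match the From: domain — presumably intended for
        # users submitting mail for several domains; verify.
        signing_config = ''
          selector_map = ${selector_map_file};
          path = "/run/keys/rspamd/dkim.$domain.$selector.key";
          allow_username_mismatch = true;
        '';
      in {
        "dkim_signing.conf".text = signing_config;
        "arc.conf".text = signing_config;
        /*
        "logging.conf".text = ''
          debug_modules = ["dkim_signing"]
        '';
        */
      };

    overrides = {
      "milter_headers.conf".text = ''
        extended_spam_headers = true;
      '';
      "actions.conf".text = ''
        reject = 15; # Reject when reaching this score
        add_header = 6; # Add header when reaching this score
        greylist = 4; # Apply greylisting when reaching this score (will emit `soft reject action`)
      '';
    };

    workers = {
      normal = {
        /*
        includes = [ "$CONFDIR/worker-normal.inc" ];
        bindSockets = [{
          socket = "/run/rspamd/rspamd.sock";
          mode = "0660";
          owner = "${cfg.user}";
          group = "${cfg.group}";
        }];
        */
      };
      controller = {
        #includes = [ "$CONFDIR/worker-controller.inc" ];
        # The controller serves the admin web UI and API; keep it bound to
        # the loopback interface only (reach it through an SSH tunnel if
        # needed) rather than on every address.
        bindSockets = [ "localhost:11334" ];
        # NOTE(review): the hashed password is interpolated into a Nix
        # string, so it will likely end up in the world-readable Nix store
        # with the generated config; it is a hash (rspamadm pw), not the
        # cleartext — confirm that is acceptable.
        extraConfig = ''
          #count = 1;
          #static_dir = "''${WWWDIR}";
          # USE: rspamadm pw
          password = "${pass-chomp "servers/mermet/rspamd/controller/hashedPassword"}";
        '';
      };
    };
  };

  /*
  services.postfix.extraConfig = ''
    smtpd_milters = unix:/run/rspamd.sock
    milter_default_action = accept
  '';
  # Allow users to run 'rspamc' and 'rspamadm'.
  environment.systemPackages = [ pkgs.rspamd ];
  */

  /*
  services.redis = {
    enable = true;
  };
  */
}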