# NixOS module for an rspamd mail filter. `inputs` and `hostName` are used further down
# to locate this host's encrypted credential file.
1 { pkgs, lib, config, inputs, hostName, ... }:
# Local aliases for the service configurations this module reads from.
4 inherit (config.services) postfix rspamd dovecot2;
# The Redis instance reserved for rspamd (configured below as services.redis.servers.rspamd).
5 redis = config.services.redis.servers.rspamd;
6 inherit (config.users) users groups;
# Per-domain rspamd settings kept in sibling files (presumably entries of an `imports`
# list; the enclosing lines are not shown in this listing).
10 rspamd/autogeree.net.nix
11 rspamd/sourcephile.fr.nix
# Extra option declared under services.rspamd: the domain -> DKIM selector map that is
# interpolated as `selector_map` in the signing configuration below.
14 services.rspamd.dkimSelectorMap = lib.mkOption {
17 description = ''Each line maps a domain to its active DKIM selector'';
# `apply` writes the option's text to a store file named dkim_selectors.map, so reading the
# option yields a path. The Nix store is world-readable; that is fine for selectors (they are
# published in DNS), but private keys must never be passed through an option like this one.
18 apply = s: pkgs.writeText "dkim_selectors.map" s;
# Put the rspamd service user in the redis-rspamd group (presumably the group that owns the
# Redis unix socket; the socket's mode is not visible in these lines).
22 users.groups.redis-rspamd.members = [ rspamd.user ];
# Presumably inside `services.rspamd`: the right-hand side is the `postfix` alias inherited from
# config.services, so rspamd's Postfix integration follows whether Postfix itself is enabled.
26 postfix.enable = postfix.enable;
# DKIM signing: the selector is looked up per domain in the generated map and the private key is
# read from rspamd.service's systemd credentials directory rather than from the Nix store (how
# the key credentials are provisioned is not shown in these lines). The same three settings
# repeat below for a second module whose header line is elided (presumably ARC).
# NOTE(review): allow_username_mismatch = true lets rspamd sign mail even when the authenticated
# user's domain differs from the signing domain. Confirm that Postfix restricts which sender
# addresses each login may use; otherwise any authenticated user can obtain a valid signature
# for another hosted domain.
28 "dkim_signing.conf".text = ''
29 selector_map = ${rspamd.dkimSelectorMap};
30 path = "/run/credentials/rspamd.service/$domain.$selector.key";
31 allow_username_mismatch = true;
34 selector_map = ${rspamd.dkimSelectorMap};
35 path = "/run/credentials/rspamd.service/$domain.$selector.key";
36 allow_username_mismatch = true;
# Point rspamd's Redis-backed modules at the dedicated instance's unix socket.
38 "redis.conf".text = ''
39 servers = "${redis.unixSocket}";
# Bayes classifier: users_enabled = false keeps one shared statistics set instead of per-user
# tokens; the `servers` line presumably stores it in the same Redis instance.
42 "classifier-bayes.conf".text = ''
43 users_enabled = false;
45 servers = "${redis.unixSocket}";
64 debug_modules = [“dkim_signing”]
# NOTE(review): the debug_modules line above is printed with typographic quotes. If they are in
# the file itself and not an artifact of how this listing was rendered, the module name is not a
# plain quoted string and should use ASCII quotes. Also confirm the setting is meant to stay
# enabled: debug logging for the signing module is verbose.
# Ask rspamd to add its extended spam headers to delivered mail. These expose scoring detail
# to recipients, which is presumably intended here.
69 "milter_headers.conf".text = ''
70 extended_spam_headers = true;
# Score thresholds, mildest to harshest: greylist at 4, add a spam header at 6, reject at 15.
72 "actions.conf".text = ''
73 reject = 15; # Reject when reaching this score
74 add_header = 6; # Add header when reaching this score
75 greylist = 4; # Apply greylisting when reaching this score (will emit `soft reject action`)
# NOTE(review): with no password, the only access control on this worker is the filesystem
# permissions of its socket. The socket mode is not visible in these lines; confirm it is
# restrictive (e.g. 0660) so that only the rspamd user and the dovecot2 group can submit
# learn requests, since anyone who can write to it can train the Bayes classifier.
80 # Like controller but without a password, only the bindSockets' permissions
82 includes = [ "$CONFDIR/worker-controller.inc" ];
# Unix socket owned by the rspamd user with Dovecot's group, presumably so that Dovecot
# (e.g. spam/ham learn scripts) can reach it without a shared secret.
85 socket = "/run/rspamd/learner.sock";
87 owner = "${rspamd.user}";
88 group = "${dovecot2.group}";
# Regular controller worker: the stock include plus a second include delivered as a systemd
# credential (presumably holding the controller password, so it never lands in the Nix store).
96 "$CONFDIR/worker-controller.inc"
97 "/run/credentials/rspamd.service/controller.inc"
104 #static_dir = "''${WWWDIR}";
# Hand the controller include to rspamd as an encrypted systemd credential: systemd decrypts
# the .cred file when the service starts and exposes the plaintext only to this unit, at
# /run/credentials/rspamd.service/controller.inc.
# NOTE(review): the .cred file is referenced through inputs.self, so its ciphertext is copied
# into the world-readable Nix store. That is acceptable only because the file is encrypted
# (presumably with systemd-creds against this host's key); never point this at plaintext.
109 systemd.services.rspamd = {
111 LoadCredentialEncrypted = [
112 "controller.inc:${inputs.self}/hosts/${hostName}/rspamd/controller.inc.cred"
# Dedicated dataset (presumably ZFS, given the sanoid entry below) mounted for rspamd's Redis
# data; the filesystem type and mount options are not shown.
117 fileSystems."/var/lib/redis-rspamd" = {
118 device = "rpool/var/redis-rspamd";
# Snapshot that dataset with sanoid, using the "snap" template defined elsewhere.
121 services.sanoid.datasets."rpool/var/redis-rspamd" = {
122 use_template = [ "snap" ];
# Enable memory overcommit, as Redis recommends, so background saves can fork reliably.
127 services.redis.vmOverCommit = true;
# Redis instance used only by rspamd.
128 services.redis.servers.rspamd = {
# RDB snapshot schedule: save after 1800 s if at least 100 keys changed, or after 300 s if at
# least 1000 keys changed.
132 save = [ [ 1800 100 ] [ 300 1000 ] ];
# NOTE(review): with unixSocketPerm commented out, the module default applies. rspamd reaches
# Redis through membership of the redis-rspamd group, so confirm the effective socket mode
# grants group access and nothing to other local users.
133 #unixSocketPerm = "660";
# Under memory pressure, evict only keys that have an expiry, shortest TTL first; keys without
# a TTL are never evicted.
136 maxmemory-policy = "volatile-ttl";
# Attach Postfix's SMTP daemon to rspamd's milter socket.
# NOTE(review): milter_default_action = accept is fail-open. If rspamd is down or times out,
# mail is accepted unscanned, and outbound mail presumably leaves without a DKIM signature.
# Use `tempfail` if unscanned delivery is not acceptable, and alert on rspamd being
# unavailable in either case.
140 services.postfix.extraConfig = ''
141 smtpd_milters = unix:/run/rspamd.sock
142 milter_default_action = accept
144 # Allow users to run 'rspamc' and 'rspamadm'.
# Installing the package only puts the client tools on PATH; what a user can actually do with
# them still depends on the controller socket's permissions and password.
145 environment.systemPackages = [ pkgs.rspamd ];