# NixOS module: rspamd for this host (spam scoring, DKIM/ARC signing,
# Bayes learning) backed by a dedicated redis instance.  Secrets are
# provided by this repository's security.gnupg.secrets module and by the
# /run/keys tree; per-domain DKIM material comes from the imported files.
{ pkgs, lib, config, ... }:
let
  # NOTE: attrNames, listToAttrs, readFile, unlinesAttrs, users and groups
  # are not referenced anywhere in this file (let-bindings do not reach the
  # imported modules either); they look like leftovers.
  inherit (builtins) attrNames listToAttrs readFile;
  inherit (lib) types;
  inherit (pkgs.lib) unlinesAttrs;
  inherit (config.security) gnupg;
  inherit (config.services) postfix rspamd dovecot2;
  # The redis server dedicated to rspamd (declared further down); its
  # unixSocket is what the rspamd locals below point at.
  redis = config.services.redis.servers.rspamd;
  inherit (config.users) users groups;
in
{
  # Per-domain DKIM selectors/keys are declared in these files.
  imports = [
    rspamd/autogeree.net.nix
    rspamd/sourcephile.fr.nix
  ];
  options = {
    # One "domain selector" line per signed domain.  `apply` turns the
    # collected lines into a store file so dkim_signing.conf and arc.conf
    # below can interpolate its path directly.
    services.rspamd.dkimSelectorMap = lib.mkOption {
      type = types.lines;
      default = "";
      description = ''Each line maps a domain to its active DKIM selector'';
      apply = s: pkgs.writeText "dkim_selectors.map" s;
    };
  };
  config = {
    # rspamd's user must be able to open the redis unix socket ...
    users.groups.redis-rspamd.members = [ rspamd.user ];
    # ... and to read the DKIM keys deployed under /run/keys.
    # NOTE(review): membership in `keys` presumably grants read access to
    # every group-readable secret under /run/keys, not only the DKIM keys —
    # confirm nothing else on this host is deployed there that rspamd
    # should not see.
    users.groups.keys.members = [ rspamd.user ];
    services.rspamd = {
      enable = true;
      debug = false;
      # Hook into postfix as a milter only when postfix itself is enabled.
      postfix.enable = postfix.enable;
      # `locals` are rspamd's local.d/ fragments (merged with the defaults).
      locals = {
        "dkim_signing.conf".text = ''
          selector_map = ${rspamd.dkimSelectorMap};
          path = "/run/keys/gnupg/rspamd/dkim/$domain/$selector.key/file";
          allow_username_mismatch = true;
        '';
        # $domain and $selector in `path` are expanded by rspamd from the
        # message's domain and the selector map; the trailing `/file` is
        # presumably how the gnupg secrets module lays out each secret —
        # keep this in sync with the imported per-domain files.
        # NOTE(review): allow_username_mismatch relaxes rspamd's check that
        # the authenticated sender matches the From domain, so any
        # authenticated user can obtain a signature for any domain listed
        # in the selector map — confirm this is intended for this host.
        #
        # ARC signing uses the very same keys and relaxation as DKIM.
        "arc.conf".text = ''
          selector_map = ${rspamd.dkimSelectorMap};
          path = "/run/keys/gnupg/rspamd/dkim/$domain/$selector.key/file";
          allow_username_mismatch = true;
        '';
        # Default redis connection for every rspamd module: the dedicated
        # instance's unix socket, logical database 1.
        "redis.conf".text = ''
          servers = "${redis.unixSocket}";
          db = "1";
        '';
        # Bayes classifier: a single (non per-user) statistic stored in the
        # same redis server/database, with autolearning and a 86400 s
        # (one day) token expiry.
        "classifier-bayes.conf".text = ''
          users_enabled = false;
          backend = "redis";
          servers = "${redis.unixSocket}";
          database = "1";
          autolearn = true;
          cache {
            backend = "redis";
          }
          new_schema = true;
          expire = 86400;
          statfile {
            BAYES_HAM {
              spam = false;
            }
            BAYES_SPAM {
              spam = true;
            }
          }
        '';
        # Disabled: per-module debug logging for DKIM signing troubleshooting.
        /*
        "logging.conf".text = ''
          debug_modules = ["dkim_signing"]
        '';
        */
      };
      # `overrides` are rspamd's override.d/ fragments (replace the defaults).
      overrides = {
        # Adds rspamd's extended result headers (X-Spamd-Result family) to
        # delivered mail; note this exposes the scoring details to recipients.
        "milter_headers.conf".text = ''
          extended_spam_headers = true;
        '';
        # Action thresholds, from most to least severe (reject > add_header
        # > greylist); the comments inside are part of the emitted config.
        "actions.conf".text = ''
          reject = 15; # Reject when reaching this score
          add_header = 6; # Add header when reaching this score
          greylist = 4; # Apply greylisting when reaching this score (will emit `soft reject action`)
        '';
      };
      workers = {
        learner = {
          # Like controller but without a password, only the bindSockets' permissions
          # NOTE(review): because there is no password, every process able
          # to open the socket (rspamd's user and the dovecot group, mode
          # 0660) gets full controller access (learning, stats, ...); the
          # socket's owner/group/mode are the whole access control here.
          # Presumably consumed by dovecot's spam/ham learning hooks — see
          # the dovecot configuration.
          type = "controller";
          includes = [ "$CONFDIR/worker-controller.inc" ];
          bindSockets = [
            { socket = "/run/rspamd/learner.sock";
              mode = "0660";
              owner = "${rspamd.user}";
              group = "${dovecot2.group}";
            }
          ];
          extraConfig = ''
          '';
        };
        controller = {
          # Password-protected controller (web UI/API), loopback only.  The
          # second include is the deployed secret file, which already holds a
          # complete `password = "...";` statement (see the `pipe` below).
          includes = [
            "$CONFDIR/worker-controller.inc"
            gnupg.secrets."rspamd/controller/hashedPassword".path
          ];
          bindSockets = [
            "127.0.0.1:11334"
          ];
          # `''${WWWDIR}` is an escape producing a literal ${WWWDIR} for rspamd;
          # both lines are currently commented out in the emitted config.
          extraConfig = ''
            #count = 1;
            #static_dir = "''${WWWDIR}";
          '';
        };
      };
    };
    security.gnupg.secrets."rspamd/controller/hashedPassword" = {
      # Generated with: rspamadm pw
      user = rspamd.user;
      # Wrap the stored hash into a UCL statement so the file can be
      # `include`d as-is by the controller worker; `\0` is GNU sed's
      # whole-match reference.
      pipe = ''${pkgs.gnused}/bin/sed -e 's/.*/password = "\0";/' '';
      # A (re)deployed password only takes effect after a restart;
      # `try-restart` leaves rspamd alone if it is not running yet (boot
      # ordering below) and `--no-block` keeps the secret unit from waiting
      # on rspamd.
      systemdConfig.postStart = "systemctl try-restart --no-block rspamd"; # rspamd does not support reloading so far
    };
    # Make sure the controller password file exists before rspamd starts.
    systemd.services.rspamd = {
      wants = [ gnupg.secrets."rspamd/controller/hashedPassword".service ];
      after = [ gnupg.secrets."rspamd/controller/hashedPassword".service ];
    };

    # The redis data directory lives on its own ZFS dataset ...
    fileSystems."/var/lib/redis-rspamd" = {
      device = "rpool/var/redis-rspamd";
      fsType = "zfs";
    };
    # ... snapshotted by sanoid: 7 dailies, no monthlies.
    services.sanoid.datasets."rpool/var/redis-rspamd" = {
      use_template = [ "snap" ];
      daily = 7;
      monthly = 0;
    };

    # Per the NixOS option, sets vm.overcommit_memory for redis's
    # fork-based background saves (host-wide sysctl, shared by all redis
    # servers on the machine).
    services.redis.vmOverCommit = true;
    services.redis.servers.rspamd = {
      enable = true;
      databases = 16;
      syslog = true;
      # Snapshot to disk after 1800 s with >= 100 changes or 300 s with
      # >= 1000 changes.
      save = [ [1800 100] [300 1000] ];
      # Socket permissions are left at the module default; access is
      # controlled via the redis-rspamd group membership above.
      #unixSocketPerm = "660";
      settings = {
        maxmemory = "64MB";
        # volatile-ttl only evicts keys that carry a TTL; the Bayes tokens
        # above (expire = 86400) are therefore the eviction candidates under
        # memory pressure — presumably intentional, worth keeping in mind
        # when tuning maxmemory.
        maxmemory-policy = "volatile-ttl";
      };
    };
    # Disabled: manual milter wiring (handled by services.rspamd.postfix
    # above) and the client tools in the system profile.
    /*
    services.postfix.extraConfig = ''
      smtpd_milters = unix:/run/rspamd.sock
      milter_default_action = accept
    '';
    # Allow users to run 'rspamc' and 'rspamadm'.
    environment.systemPackages = [ pkgs.rspamd ];
    */
  };
}