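{ pkgs, lib, config, ... }:
# rspamd on mermet: DKIM/ARC signing, a Redis-backed Bayes classifier, a
# password-less "learner" controller reachable only through a group-restricted
# unix socket, and a password-protected controller bound to loopback.
let
  inherit (lib) types;
  inherit (config.security) gnupg;
  inherit (config.services) postfix rspamd dovecot2 redis;
  inherit (config.users) users;

  # Private DKIM keys are read at runtime from the pass-secrets tmpfs, so no
  # key material ever lands in the world-readable Nix store.  `$domain` and
  # `$selector` are expanded by rspamd, not by Nix (no braces, so no Nix
  # interpolation).  Shared by dkim_signing and arc so both sign with the
  # same key.
  dkimKeyPath = "/run/pass-secrets/rspamd/dkim/$domain/$selector.key";

  # Redis database index shared by the generic redis backend and the Bayes
  # classifier so both entries stay in step.
  redisDb = "1";

  # Secret holding the controller password hash; declared under
  # `security.gnupg.secrets` below and consumed via `.path` and `.service`.
  controllerSecret = gnupg.secrets."rspamd/controller/hashedPassword";
in
{
  # One per-domain module under ./rspamd/<domain>.nix, each receiving its domain.
  imports = map (domain: import (./rspamd + "/${domain}.nix") { inherit domain; }) [
    "sourcephile.fr"
    "autogeree.net"
  ];

  options = {
    services.rspamd.dkimSelectorMap = lib.mkOption {
      type = types.lines;
      default = "";
      description = ''Each line maps a domain to its active DKIM selector'';
      # Materialised as a store file handed to rspamd's selector_map.  Only
      # selector names are written here (no key material), so a world-readable
      # store path is acceptable.
      apply = s: pkgs.writeText "dkim_selectors.map" s;
    };
  };

  config = {
    # rspamd talks to Redis over redis.unixSocket (see locals below); group
    # membership is presumably what grants access to that socket — TODO confirm.
    users.users."${rspamd.user}".extraGroups = [
      users.redis.group
    ];

    services.rspamd = {
      enable = true;
      debug = false;
      postfix.enable = postfix.enable;

      locals = {
        # DKIM and ARC share the selector map and the key path.
        # allow_username_mismatch lets signing proceed when the authenticated
        # username does not match the From domain.
        "dkim_signing.conf".text = ''
          selector_map = ${rspamd.dkimSelectorMap};
          path = "${dkimKeyPath}";
          allow_username_mismatch = true;
        '';
        "arc.conf".text = ''
          selector_map = ${rspamd.dkimSelectorMap};
          path = "${dkimKeyPath}";
          allow_username_mismatch = true;
        '';
        "redis.conf".text = ''
          servers = "${redis.unixSocket}";
          db = "${redisDb}";
        '';
        "classifier-bayes.conf".text = ''
          users_enabled = false;
          backend = "redis";
          servers = "${redis.unixSocket}";
          database = "${redisDb}";
          autolearn = true;
          cache {
            backend = "redis";
          }
          new_schema = true;
          statfile {
            BAYES_HAM {
              spam = false;
            }
            BAYES_SPAM {
              spam = true;
            }
          }
        '';
        # To trace DKIM signing, add the entry below (ASCII quotes, and like
        # the entries above the value must go under `.text`):
        #   "logging.conf".text = ''
        #     debug_modules = ["dkim_signing"];
        #   '';
      };

      overrides = {
        # Adds the extended X-Spamd-* result headers; recipients can then see
        # per-message scan details.
        "milter_headers.conf".text = ''
          extended_spam_headers = true;
        '';
        "actions.conf".text = ''
          reject = 15; # Reject when reaching this score
          add_header = 6; # Add header when reaching this score
          greylist = 4; # Apply greylisting when reaching this score (will emit `soft reject action`)
        '';
      };

      workers = {
        # Like controller but without a password: the only access control is
        # the socket's mode/owner/group below, so every member of dovecot's
        # group may train the Bayes classifier through it.
        learner = {
          type = "controller";
          includes = [ "$CONFDIR/worker-controller.inc" ];
          bindSockets = [
            { socket = "/run/rspamd/learner.sock";
              mode = "0660";
              owner = "${rspamd.user}";
              group = "${dovecot2.group}";
            }
          ];
          extraConfig = ''
          '';
        };
        controller = {
          # The `password = ...` stanza is included from the runtime secret
          # file instead of being interpolated into the (store-resident) config.
          includes = [
            "$CONFDIR/worker-controller.inc"
            controllerSecret.path
          ];
          # Loopback only; the controller is never exposed on a public interface.
          bindSockets = [
            "127.0.0.1:11334"
          ];
          extraConfig = ''
            #count = 1;
            #static_dir = "''${WWWDIR}";
          '';
        };
      };
    };

    # Hash generated with: rspamadm pw.  The pipe wraps it into the
    # `password = "...";` line the controller include expects.  Nix indented
    # strings do not process backslashes, so sed receives `\0` (whole match).
    security.gnupg.secrets."rspamd/controller/hashedPassword" = {
      user = rspamd.user;
      pipe = ''${pkgs.gnused}/bin/sed -e 's/.*/password = "\0";/' '';
      postStart = "systemctl try-restart --no-block rspamd"; # rspamd does not support reloading so far
    };

    # The secret must be materialised before rspamd reads its includes.
    systemd.services.rspamd = {
      wants = [ controllerSecret.service ];
      after = [ controllerSecret.service ];
    };

    /*
    services.postfix.extraConfig = ''
      smtpd_milters = unix:/run/rspamd.sock
      milter_default_action = accept
    '';
    # Allow users to run 'rspamc' and 'rspamadm'.
    environment.systemPackages = [ pkgs.rspamd ];
    */
  };
}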