rspamd: brittle install
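# NixOS module: rspamd (the local `rspamd-upstream` service) with DKIM/ARC
# signing keys pulled from the `pass` store at deploy time via NixOps
# `deployment.keys`.
#
# For every signed domain, `services.dkim.domains.<domain>.selector` names
# the selector in use.  The matching private key is read from `pass`,
# shipped to /run/keys/ and copied into /var/lib/rspamd/dkim/ before rspamd
# starts; rspamd then picks it up through `dkim_signing.conf` / `arc.conf`
# using a generated selector map.
{pkgs, lib, config, ...}:
let inherit (builtins) attrNames;
    inherit (builtins.extraBuiltins) pass;
    inherit (lib) types;
    inherit (pkgs.lib) unlinesAttrs;
    inherit (config) networking;
    inherit (config.services) rspamd-upstream dkim;
/*
localConfig = pkgs.writeText "local.conf" ''
  classifier "bayes" {
    autolearn = true;
  }
  dkim_signing {
    path = "/var/lib/rspamd/dkim/$domain.$selector.key";
    selector = "default";
    allow_username_mismatch = true;
  }
  arc {
    path = "/var/lib/rspamd/dkim/$domain.$selector.key";
    selector = "default";
    allow_username_mismatch = true;
  }
  milter_headers {
    use = ["authentication-results", "x-spam-status"];
    authenticated_headers = ["authentication-results"];
  }
  replies {
    action = "no action";
  }
  url_reputation {
    enabled = true;
  }
  phishing {
    openphish_enabled = true;
    phishtank_enabled = true;
  }
'';
*/
in
{
  # Declarative description of the DKIM keys: which selector is current per
  # domain, and which selectors (key + DNS record) exist at all.  Only
  # `selector` is consumed by this module; `selectors` is kept for the DNS
  # side of the deployment.
  options.services.dkim = lib.mkOption {
    default = {};
    type = types.submodule {
      options = {
        domains = lib.mkOption {
          default = {};
          type = types.attrsOf (types.submodule {
            options = {
              selector = lib.mkOption {
                type = types.str;
                description = ''Current selector.'';
              };
              selectors = lib.mkOption {
                default = {};
                description = ''Available selectors.'';
                type = types.attrsOf (types.submodule {
                  options = {
                    key = lib.mkOption {
                      type = types.str;
                      description = ''Private key.'';
                    };
                    dns = lib.mkOption {
                      type = types.str;
                      description = ''DNS record.'';
                    };
                  };
                });
              };
            };
          });
        };
      };
    };
  };
  config = {
    # One NixOps key per signed domain, named after that domain's current
    # selector.  NOTE: the `pass` lookup is keyed by selector only (the domain
    # is not part of the path), so every domain sharing a selector name also
    # shares the same private key material.
    deployment.keys = builtins.listToAttrs (map
      (domain:
        let selector = dkim.domains."${domain}".selector; in
        { name = "dkim.${domain}.${selector}.key";
          value = {
            text = pass "${networking.domainBase}/dkim/${selector}/key" + "\n";
            #destDir = "${redmine.stateDir}/.ssh";
            #path = "${redmine.stateDir}/.ssh/id_ed25519";
            user = rspamd-upstream.user;
            group = rspamd-upstream.group;
            # XXX: not enforced when deployment.storeKeysOnMachine = true;
            # the preStart below re-applies owner and 0400 with install(1).
            permissions = "0400";
          };
        })
      ([ networking.domain ] ++ networking.domainAliases));

    systemd.services.rspamd-upstream = {
      path = [
        pkgs.coreutils
      ];
      # Keys under /run/keys/ are only available once keys.target is
      # reached: `after` orders the service behind it, `wants` pulls the
      # target in so the ordering is not a no-op.
      after = [ "keys.target" ];
      wants = [ "keys.target" ];
      # Copy every current key into rspamd's state directory with owner,
      # group and mode pinned, independently of how the key was delivered.
      preStart = unlinesAttrs (domain: dom: ''
        install -D -o ${rspamd-upstream.user} -g ${rspamd-upstream.group} -m 0400 \
          /run/keys/dkim.${domain}.${dom.selector}.key \
          /var/lib/rspamd/dkim/${domain}.${dom.selector}.key
      '') dkim.domains;
    };

    services.rspamd-upstream = {
      enable = true;
      debug = false;
      postfix = {
        enable = true;
      };
      locals =
        # `selector_map` is a "domain selector" line per signed domain; rspamd
        # then resolves `$domain.$selector.key` against the path below.
        let selector_map_file =
          pkgs.writeText "dkim_selectors.map"
            (unlinesAttrs
              (domain: dom: "${domain} ${dom.selector}")
              dkim.domains); in {
        "dkim_signing.conf".text = ''
          path = "/var/lib/rspamd/dkim/$domain.$selector.key";
          selector_map = ${selector_map_file};
          allow_username_mismatch = true;
        '';
        "arc.conf".text = ''
          path = "/var/lib/rspamd/dkim/$domain.$selector.key";
          selector_map = ${selector_map_file};
          allow_username_mismatch = true;
        '';
        /*
        "logging.conf" = ''
          debug_modules = ["dkim_signing"]
        '';
        */
      };
      overrides = {
        "milter_headers.conf".text = ''
          extended_spam_headers = true;
        '';
        "actions.conf".text = ''
          actions {
            reject = 15; # Reject when reaching this score
            add_header = 6; # Add header when reaching this score
            greylist = 4; # Apply greylisting when reaching this score (will emit `soft reject action`)
          }
        '';
      };
      workers = {
        normal = {
          /*
          includes = [ "$CONFDIR/worker-normal.inc" ];
          bindSockets = [{
            socket = "/run/rspamd/rspamd.sock";
            mode = "0660";
            owner = "${cfg.user}";
            group = "${cfg.group}";
          }];
          */
        };
        controller = {
          #includes = [ "$CONFDIR/worker-controller.inc" ];
          # The controller is the management API / web UI and is guarded by
          # the password hash alone, so it stays on the loopback interface;
          # reach it through an SSH tunnel or a local reverse proxy.
          bindSockets = [ "localhost:11334" ];
          extraConfig = ''
            #count = 1;
            #static_dir = "''${WWWDIR}";
            # USE: rspamadm pw
            password = "$2$fy8padyutwigfchjbye88h7i4exwx9gw$m3ohkqu9fartjkjz5oeok5xwxamwime63998awryxdt8dt431eoy";
          '';
        };
      };
    };
    /*
    services.rspamd-upstream = {
      enable = true;
      # FIXME: the order of sockets is messed up
      socketActivation = false;
      extraConfig = ''
        .include(priority=1,duplicate=merge) "${localConfig}"
      '';

      workers.controller = {
        extraConfig = ''
          count = 1;
          static_dir = "''${WWWDIR}";
          password = "$2$cifyu958qabanmtjyofmf5981posxie7$dz3taiiumir9ew5ordg8n1ia3eb73y1t55kzc9qsjdq1n8esmqqb";
          enable_password = "$2$cifyu958qabanmtjyofmf5981posxie7$dz3taiiumir9ew5ordg8n1ia3eb73y1t55kzc9qsjdq1n8esmqqb";
        '';
      };

      workers.rspamd_proxy = {
        type = "proxy";
        extraConfig = ''
          milter = yes; # Enable milter mode
          timeout = 120s; # Needed for Milter usually
          upstream "local" {
            default = yes;
            self_scan = yes;
          }
          count = 1; # Do not spawn too many processes of this type
        '';
        bindSockets = [{
          socket = "/run/rspamd.sock";
          mode = "0666";
          owner = "rspamd";
          group = "rspamd";
        }];
      };
    };
    */

    /*
    services.postfix.extraConfig = ''
      smtpd_milters = unix:/run/rspamd.sock
      milter_default_action = accept
    '';
    # Allow users to run 'rspamc' and 'rspamadm'.
    environment.systemPackages = [ pkgs.rspamd ];
    */

    /*
    services.redis = {
      enable = true;
    };
    */
  };
}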