]> Git — Sourcephile - sourcephile-nix.git/blob - servers/mermet/rspamd.nix
# NixOS module configuring rspamd on this host: DKIM/ARC signing driven by a
# per-domain selector map, Redis-backed Bayes statistics, action thresholds,
# and two controller-type workers (a password-protected one on loopback and a
# socket-permission-protected "learner").
{ pkgs, lib, config, ... }:
let
  inherit (builtins) attrNames listToAttrs readFile;
  # Helpers supplied through extraBuiltins; presumably they read entries from
  # the `pass` password store while the configuration is evaluated — confirm.
  inherit (builtins.extraBuiltins) pass pass-chomp;
  inherit (lib) types;
  inherit (pkgs.lib) unlinesAttrs;
  inherit (config.services) postfix rspamd dovecot2 redis;
  inherit (config.users) users;

  # Settings shared verbatim by dkim_signing.conf and arc.conf.
  # $domain and $selector are left literal for rspamd to expand; only the
  # selector map path is substituted by Nix.
  # NOTE(review): allow_username_mismatch = true relaxes the check tying the
  # authenticated username to the signed domain, so any authenticated sender
  # may obtain a signature for any domain present in the selector map —
  # confirm this is intended for every hosted domain.
  signingSettings = ''
    selector_map = ${rspamd.dkimSelectorMap};
    path = "/run/keys/dkim.$domain.$selector.key";
    allow_username_mismatch = true;
  '';
in
{
  # One sub-module per hosted mail domain, loaded from ./rspamd/<domain>.nix
  # and handed the domain name as its argument.
  imports = map (name: import (./rspamd + "/${name}.nix") { domain = name; }) [
    "sourcephile.fr"
    "autogeree.net"
  ];

  options = {
    services.rspamd.dkimSelectorMap = lib.mkOption {
      type = types.lines;
      default = "";
      description = ''Each line maps a domain to its active DKIM selector'';
      # The merged lines are written to a file; consumers of this option see
      # the resulting path rather than the text.
      apply = text: pkgs.writeText "dkim_selectors.map" text;
    };
  };

  config = {
    # Supplementary groups for the rspamd user: "keys" (the signing keys are
    # looked up under /run/keys) and the Redis group (the Redis unix socket is
    # used below).
    # NOTE(review): membership in "keys" presumably exposes every
    # group-readable key under /run/keys, not only the DKIM ones — verify the
    # modes of the other keys deployed there.
    users.users.${rspamd.user}.extraGroups = [
      "keys"
      users.redis.group
    ];

    services.rspamd = {
      enable = true;
      debug = false;
      # Right-hand side is config.services.postfix.enable (from the `let`),
      # so the rspamd/postfix integration follows whether postfix is enabled.
      postfix.enable = postfix.enable;

      locals = {
        "dkim_signing.conf".text = signingSettings;
        "arc.conf".text = signingSettings;

        # Redis is reached over its unix socket, database 1.
        "redis.conf".text = ''
          servers = "${redis.unixSocket}";
          db = "1";
        '';

        # Bayes classifier stored in the same Redis database; per-user
        # statistics are turned off.
        # NOTE(review): autolearn = true trains the classifier from scanned
        # traffic without human confirmation; monitor BAYES_* results for
        # drift if senders can influence what gets learned.
        "classifier-bayes.conf".text = ''
          users_enabled = false;
          backend = "redis";
          servers = "${redis.unixSocket}";
          database = "1";
          autolearn = true;
          cache {
            backend = "redis";
          }
          new_schema = true;
          statfile {
            BAYES_HAM {
              spam = false;
            }
            BAYES_SPAM {
              spam = true;
            }
          }
        '';

        # Disabled debug logging for the DKIM signing module.
        # NOTE(review): before re-enabling, replace the typographic quotes
        # around dkim_signing with plain ASCII quotes, and note that the other
        # entries in this set assign to `.text`.
        /*
        "logging.conf" = ''
          debug_modules = [“dkim_signing”]
        '';
        */
      };

      overrides = {
        "milter_headers.conf".text = ''
          extended_spam_headers = true;
        '';
        # Score thresholds for the three actions configured here.
        "actions.conf".text = ''
          reject = 15; # Reject when reaching this score
          add_header = 6; # Add header when reaching this score
          greylist = 4; # Apply greylisting when reaching this score (will emit `soft reject action`)
        '';
      };

      workers = {
        # Controller-type worker with no password set here: the only access
        # control is the unix socket itself (mode 0660, owned by the rspamd
        # user, group = dovecot2's group). Every process running in that group
        # can therefore use this socket, so keep the group membership minimal.
        learner = {
          type = "controller";
          includes = [ "$CONFDIR/worker-controller.inc" ];
          bindSockets = [
            {
              socket = "/run/rspamd/learner.sock";
              mode = "0660";
              owner = rspamd.user;
              group = dovecot2.group;
            }
          ];
          extraConfig = "";
        };

        # Password-protected controller, bound to loopback only.
        # NOTE(review): the included worker-controller.inc is not visible
        # here; if it lists loopback addresses under secure_ip, clients
        # connecting from 127.0.0.1 are trusted without the password — verify.
        # NOTE(review): the value returned by pass-chomp is interpolated into
        # the generated worker configuration, which presumably ends up in the
        # world-readable Nix store; keep it a hash produced by `rspamadm pw`,
        # never a plaintext password, and confirm that exposing the hash to
        # local users is acceptable.
        controller = {
          includes = [ "$CONFDIR/worker-controller.inc" ];
          bindSockets = [
            "127.0.0.1:11334"
          ];
          extraConfig = ''
            #count = 1;
            #static_dir = "''${WWWDIR}";
            # USE: rspamadm pw
            password = "${pass-chomp "servers/mermet/rspamd/controller/hashedPassword"}";
          '';
        };
      };
    };

    # Disabled manual postfix/milter wiring.
    # NOTE(review): milter_default_action = accept is fail-open — if enabled,
    # mail would be accepted unscanned whenever the milter is unreachable.
    /*
    services.postfix.extraConfig = ''
      smtpd_milters = unix:/run/rspamd.sock
      milter_default_action = accept
    '';
    # Allow users to run 'rspamc' and 'rspamadm'.
    environment.systemPackages = [ pkgs.rspamd ];
    */
  };
}