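# NixOS module configuring rspamd on this server: DKIM/ARC signing,
# score thresholds, a password-less learner socket, and a
# password-protected controller bound to loopback.
{ pkgs, lib, config, ... }:
let
  inherit (builtins.extraBuiltins) pass-chomp;
  inherit (lib) types;
  inherit (config.services) postfix rspamd dovecot2;

  # Settings shared verbatim by the dkim_signing and arc modules, so both
  # always pick the same selector and private key for a given domain.
  #
  # allow_username_mismatch = true: the setting name indicates that signing
  # does not require the authenticated username to match the sender domain.
  # NOTE(review): if so, restricting which authenticated user may send as
  # which domain has to be enforced elsewhere (e.g. in the MTA) -- confirm
  # that such a restriction exists before relying on these signatures.
  signingConf = ''
    selector_map = ${rspamd.dkimSelectorMap};
    path = "/run/keys/dkim.$domain.$selector.key";
    allow_username_mismatch = true;
  '';
in
{
  imports = [
    rspamd/sourcephile.fr.nix
    rspamd/autogeree.net.nix
  ];

  options = {
    # Per-domain modules append their "domain selector" lines here; `apply`
    # turns the merged text into a store file that the signing configuration
    # references by path.
    services.rspamd.dkimSelectorMap = lib.mkOption {
      type = types.lines;
      default = "";
      description = ''Each line maps a domain to its active DKIM selector'';
      apply = s: pkgs.writeText "dkim_selectors.map" s;
    };
  };

  config = {
    # The DKIM private keys are read from /run/keys (see signingConf), so the
    # rspamd user is added to the "keys" group.
    # NOTE(review): this presumably grants read access to every group-readable
    # key under /run/keys, not only the DKIM ones -- confirm the per-key
    # ownership and mode.
    users.users.${rspamd.user}.extraGroups = [ "keys" ];

    services.rspamd = {
      enable = true;
      debug = false;
      postfix.enable = postfix.enable;

      locals = {
        "dkim_signing.conf".text = signingConf;
        "arc.conf".text = signingConf;
        /*
        "logging.conf".text = ''
          debug_modules = ["dkim_signing"]
        '';
        */
      };

      overrides = {
        "milter_headers.conf".text = ''
          extended_spam_headers = true;
        '';
        "actions.conf".text = ''
          reject = 15; # Reject when reaching this score
          add_header = 6; # Add header when reaching this score
          greylist = 4; # Apply greylisting when reaching this score (will emit `soft reject action`)
        '';
      };

      workers = {
        learner = {
          # Like controller but without a password, only the bindSockets' permissions
          #
          # The socket mode (0660, owner rspamd, group dovecot2) is therefore
          # the only access control on this worker: every process running as
          # the rspamd user or in the dovecot2 group can use it.
          type = "controller";
          includes = [ "$CONFDIR/worker-controller.inc" ];
          bindSockets = [
            {
              socket = "/run/rspamd/learner.sock";
              mode = "0660";
              owner = rspamd.user;
              group = dovecot2.group;
            }
          ];
          extraConfig = ''
          '';
        };

        controller = {
          includes = [ "$CONFDIR/worker-controller.inc" ];
          # Loopback only: not reachable from the network, but reachable by
          # every local user, so the password below is the access control.
          # NOTE(review): check whether the included worker-controller.inc
          # sets secure_ip for loopback addresses; if it does, local clients
          # would bypass the password -- confirm.
          bindSockets = [
            "127.0.0.1:11334"
          ];
          # The hash is fetched with pass-chomp while the configuration is
          # evaluated and interpolated into the configuration text.
          # NOTE(review): if that text ends up in the Nix store, the hash is
          # readable by every local user and open to offline guessing;
          # consider including it from a file under /run/keys instead.
          extraConfig = ''
            #count = 1;
            #static_dir = "''${WWWDIR}";
            # USE: rspamadm pw
            password = "${pass-chomp "servers/mermet/rspamd/controller/hashedPassword"}";
          '';
        };
      };
    };

    /*
    services.postfix.extraConfig = ''
      smtpd_milters = unix:/run/rspamd.sock
      milter_default_action = accept
    '';
    # Allow users to run 'rspamc' and 'rspamadm'.
    environment.systemPackages = [ pkgs.rspamd ];
    */

    /*
    services.redis = {
      enable = true;
    };
    */
  };
}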