]> Git — Sourcephile - sourcephile-nix.git/blob - servers/mermet/rspamd.nix
openldap: see if something can be upstreamed
[sourcephile-nix.git] / servers / mermet / rspamd.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (builtins) attrNames listToAttrs readFile;
4 inherit (builtins.extraBuiltins) pass pass-chomp;
5 inherit (lib) types;
6 inherit (pkgs.lib) unlinesAttrs;
7 inherit (config.services) postfix rspamd dovecot2;
8 in
9 {
10 imports = [
11 rspamd/sourcephile.fr.nix
12 ];
13 options = {
14 services.rspamd.dkimSelectorMap = lib.mkOption {
15 type = types.lines;
16 default = "";
17 description = ''Each line maps a domain to its active DKIM selector'';
18 apply = s: pkgs.writeText "dkim_selectors.map" s;
19 };
20 };
21 config = {
22 users.users."${rspamd.user}".extraGroups = [ "keys" ];
23 services.rspamd = {
24 enable = true;
25 debug = false;
26 postfix.enable = postfix.enable;
27 locals = {
28 "dkim_signing.conf".text = ''
29 selector_map = ${rspamd.dkimSelectorMap};
30 path = "/run/keys/dkim.$domain.$selector.key";
31 allow_username_mismatch = true;
32 '';
33 "arc.conf".text = ''
34 selector_map = ${rspamd.dkimSelectorMap};
35 path = "/run/keys/dkim.$domain.$selector.key";
36 allow_username_mismatch = true;
37 '';
38 /*
39 "logging.conf" = ''
40 debug_modules = [“dkim_signing”]
41 '';
42 */
43 };
44 overrides = {
45 "milter_headers.conf".text = ''
46 extended_spam_headers = true;
47 '';
48 "actions.conf".text = ''
49 reject = 15; # Reject when reaching this score
50 add_header = 6; # Add header when reaching this score
51 greylist = 4; # Apply greylisting when reaching this score (will emit `soft reject action`)
52 '';
53 };
54 workers = {
55 learner = {
56 # Like controller but without a password, only the bindSockets' permissions
57 type = "controller";
58 includes = [ "$CONFDIR/worker-controller.inc" ];
59 bindSockets = [
60 { socket = "/run/rspamd/learner.sock";
61 mode = "0660";
62 owner = "${rspamd.user}";
63 group = "${dovecot2.group}";
64 }
65 ];
66 extraConfig = ''
67 '';
68 };
69 controller = {
70 includes = [ "$CONFDIR/worker-controller.inc" ];
71 bindSockets = [
72 "127.0.0.1:11334"
73 ];
74 extraConfig = ''
75 #count = 1;
76 #static_dir = "''${WWWDIR}";
77 # USE: rspamadm pw
78 password = "${pass-chomp "servers/mermet/rspamd/controller/hashedPassword"}";
79 '';
80 };
81 };
82 };
83 /*
84 services.postfix.extraConfig = ''
85 smtpd_milters = unix:/run/rspamd.sock
86 milter_default_action = accept
87 '';
88 # Allow users to run 'rspamc' and 'rspamadm'.
89 environment.systemPackages = [ pkgs.rspamd ];
90 */
91
92 /*
93 services.redis = {
94 enable = true;
95 };
96 */
97 };
98 }