]> Git — Sourcephile - sourcephile-nix.git/blob - machines/mermet/rspamd.nix
sourcephile / git / sourcephile-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
mermet: update and fix security.gnupg
[sourcephile-nix.git] / machines / mermet / rspamd.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (builtins) attrNames listToAttrs readFile;
4 inherit (lib) types;
5 inherit (pkgs.lib) unlinesAttrs;
6 inherit (config.security) gnupg;
7 inherit (config.services) postfix rspamd dovecot2 redis;
8 inherit (config.users) users groups;
9 in
10 {
11 imports = [
12 rspamd/autogeree.net.nix
13 rspamd/sourcephile.fr.nix
14 ];
15 options = {
16 services.rspamd.dkimSelectorMap = lib.mkOption {
17 type = types.lines;
18 default = "";
19 description = ''Each line maps a domain to its active DKIM selector'';
20 apply = s: pkgs.writeText "dkim_selectors.map" s;
21 };
22 };
23 config = {
24 users.users."${rspamd.user}".extraGroups = [
25 users.redis.group
26 groups."keys".name
27 ];
28 services.rspamd = {
29 enable = true;
30 debug = false;
31 postfix.enable = postfix.enable;
32 locals = {
33 "dkim_signing.conf".text = ''
34 selector_map = ${rspamd.dkimSelectorMap};
35 path = "/run/keys/gnupg/rspamd/dkim/$domain/$selector.key";
36 allow_username_mismatch = true;
37 '';
38 "arc.conf".text = ''
39 selector_map = ${rspamd.dkimSelectorMap};
40 path = "/run/keys/gnupg/rspamd/dkim/$domain/$selector.key";
41 allow_username_mismatch = true;
42 '';
43 "redis.conf".text = ''
44 servers = "${redis.unixSocket}";
45 db = "1";
46 '';
47 "classifier-bayes.conf".text = ''
48 users_enabled = false;
49 backend = "redis";
50 servers = "${redis.unixSocket}";
51 database = "1";
52 autolearn = true;
53 cache {
54 backend = "redis";
55 }
56 new_schema = true;
57 statfile {
58 BAYES_HAM {
59 spam = false;
60 }
61 BAYES_SPAM {
62 spam = true;
63 }
64 }
65 '';
66 /*
67 "logging.conf" = ''
68 debug_modules = [“dkim_signing”]
69 '';
70 */
71 };
72 overrides = {
73 "milter_headers.conf".text = ''
74 extended_spam_headers = true;
75 '';
76 "actions.conf".text = ''
77 reject = 15; # Reject when reaching this score
78 add_header = 6; # Add header when reaching this score
79 greylist = 4; # Apply greylisting when reaching this score (will emit `soft reject action`)
80 '';
81 };
82 workers = {
83 learner = {
84 # Like controller but without a password, only the bindSockets' permissions
85 type = "controller";
86 includes = [ "$CONFDIR/worker-controller.inc" ];
87 bindSockets = [
88 { socket = "/run/rspamd/learner.sock";
89 mode = "0660";
90 owner = "${rspamd.user}";
91 group = "${dovecot2.group}";
92 }
93 ];
94 extraConfig = ''
95 '';
96 };
97 controller = {
98 includes = [
99 "$CONFDIR/worker-controller.inc"
100 gnupg.secrets."rspamd/controller/hashedPassword".path
101 ];
102 bindSockets = [
103 "127.0.0.1:11334"
104 ];
105 extraConfig = ''
106 #count = 1;
107 #static_dir = "''${WWWDIR}";
108 '';
109 };
110 };
111 };
112 security.gnupg.secrets."rspamd/controller/hashedPassword" = {
113 # Generated with: rspamadm pw
114 user = rspamd.user;
115 pipe = ''${pkgs.gnused}/bin/sed -e 's/.*/password = "\0";/' '';
116 systemdConfig.postStart = "systemctl try-restart --no-block rspamd"; # rspamd does not support reloading so far
117 };
118 systemd.services.rspamd = {
119 wants = [ gnupg.secrets."rspamd/controller/hashedPassword".service ];
120 after = [ gnupg.secrets."rspamd/controller/hashedPassword".service ];
121 };
122 /*
123 services.postfix.extraConfig = ''
124 smtpd_milters = unix:/run/rspamd.sock
125 milter_default_action = accept
126 '';
127 # Allow users to run 'rspamc' and 'rspamadm'.
128 environment.systemPackages = [ pkgs.rspamd ];
129 */
130 };
131 }
NixOS configurations for Sourcephile's infrastructure