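# NixOS module wiring rspamd into Postfix (milter), Redis (bayes/statistics
# backend) and Dovecot (bayes learner socket), with DKIM signing keys and the
# controller password supplied through the gnupg-backed secrets mechanism.
# NOTE(review): this listing is an excerpt with lines elided; closing
# brackets/strings for several attribute sets are not shown here.
{ pkgs, lib, config, ... }:
inherit (builtins) attrNames listToAttrs readFile;
inherit (pkgs.lib) unlinesAttrs;
inherit (config.security) gnupg;
inherit (config.services) postfix rspamd dovecot2;
# Shorthand for the dedicated Redis instance used only by rspamd.
redis = config.services.redis.servers.rspamd;
inherit (config.users) users groups;
# Per-domain DKIM material (selectors, keys) lives in these sub-modules.
rspamd/autogeree.net.nix
rspamd/sourcephile.fr.nix
# Domain -> active selector map consumed by dkim_signing's selector_map.
# `apply` turns the option's text into a store file so the config can reference
# it by path; rotate a key by changing the selector line and rebuilding.
services.rspamd.dkimSelectorMap = lib.mkOption {
description = ''Each line maps a domain to its active DKIM selector'';
apply = s: pkgs.writeText "dkim_selectors.map" s;
# rspamd reaches Redis over its unix socket (see "redis.conf" below), so it
# needs the instance's group.
users.groups.redis-rspamd.members = [ rspamd.user ];
# Membership in `keys` is what lets rspamd traverse /run/keys to its DKIM keys.
# NOTE(review): this is broader than the dkim/ subtree alone; the per-file
# owner/mode on each secret is what actually limits reads — confirm they are
# narrowed to the rspamd user rather than relying on group membership.
users.groups.keys.members = [ rspamd.user ];
# Only hook the milter into Postfix when Postfix itself is enabled.
postfix.enable = postfix.enable;
"dkim_signing.conf".text = ''
selector_map = ${rspamd.dkimSelectorMap};
# Private keys are read from the tmpfs-backed secrets tree, never the store.
path = "/run/keys/gnupg/rspamd/dkim/$domain/$selector.key/file";
# Sign even when the authenticated username does not match the From domain.
# NOTE(review): this lets any authenticated sender obtain a signature for any
# domain present in selector_map — acceptable only if all submitting users are
# trusted for all listed domains.
allow_username_mismatch = true;
selector_map = ${rspamd.dkimSelectorMap};
path = "/run/keys/gnupg/rspamd/dkim/$domain/$selector.key/file";
allow_username_mismatch = true;
"redis.conf".text = ''
# Local unix socket only; no TCP endpoint is used by rspamd.
servers = "${redis.unixSocket}";
"classifier-bayes.conf".text = ''
# One shared bayes database for every recipient, not per-user statistics.
users_enabled = false;
servers = "${redis.unixSocket}";
# Fixed: the original used typographic quotes (U+201C/U+201D), which UCL does
# not accept as string delimiters. NOTE(review): debug logging for a module is
# verbose; presumably left over from troubleshooting — consider dropping it
# once signing is confirmed working.
debug_modules = ["dkim_signing"]
"milter_headers.conf".text = ''
# Add the full X-Spamd-Result / X-Spam-* header set to scanned mail.
extended_spam_headers = true;
"actions.conf".text = ''
reject = 15; # Reject at or above this score
add_header = 6; # Tag with spam headers at or above this score
greylist = 4; # Greylist at or above this score (rspamd emits a "soft reject" action)
# Learner worker: same as the controller but with no password. Access is gated
# solely by the socket's owner/group below, i.e. any process running as
# rspamd's user or in dovecot's group can train (and untrain) the bayes data.
includes = [ "$CONFDIR/worker-controller.inc" ];
{ socket = "/run/rspamd/learner.sock";
owner = "${rspamd.user}";
group = "${dovecot2.group}";
# Controller worker: shared include plus the hashed password rendered by the
# secrets pipe below.
"$CONFDIR/worker-controller.inc"
gnupg.secrets."rspamd/controller/hashedPassword".path
#static_dir = "''${WWWDIR}";
# The secret file is the output of `rspamadm pw` (a password hash, not the
# clear-text password); sed wraps it into a `password = "...";` UCL line so it
# can be included verbatim by the controller worker.
security.gnupg.secrets."rspamd/controller/hashedPassword" = {
# Generated with: rspamadm pw
pipe = ''${pkgs.gnused}/bin/sed -e 's/.*/password = "\0";/' '';
# rspamd has no config reload; restart it whenever the secret is re-rendered.
systemdConfig.postStart = "systemctl try-restart --no-block rspamd"; # rspamd does not support reloading so far
# Make sure the password secret is rendered before rspamd starts.
systemd.services.rspamd = {
wants = [ gnupg.secrets."rspamd/controller/hashedPassword".service ];
after = [ gnupg.secrets."rspamd/controller/hashedPassword".service ];
# Redis data on its own ZFS dataset, snapshotted by sanoid.
fileSystems."/var/lib/redis-rspamd" = {
device = "rpool/var/redis-rspamd";
services.sanoid.datasets."rpool/var/redis-rspamd" = {
use_template = [ "snap" ];
# NOTE(review): this is a host-wide kernel sysctl (vm.overcommit_memory), not
# something scoped to the rspamd instance — confirm that is intended.
services.redis.vmOverCommit = true;
services.redis.servers.rspamd = {
# Loopback only; rspamd talks over the unix socket anyway.
bind = "127.0.0.1 ::1";
# RDB snapshot: after 1800s with >=100 changes, or 300s with >=1000 changes.
save = [ [1800 100] [300 1000] ];
# NOTE(review): socket mode is left at the module default; verify the socket
# is group- (redis-rspamd) and not world-accessible.
#unixSocketPerm = "660";
# Under memory pressure only keys carrying a TTL are evicted.
maxmemory-policy = "volatile-ttl";
services.postfix.extraConfig = ''
smtpd_milters = unix:/run/rspamd.sock
# Fail-open: if the rspamd socket is unavailable, Postfix accepts the message
# without spam filtering and without DKIM signing. Deliberate availability
# trade-off; switch to `tempfail` if filtering/signing must be mandatory.
milter_default_action = accept
# Put 'rspamc' and 'rspamadm' on every user's PATH.
environment.systemPackages = [ pkgs.rspamd ];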