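# NixOS/NixOps module: DKIM signing for the rspamd-upstream service.
#
# Declares `services.dkim.domains` (domain -> current selector plus the
# selectors known for that domain) and, from it:
#   * publishes the private key for every domain as a NixOps `deployment.keys`
#     entry named `dkim.<domain>.<selector>.key`, read from `pass`;
#   * copies each key from /run/keys into /var/lib/rspamd/dkim with mode 0400
#     in the service's preStart;
#   * points rspamd's dkim_signing and arc modules at those files via a
#     generated selector_map.
{ pkgs, lib, config, ... }:

let
  inherit (builtins) attrNames;
  inherit (builtins.extraBuiltins) pass;
  inherit (lib) types;
  inherit (pkgs.lib) unlinesAttrs;
  inherit (config) networking;
  inherit (config.services) rspamd-upstream dkim;

  # Earlier monolithic local.conf; superseded by the per-file `locals` and
  # `overrides` below and kept only for reference.
  /*
  localConfig = pkgs.writeText "local.conf" ''
    classifier "bayes" {
      autolearn = true;
    }
    dkim_signing {
      path = "/var/lib/rspamd/dkim/$domain.$selector.key";
      selector = "default";
      allow_username_mismatch = true;
    }
    arc {
      path = "/var/lib/rspamd/dkim/$domain.$selector.key";
      selector = "default";
      allow_username_mismatch = true;
    }
    milter_headers {
      use = ["authentication-results", "x-spam-status"];
      authenticated_headers = ["authentication-results"];
    }
    replies {
      action = "no action";
    }
    url_reputation {
      enabled = true;
    }
    phishing {
      openphish_enabled = true;
      phishtank_enabled = true;
    }
  '';
  */

  # Domains whose keys are deployed: the primary domain plus its aliases.
  # NOTE(review): the preStart copy and the selector_map below iterate over
  # `dkim.domains` instead; a domain present in one set but not the other
  # presumably leaves a key undeployed or an `install` source missing —
  # confirm the two sets are kept in sync by the host configuration.
  keyDomains = [ networking.domain ] ++ networking.domainAliases;
in
{
  options.services.dkim = lib.mkOption {
    default = {};
    type = types.submodule {
      options = {
        domains = lib.mkOption {
          default = {};
          type = types.attrsOf (types.submodule {
            options = {
              selector = lib.mkOption {
                type = types.str;
                description = ''Current selector.'';
              };
              selectors = lib.mkOption {
                default = {};
                description = ''Available selectors.'';
                type = types.attrsOf (types.submodule {
                  options = {
                    key = lib.mkOption {
                      type = types.str;
                      description = ''Private key.'';
                    };
                    dns = lib.mkOption {
                      type = types.str;
                      description = ''DNS record.'';
                    };
                  };
                });
              };
            };
          });
        };
      };
    };
  };

  config = {
    # One NixOps key per deployed domain, named after the domain and its
    # current selector.  The `pass` path is keyed on domainBase and selector
    # only, so every domain sharing a selector is signed with the same key.
    deployment.keys = builtins.listToAttrs (map (domain:
      let
        selector = dkim.domains."${domain}".selector;
      in {
        name = "dkim.${domain}.${selector}.key";
        value = {
          text = pass "${networking.domainBase}/dkim/${selector}/key" + "\n";
          #destDir = "${redmine.stateDir}/.ssh";
          #path = "${redmine.stateDir}/.ssh/id_ed25519";
          user = rspamd-upstream.user;
          group = rspamd-upstream.group;
          permissions = "0400"; # XXX: not enforced when deployment.storeKeysOnMachine = true
        };
      }) keyDomains);

    # Copy the keys out of /run/keys into rspamd's state directory, owned by
    # the service user and readable only by it.  Waits for keys.target so the
    # sources exist before the copy runs.
    systemd.services.rspamd-upstream = {
      path = [ pkgs.coreutils ];
      after = [ "keys.target" ];
      preStart = unlinesAttrs (domain: dom: ''
        install -D -o ${rspamd-upstream.user} -g ${rspamd-upstream.group} -m 0400 \
          /run/keys/dkim.${domain}.${dom.selector}.key \
          /var/lib/rspamd/dkim/${domain}.${dom.selector}.key
      '') dkim.domains;
    };

    services.rspamd-upstream = {
      enable = true;
      debug = false;
      postfix = {
        enable = true;
      };

      locals = let
        # "<domain> <selector>" per line; rspamd resolves $domain/$selector
        # in `path` through this map.
        selector_map_file = pkgs.writeText "dkim_selectors.map"
          (unlinesAttrs (domain: dom: "${domain} ${dom.selector}") dkim.domains);
      in {
        "dkim_signing.conf".text = ''
          path = "/var/lib/rspamd/dkim/$domain.$selector.key";
          selector_map = ${selector_map_file};
          allow_username_mismatch = true;
        '';
        "arc.conf".text = ''
          path = "/var/lib/rspamd/dkim/$domain.$selector.key";
          selector_map = ${selector_map_file};
          allow_username_mismatch = true;
        '';
        /*
        "logging.conf".text = ''
          debug_modules = ["dkim_signing"]
        '';
        */
      };

      overrides = {
        "milter_headers.conf".text = ''
          extended_spam_headers = true;
        '';
        "actions.conf".text = ''
          actions {
            reject = 15; # Reject when reaching this score
            add_header = 6; # Add header when reaching this score
            greylist = 4; # Apply greylisting when reaching this score (will emit `soft reject action`)
          }
        '';
      };

      workers = {
        normal = {
          /*
          includes = [ "$CONFDIR/worker-normal.inc" ];
          bindSockets = [{
            socket = "/run/rspamd/rspamd.sock";
            mode = "0660";
            owner = "${cfg.user}";
            group = "${cfg.group}";
          }];
          */
        };
        controller = {
          #includes = [ "$CONFDIR/worker-controller.inc" ];
          # The controller exposes the web UI and a password-protected admin
          # API; keep it reachable from this host only (was "*:11334").
          bindSockets = [ "localhost:11334" ];
          extraConfig = ''
            #count = 1;
            #static_dir = "''${WWWDIR}";
            # USE: rspamadm pw
            password = "$2$fy8padyutwigfchjbye88h7i4exwx9gw$m3ohkqu9fartjkjz5oeok5xwxamwime63998awryxdt8dt431eoy";
          '';
        };
      };
    };

    # Previous configuration using the monolithic local.conf and an explicit
    # milter proxy worker; retained for reference.
    /*
    services.rspamd-upstream = {
      enable = true;
      # FIXME: the order of sockets is messed up
      socketActivation = false;
      extraConfig = ''
        .include(priority=1,duplicate=merge) "${localConfig}"
      '';
      workers.controller = {
        extraConfig = ''
          count = 1;
          static_dir = "''${WWWDIR}";
          password = "$2$cifyu958qabanmtjyofmf5981posxie7$dz3taiiumir9ew5ordg8n1ia3eb73y1t55kzc9qsjdq1n8esmqqb";
          enable_password = "$2$cifyu958qabanmtjyofmf5981posxie7$dz3taiiumir9ew5ordg8n1ia3eb73y1t55kzc9qsjdq1n8esmqqb";
        '';
      };
      workers.rspamd_proxy = {
        type = "proxy";
        extraConfig = ''
          milter = yes; # Enable milter mode
          timeout = 120s; # Needed for Milter usually
          upstream "local" {
            default = yes;
            self_scan = yes;
          }
          count = 1; # Do not spawn too many processes of this type
        '';
        bindSockets = [{
          socket = "/run/rspamd.sock";
          mode = "0666";
          owner = "rspamd";
          group = "rspamd";
        }];
      };
    };
    */

    /*
    services.postfix.extraConfig = ''
      smtpd_milters = unix:/run/rspamd.sock
      milter_default_action = accept
    '';
    # Allow users to run 'rspamc' and 'rspamadm'.
    environment.systemPackages = [ pkgs.rspamd ];
    */

    /*
    services.redis = {
      enable = true;
    };
    */
  };
}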