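# NixOS/NixOps module: rspamd with DKIM/ARC signing for the local mail domain.
#
# Private DKIM keys are fetched from `pass` at deploy time and shipped as
# NixOps deployment keys into /run/keys; rspamd's dkim_signing and arc modules
# read them from there via a selector map generated from `rspamd.dkim.domains`.
# `rspamd.dkim` is not a stock `services.rspamd` option; it is expected to be
# declared by another module of this configuration.
{ pkgs, lib, config, ... }:
let
  inherit (builtins.extraBuiltins) pass pass-chomp;
  inherit (pkgs.lib) unlinesAttrs;
  inherit (config) networking;
  inherit (config.services) postfix rspamd dovecot2;

  # One NixOps key per (domain, active selector). The key unit NixOps creates
  # for a key named `N` is `N-key.service`.
  dkimKeyName = domain: dom: "dkim.${domain}.${dom.selector}.key";
  dkimKeyServices = lib.mapAttrsToList (domain: dom: "${dkimKeyName domain dom}-key.service") rspamd.dkim.domains;

  # "<domain> <selector>" per line, consumed by rspamd's selector_map.
  selector_map_file = pkgs.writeText "dkim_selectors.map"
    (unlinesAttrs (domain: dom: "${domain} ${dom.selector}") rspamd.dkim.domains);
in
{
  # `after` only orders the units; `wants` is what actually pulls the key
  # units in, otherwise rspamd can start before /run/keys is populated
  # (e.g. after a reboot) and fail to open the signing keys.
  systemd.services.rspamd = {
    after = dkimKeyServices;
    wants = dkimKeyServices;
  };

  deployment.keys = lib.mapAttrs' (domain: dom: lib.nameValuePair (dkimKeyName domain dom) {
    # Secret material comes from the password store at deploy time and never
    # enters the Nix store.
    text = pass dom.selectors."${dom.selector}".key;
    user = rspamd.user;
    group = rspamd.group;
    destDir = "/run/keys/";
    permissions = "0400"; # WARNING: not enforced when deployment.storeKeysOnMachine = true
  }) rspamd.dkim.domains;

  services.rspamd = {
    enable = true;
    debug = false;
    # Let the NixOS module wire rspamd into postfix as a milter when postfix runs here.
    postfix = { enable = postfix.enable; };

    dkim = {
      enable = true;
      domains = {
        "${networking.domainBase}.fr" = {
          # Selector currently used for signing; rotate by adding a new entry
          # to `selectors`, publishing its `dns` record, then switching this.
          selector = "20200101";
          selectors = {
            "20200101" = {
              # Path inside the password store.
              key = "dkim/${networking.domainBase}.20200101.key";
              # Public half, as the TXT record to publish in the zone.
              dns = ''
                20200101._domainkey IN TXT (
                  "v=DKIM1; k=rsa; "
                  "p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA7EKzverbG+5JF+yFjH3MrxLyauiHyLqBbV/8LEMunoKXF8sqhBpQtAQXruLqsyUkxR/4CAyPMyzmcdrU43boMj9yFqLrg/kEz2RIvai9jXBqRoWRW1y7F0LbZmdtOTncuDSP8Zzo02XUzsOC4f/C3tEQHS5rc"
                  "hzfhU5FY1CeO6eBMV79qKBOvGMKahQTrrtU6olAAJxOhn6wRuwSf"
                  "+m3on1OqiuXYYIgNHKdRhJ8gDwIm/3LEpYMD0gTgJiyclCLoLGHGtKZy1Wf9xV9/7V6fHE4JW5SDivwslVTL+KPXOlIpo5NDHpMxPYOcIg2K4Rj/j7jhavo+fG43q1LhwaPkEMQMbplgnjeMY8300odRiklTkMMpH0m35ZNeHQJSRpEtV8y5xUNxVaGzfqX5iStwV/mQ1Kn"
                  "ZSe8ORTNq+eTTFnDk6zdUXjagcf0wO6QsSTeAz/G8CqOBbwmrU+q"
                  "F8WbGAeRnhz51mH6fTTfsQ1nwjAiF4ou+eQGTkTMN23KkCKpuozJnxqx4DCEr6J1bL83fhXw7CgcfgKgTOk/HFJpeiGhqodw18r4DWBA6G57z9utm7Mr/9SoVnMq6iK9iEcbCllLR8Sz4viatLSRzhodbk7hfvXS3jmCFjILAjFmA7aMTemDMBDQhpAGF9F8sjFUbEJIZjK"
                  "rWWtSTdO8DilDqN8CAwEAAQ=="
                );
              '';
            };
          };
        };
      };
    };

    # Files in local.d/: merged with rspamd's defaults.
    locals = {
      # `$domain`/`$selector` are expanded by rspamd, not Nix, hence the plain `$`.
      "dkim_signing.conf".text = ''
        selector_map = ${selector_map_file};
        path = "/run/keys/dkim.$domain.$selector.key";
        allow_username_mismatch = true;
      '';
      # ARC reuses the same key material and selector map as DKIM.
      "arc.conf".text = ''
        selector_map = ${selector_map_file};
        path = "/run/keys/dkim.$domain.$selector.key";
        allow_username_mismatch = true;
      '';
      /* Uncomment to trace signing decisions:
      "logging.conf".text = ''
        debug_modules = ["dkim_signing"]
      '';
      */
    };

    # Files in override.d/: replace rspamd's defaults for the same section.
    overrides = {
      "milter_headers.conf".text = ''
        extended_spam_headers = true;
      '';
      "actions.conf".text = ''
        reject = 15; # Reject when reaching this score
        add_header = 6; # Add header when reaching this score
        greylist = 4; # Apply greylisting when reaching this score (will emit `soft reject action`)
      '';
    };

    workers = {
      # Like controller but without a password: access control is solely the
      # bindSockets' permissions, i.e. the rspamd user and members of the
      # dovecot2 group can learn/unlearn through this socket.
      learner = {
        type = "controller";
        includes = [ "$CONFDIR/worker-controller.inc" ];
        bindSockets = [
          {
            socket = "/run/rspamd/learner.sock";
            mode = "0660";
            owner = "${rspamd.user}";
            group = "${dovecot2.group}";
          }
        ];
        extraConfig = '' '';
      };
      # Password-protected controller, loopback only.
      controller = {
        includes = [ "$CONFDIR/worker-controller.inc" ];
        bindSockets = [ "127.0.0.1:11334" ];
        # `''$` yields a literal `${WWWDIR}` for rspamd; the hashed password
        # is read from the password store at deploy time.
        extraConfig = ''
          #count = 1;
          #static_dir = "''${WWWDIR}";
          # USE: rspamadm pw
          password = "${pass-chomp "servers/mermet/rspamd/controller/hashedPassword"}";
        '';
      };
    };
  };

  /* services.postfix.extraConfig = ''
    smtpd_milters = unix:/run/rspamd.sock
    milter_default_action = accept
  '';
  # Allow users to run 'rspamc' and 'rspamadm'.
  environment.systemPackages = [ pkgs.rspamd ];
  */
  /* services.redis = { enable = true; }; */
}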