losurdo: enable hardened profile
[sourcephile-nix.git] / servers / mermet / rspamd.nix
index 07a2f07f507802d5af7a52f0bb27ba83bf225778..3ed3ef209787059175e255d9e6ebcc95ac4f6365 100644 (file)
 { pkgs, lib, config, ... }:
-let inherit (builtins) attrNames listToAttrs;
-    inherit (builtins.extraBuiltins) pass pass-chomp;
-    inherit (lib) types;
-    inherit (pkgs.lib) unlinesAttrs;
-    inherit (config) networking;
-    inherit (config.services) postfix rspamd dovecot2;
+let
+  inherit (builtins) attrNames listToAttrs readFile;
+  inherit (builtins.extraBuiltins) pass pass-chomp;
+  inherit (lib) types;
+  inherit (pkgs.lib) unlinesAttrs;
+  inherit (config.services) postfix rspamd dovecot2 redis;
+  inherit (config.users) users;
 in
 {
-  systemd.services.rspamd.after =
-    lib.mapAttrsToList
-    (domain: dom: "dkim.${domain}.${dom.selector}.key-key.service")
-    rspamd.dkim.domains;
-  deployment.keys = lib.mapAttrs'
-    (domain: dom:
-      lib.nameValuePair "dkim.${domain}.${dom.selector}.key" {
-        text  = pass dom.selectors."${dom.selector}".key;
-        user  = rspamd.user;
-        group = "root";
-        destDir = "/run/keys/";
-        permissions = "0400"; # WARNING: not enforced when deployment.storeKeysOnMachine = true
-      })
-    rspamd.dkim.domains;
-  users.users."${rspamd.user}".extraGroups = [ "keys" ];
-  services.rspamd = {
-    enable = true;
-    debug = false;
-    postfix = {
-      enable = postfix.enable;
-    };
-    dkim = {
-      enable = true;
-      domains = {
-        "${networking.domainBase}.fr" = {
-          selector = "20200101";
-          selectors = {
-            "20200101" = {
-              key = "dkim/${networking.domainBase}.20200101.key";
-              dns = ''
-                  20200101._domainkey IN TXT ( "v=DKIM1; k=rsa; "
-                    "p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA7EKzverbG+5JF+yFjH3MrxLyauiHyLqBbV/8LEMunoKXF8sqhBpQtAQXruLqsyUkxR/4CAyPMyzmcdrU43boMj9yFqLrg/kEz2RIvai9jXBqRoWRW1y7F0LbZmdtOTncuDSP8Zzo02XUzsOC4f/C3tEQHS5rc"
-                    "hzfhU5FY1CeO6eBMV79qKBOvGMKahQTrrtU6olAAJxOhn6wRuwSf"
-                    "+m3on1OqiuXYYIgNHKdRhJ8gDwIm/3LEpYMD0gTgJiyclCLoLGHGtKZy1Wf9xV9/7V6fHE4JW5SDivwslVTL+KPXOlIpo5NDHpMxPYOcIg2K4Rj/j7jhavo+fG43q1LhwaPkEMQMbplgnjeMY8300odRiklTkMMpH0m35ZNeHQJSRpEtV8y5xUNxVaGzfqX5iStwV/mQ1Kn"
-                    "ZSe8ORTNq+eTTFnDk6zdUXjagcf0wO6QsSTeAz/G8CqOBbwmrU+q"
-                    "F8WbGAeRnhz51mH6fTTfsQ1nwjAiF4ou+eQGTkTMN23KkCKpuozJnxqx4DCEr6J1bL83fhXw7CgcfgKgTOk/HFJpeiGhqodw18r4DWBA6G57z9utm7Mr/9SoVnMq6iK9iEcbCllLR8Sz4viatLSRzhodbk7hfvXS3jmCFjILAjFmA7aMTemDMBDQhpAGF9F8sjFUbEJIZjK"
-                    "rWWtSTdO8DilDqN8CAwEAAQ=="
-                  );
-              '';
-            };
-          };
-        };
-      };
-    };
-    locals =
-      let selector_map_file =
-        pkgs.writeText "dkim_selectors.map"
-          (unlinesAttrs
-            (domain: dom: "${domain} ${dom.selector}")
-            rspamd.dkim.domains);
-      in {
-      "dkim_signing.conf".text = ''
-        selector_map = ${selector_map_file};
-        path = "/run/keys/dkim.$domain.$selector.key";
-        allow_username_mismatch = true;
-      '';
-      "arc.conf".text = ''
-        selector_map = ${selector_map_file};
-        path = "/run/keys/dkim.$domain.$selector.key";
-        allow_username_mismatch = true;
-      '';
-      /*
-      "logging.conf" = ''
-        debug_modules = [“dkim_signing”]
+imports = map (domain: import (./rspamd + "/${domain}.nix") {inherit domain;}) [
+  "sourcephile.fr"
+  "autogeree.net"
+];
+options = {
+  services.rspamd.dkimSelectorMap = lib.mkOption {
+    type = types.lines;
+    default = "";
+    description = ''Each line maps a domain to its active DKIM selector'';
+    apply = s: pkgs.writeText "dkim_selectors.map" s;
+  };
+};
+config = {
+users.users."${rspamd.user}".extraGroups = [
+  "keys"
+  users.redis.group
+];
+services.rspamd = {
+  enable = true;
+  debug = false;
+  postfix.enable = postfix.enable;
+  locals = {
+    "dkim_signing.conf".text = ''
+      selector_map = ${rspamd.dkimSelectorMap};
+      path = "/run/keys/dkim.$domain.$selector.key";
+      allow_username_mismatch = true;
+    '';
+    "arc.conf".text = ''
+      selector_map = ${rspamd.dkimSelectorMap};
+      path = "/run/keys/dkim.$domain.$selector.key";
+      allow_username_mismatch = true;
+    '';
+    "redis.conf".text = ''
+      servers = "${redis.unixSocket}";
+      db = "1";
+    '';
+    "classifier-bayes.conf".text = ''
+      users_enabled = false;
+      backend = "redis";
+      servers = "${redis.unixSocket}";
+      database = "1";
+      autolearn = true;
+      cache {
+        backend = "redis";
+      }
+      new_schema = true;
+      statfile {
+        BAYES_HAM {
+          spam = false;
+        }
+        BAYES_SPAM {
+          spam = true;
+        }
+      }
+    '';
+    /*
+    "logging.conf" = ''
+      debug_modules = [“dkim_signing”]
+    '';
+    */
+  };
+  overrides = {
+    "milter_headers.conf".text = ''
+      extended_spam_headers = true;
+    '';
+    "actions.conf".text = ''
+      reject     = 15; # Reject when reaching this score
+      add_header =  6; # Add header when reaching this score
+      greylist   =  4; # Apply greylisting when reaching this score (will emit `soft reject action`)
+    '';
+  };
+  workers = {
+    learner = {
+      # Like controller but without a password, only the bindSockets' permissions
+      type = "controller";
+      includes = [ "$CONFDIR/worker-controller.inc" ];
+      bindSockets = [
+        { socket = "/run/rspamd/learner.sock";
+          mode = "0660";
+          owner = "${rspamd.user}";
+          group = "${dovecot2.group}";
+        }
+      ];
+      extraConfig = ''
       '';
-      */
     };
-    overrides = {
-      "milter_headers.conf".text = ''
-        extended_spam_headers = true;
-      '';
-      "actions.conf".text = ''
-        reject     = 15; # Reject when reaching this score
-        add_header =  6; # Add header when reaching this score
-        greylist   =  4; # Apply greylisting when reaching this score (will emit `soft reject action`)
+    controller = {
+      includes = [ "$CONFDIR/worker-controller.inc" ];
+      bindSockets = [
+        "127.0.0.1:11334"
+      ];
+      extraConfig = ''
+        #count = 1;
+        #static_dir = "''${WWWDIR}";
+        # USE: rspamadm pw
+        password = "${pass-chomp "servers/mermet/rspamd/controller/hashedPassword"}";
       '';
     };
-    workers = {
-      learner = {
-        # Like controller but without a password, only the bindSockets' permissions
-        type = "controller";
-        includes = [ "$CONFDIR/worker-controller.inc" ];
-        bindSockets = [
-          { socket = "/run/rspamd/learner.sock";
-            mode = "0660";
-            owner = "${rspamd.user}";
-            group = "${dovecot2.group}";
-          }
-        ];
-        extraConfig = ''
-        '';
-      };
-      controller = {
-        includes = [ "$CONFDIR/worker-controller.inc" ];
-        bindSockets = [
-          "127.0.0.1:11334"
-        ];
-        extraConfig = ''
-          #count = 1;
-          #static_dir = "''${WWWDIR}";
-          # USE: rspamadm pw
-          password = "${pass-chomp "servers/mermet/rspamd/controller/hashedPassword"}";
-        '';
-      };
-    };
-  };
-  /*
-  services.postfix.extraConfig = ''
-    smtpd_milters = unix:/run/rspamd.sock
-    milter_default_action = accept
-  '';
-  # Allow users to run 'rspamc' and 'rspamadm'.
-  environment.systemPackages = [ pkgs.rspamd ];
-  */
-
-  /*
-  services.redis = {
-    enable = true;
   };
-  */
+};
+/*
+services.postfix.extraConfig = ''
+  smtpd_milters = unix:/run/rspamd.sock
+  milter_default_action = accept
+'';
+# Allow users to run 'rspamc' and 'rspamadm'.
+environment.systemPackages = [ pkgs.rspamd ];
+*/
+};
 }
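Review bot: The new `dkim_signing.conf` and `arc.conf` still point at `/run/keys/dkim.$domain.$selector.key`, but the `deployment.keys` entries that deliver those files and the `systemd.services.rspamd.after` ordering on their `*-key.service` units are removed here with no replacement in this file; presumably they moved into the per-domain `./rspamd/<domain>.nix` modules pulled in by `imports`, which this hunk does not show, and that is worth confirming, since otherwise rspamd can start before the keys exist and DKIM/ARC signing fails at boot. A one-line comment above `locals`, `# DKIM keys and their unit ordering are declared per domain in ./rspamd/<domain>.nix`, would make that split visible to the next reader. Likewise `"${redis.unixSocket}"` in `redis.conf` and `classifier-bayes.conf` requires `services.redis.unixSocket` to be set elsewhere (its NixOS default is null, which cannot be interpolated into a string), and adding `rspamd.user` to `users.redis.group` is what grants rspamd access to that socket, so the socket's group permission now gates rspamd's Redis access and should stay group-only. Minor: `readFile` is added to the `builtins` inherit but is unused in this file, and the body of `config = {` is left unindented while the body of `options = {` is indented.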