transmission: fix nebula domain
[sourcephile-nix.git] / hosts / mermet / rspamd.nix
index 92f94fff4a8195f84d412df90fcaa04b079477d9..1980eb4be973bf960c26c4b6524f11ae7da58c26 100644 (file)
-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, inputs, hostName, ... }:
 let
-  inherit (builtins) attrNames listToAttrs readFile;
   inherit (lib) types;
-  inherit (pkgs.lib) unlinesAttrs;
-  inherit (config.security) gnupg;
-  inherit (config.services) postfix rspamd dovecot2 redis;
+  inherit (config.services) postfix rspamd dovecot2;
+  redis = config.services.redis.servers.rspamd;
   inherit (config.users) users groups;
 in
 {
-imports = [
-  rspamd/autogeree.net.nix
-  rspamd/sourcephile.fr.nix
-];
-options = {
-  services.rspamd.dkimSelectorMap = lib.mkOption {
-    type = types.lines;
-    default = "";
-    description = ''Each line maps a domain to its active DKIM selector'';
-    apply = s: pkgs.writeText "dkim_selectors.map" s;
+  imports = [
+    rspamd/autogeree.net.nix
+    rspamd/sourcephile.fr.nix
+  ];
+  options = {
+    services.rspamd.dkimSelectorMap = lib.mkOption {
+      type = types.lines;
+      default = "";
+      description = ''Each line maps a domain to its active DKIM selector'';
+      apply = s: pkgs.writeText "dkim_selectors.map" s;
+    };
   };
-};
-config = {
-users.users."${rspamd.user}".extraGroups = [
-  users.redis.group
-  groups."keys".name
-];
-services.rspamd = {
-  enable = true;
-  debug = false;
-  postfix.enable = postfix.enable;
-  locals = {
-    "dkim_signing.conf".text = ''
-      selector_map = ${rspamd.dkimSelectorMap};
-      path = "/run/keys/gnupg/rspamd/dkim/$domain/$selector.key";
-      allow_username_mismatch = true;
-    '';
-    "arc.conf".text = ''
-      selector_map = ${rspamd.dkimSelectorMap};
-      path = "/run/keys/gnupg/rspamd/dkim/$domain/$selector.key";
-      allow_username_mismatch = true;
-    '';
-    "redis.conf".text = ''
-      servers = "${redis.unixSocket}";
-      db = "1";
-    '';
-    "classifier-bayes.conf".text = ''
-      users_enabled = false;
-      backend = "redis";
-      servers = "${redis.unixSocket}";
-      database = "1";
-      autolearn = true;
-      cache {
-        backend = "redis";
-      }
-      new_schema = true;
-      statfile {
-        BAYES_HAM {
-          spam = false;
-        }
-        BAYES_SPAM {
-          spam = true;
-        }
-      }
-    '';
-    /*
-    "logging.conf" = ''
+  config = {
+    users.groups.redis-rspamd.members = [ rspamd.user ];
+    services.rspamd = {
+      enable = true;
+      debug = false;
+      postfix.enable = postfix.enable;
+      locals = {
+        "dkim_signing.conf".text = ''
+          selector_map = ${rspamd.dkimSelectorMap};
+          path = "/run/credentials/rspamd.service/$domain.$selector.key";
+          allow_username_mismatch = true;
+        '';
+        "arc.conf".text = ''
+          selector_map = ${rspamd.dkimSelectorMap};
+          path = "/run/credentials/rspamd.service/$domain.$selector.key";
+          allow_username_mismatch = true;
+        '';
+        "redis.conf".text = ''
+          servers = "${redis.unixSocket}";
+          db = "1";
+        '';
+        "classifier-bayes.conf".text = ''
+          users_enabled = false;
+          backend = "redis";
+          servers = "${redis.unixSocket}";
+          database = "1";
+          autolearn = true;
+          cache {
+            backend = "redis";
+          }
+          new_schema = true;
+          expire = 86400;
+          statfile {
+            BAYES_HAM {
+              spam = false;
+            }
+            BAYES_SPAM {
+              spam = true;
+            }
+          }
+        '';
+        /*
+          "logging.conf" = ''
       debug_modules = [“dkim_signing”]
-    '';
-    */
-  };
-  overrides = {
-    "milter_headers.conf".text = ''
-      extended_spam_headers = true;
-    '';
-    "actions.conf".text = ''
-      reject     = 15; # Reject when reaching this score
-      add_header =  6; # Add header when reaching this score
-      greylist   =  4; # Apply greylisting when reaching this score (will emit `soft reject action`)
-    '';
-  };
-  workers = {
-    learner = {
-      # Like controller but without a password, only the bindSockets' permissions
-      type = "controller";
-      includes = [ "$CONFDIR/worker-controller.inc" ];
-      bindSockets = [
-        { socket = "/run/rspamd/learner.sock";
-          mode = "0660";
-          owner = "${rspamd.user}";
-          group = "${dovecot2.group}";
-        }
-      ];
-      extraConfig = ''
+          '';
+        */
+      };
+      overrides = {
+        "milter_headers.conf".text = ''
+          extended_spam_headers = true;
+        '';
+        "actions.conf".text = ''
+          reject     = 15; # Reject when reaching this score
+          add_header =  6; # Add header when reaching this score
+          greylist   =  4; # Apply greylisting when reaching this score (will emit `soft reject action`)
+        '';
+      };
+      workers = {
+        learner = {
+          # Like controller but without a password, only the bindSockets' permissions
+          type = "controller";
+          includes = [ "$CONFDIR/worker-controller.inc" ];
+          bindSockets = [
+            {
+              socket = "/run/rspamd/learner.sock";
+              mode = "0660";
+              owner = "${rspamd.user}";
+              group = "${dovecot2.group}";
+            }
+          ];
+          extraConfig = ''
       '';
+        };
+        controller = {
+          includes = [
+            "$CONFDIR/worker-controller.inc"
+            "/run/credentials/rspamd.service/controller.inc"
+          ];
+          bindSockets = [
+            "127.0.0.1:11334"
+          ];
+          extraConfig = ''
+            #count = 1;
+            #static_dir = "''${WWWDIR}";
+          '';
+        };
+      };
     };
-    controller = {
-      includes = [
-        "$CONFDIR/worker-controller.inc"
-        gnupg.secrets."rspamd/controller/hashedPassword".path
-      ];
-      bindSockets = [
-        "127.0.0.1:11334"
-      ];
-      extraConfig = ''
-        #count = 1;
-        #static_dir = "''${WWWDIR}";
-      '';
+    systemd.services.rspamd = {
+      serviceConfig = {
+        LoadCredentialEncrypted = [
+          "controller.inc:${rspamd/controller.inc.cred}"
+        ];
+      };
     };
+
+    fileSystems."/var/lib/redis-rspamd" = {
+      device = "rpool/var/redis-rspamd";
+      fsType = "zfs";
+    };
+    services.sanoid.datasets."rpool/var/redis-rspamd" = {
+      use_template = [ "snap" ];
+      daily = 7;
+      monthly = 0;
+    };
+
+    services.redis.vmOverCommit = true;
+    services.redis.servers.rspamd = {
+      enable = true;
+      databases = 16;
+      syslog = true;
+      save = [ [ 1800 100 ] [ 300 1000 ] ];
+      #unixSocketPerm = "660";
+      settings = {
+        maxmemory = "64MB";
+        maxmemory-policy = "volatile-ttl";
+      };
+    };
+    /*
+      services.postfix.extraConfig = ''
+      smtpd_milters = unix:/run/rspamd.sock
+      milter_default_action = accept
+      '';
+      # Allow users to run 'rspamc' and 'rspamadm'.
+      environment.systemPackages = [ pkgs.rspamd ];
+    */
   };
-};
-security.gnupg.secrets."rspamd/controller/hashedPassword" = {
-  # Generated with: rspamadm pw
-  user = rspamd.user;
-  pipe = ''${pkgs.gnused}/bin/sed -e 's/.*/password = "\0";/' '';
-  systemdConfig.postStart = "systemctl try-restart --no-block rspamd"; # rspamd does not support reloading so far
-};
-systemd.services.rspamd = {
-  wants = [ gnupg.secrets."rspamd/controller/hashedPassword".service ];
-  after = [ gnupg.secrets."rspamd/controller/hashedPassword".service ];
-};
-/*
-services.postfix.extraConfig = ''
-  smtpd_milters = unix:/run/rspamd.sock
-  milter_default_action = accept
-'';
-# Allow users to run 'rspamc' and 'rspamadm'.
-environment.systemPackages = [ pkgs.rspamd ];
-*/
-};
 }