diff --git a/modules/mailserver.nix b/modules/mailserver.nix index ad59cd8..395d9ed 100644 --- a/modules/mailserver.nix +++ b/modules/mailserver.nix @@ -84,6 +84,9 @@ in "spammer@example.com" ]; }; + spam = { + enable = (lib.mkEnableOption "spam filtering") // { default = true; }; + }; }; config = lib.mkIf cfg.enable { @@ -357,5 +360,55 @@ in networking.resolvconf.extraConfig = '' name_servers='127.0.0.53' ''; + + # rspamd + sops.secrets.rspamd-worker-controller = lib.mkIf cfg.spam.enable { + owner = config.users.users.rspamd.name; + sopsFile = ../machines + "/${config.networking.hostName}/secrets.yaml"; + }; + + services.rspamd = { + enable = cfg.spam.enable; + postfix.enable = true; + workers = { + normal = { + includes = [ "$CONFDIR/worker-normal.inc" ]; + bindSockets = lib.singleton { + socket = "/run/rspamd/rspamd.sock"; + mode = "0660"; + owner = "${config.services.rspamd.user}"; + group = "${config.services.rspamd.group}"; + }; + }; + controller = { + includes = [ "$CONFDIR/worker-controller.inc" ]; + bindSockets = [ "127.0.0.1:11334" ] ++ lib.optional config.sbruder.wireguard.home.enable "${config.sbruder.wireguard.home.address}:11334"; + }; + }; + locals = { + "dkim_signing.conf".text = '' + enabled = false; + ''; + "logging.inc".text = '' + # starts at info, drops to notice once started up + level = "silent"; + ''; + "milter_headers.conf".text = '' + extended_spam_headers = true; + ''; + "redis.conf".text = '' + servers = "127.0.0.1:${toString config.services.redis.servers.rspamd.port}" + ''; + "worker-controller.inc".source = config.sops.secrets.rspamd-worker-controller.path; # includes password + }; + }; + + services.redis = lib.mkIf cfg.spam.enable { + vmOverCommit = true; + servers.rspamd = { + enable = true; + port = 6379; + }; + }; }; }
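Review bot: The controller worker's `bindSockets` adds the WireGuard home address next to loopback, so the password inside the sops-provided `worker-controller.inc` becomes the only barrier in front of a remote control surface (learn, fuzzy, stats, config), and that file's content is not visible in this diff. Confirm the secret sets both `password` and `enable_password` as rspamd password hashes, and that it does not re-add `secure_ip` entries, since a matching source address would skip the password entirely. It is also worth confirming that `config.sops.secrets.rspamd-worker-controller.path` stays a string path here, so the module symlinks the runtime secret instead of copying its contents into the world-readable Nix store. The enclosing `config = lib.mkIf cfg.enable { … }` set starts before this hunk. A comment such as `# controller: password-only auth, reachable from the home WireGuard peers — keep enable_password set and secure_ip empty` above `controller = {` would record the assumption for the next maintainer.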