# Spam filtering for the mailserver role: rspamd (as a Postfix milter) backed by
# a dedicated Redis instance. Enabled by default whenever the mailserver itself
# is enabled; `sbruder.mailserver.spam.enable = false` turns it off.
{ config, lib, ... }:

let
  cfg = config.sbruder.mailserver;
  rspamdCfg = config.services.rspamd;
  wgHome = config.sbruder.wireguard.home;
  redisPort = config.services.redis.servers.rspamd.port;

  # Per-machine sops file; the controller worker include (password) lives there.
  machineSecrets = ../../machines + "/${config.networking.hostName}/secrets.yaml";

  # Unix socket for the normal (scanning) worker. 0660 owner/group means only the
  # rspamd user and group (which Postfix's milter integration must belong to) can
  # talk to the scanner.
  normalSocket = {
    socket = "/run/rspamd/rspamd.sock";
    mode = "0660";
    owner = rspamdCfg.user;
    group = rspamdCfg.group;
  };

  # The controller (web UI / API) listens on loopback, and additionally on the
  # WireGuard home address when that tunnel is configured. Everything that can
  # reach either address gets to try the controller password from
  # worker-controller.inc, so that secret should be treated accordingly.
  controllerBinds =
    [ "127.0.0.1:11334" ]
    ++ lib.optionals wgHome.enable [ "${wgHome.address}:11334" ];
in
{
  options.sbruder.mailserver.spam.enable =
    (lib.mkEnableOption "spam filtering") // { default = true; };

  config = lib.mkIf (cfg.enable && cfg.spam.enable) {
    # Controller worker include; it carries the controller password, hence it is
    # sourced from sops and owned by the rspamd user rather than written inline.
    sops.secrets.rspamd-worker-controller = {
      owner = config.users.users.rspamd.name;
      sopsFile = machineSecrets;
    };

    services.rspamd = {
      enable = true;
      postfix.enable = true;

      workers.normal = {
        includes = [ "$CONFDIR/worker-normal.inc" ];
        bindSockets = [ normalSocket ];
      };

      workers.controller = {
        includes = [ "$CONFDIR/worker-controller.inc" ];
        bindSockets = controllerBinds;
      };

      locals = {
        # Outbound DKIM signing is handled elsewhere (or not at all); rspamd must
        # not sign.
        "dkim_signing.conf".text = ''
          enabled = false;
        '';

        # NOTE(review): "silent" suppresses most of rspamd's own log output. That
        # also drops the per-message decision trail that is the first thing to
        # look for during an incident (why was a message accepted/rejected?) —
        # confirm this is intended rather than a noise-reduction shortcut.
        "logging.inc".text = ''
          # starts at info, drops to notice once started up
          level = "silent";
        '';

        # Adds the detailed X-Spamd-* result headers to delivered mail. They
        # expose which rules fired and with what score to whoever reads the
        # message; fine for an internal mailbox, worth knowing about.
        "milter_headers.conf".text = ''
          extended_spam_headers = true;
        '';

        # Manually maintained block lists. Whoever can write the two map files
        # under /var/lib/rspamd effectively controls which senders are rejected
        # or let through — presumably only the rspamd user can; verify the
        # directory permissions.
        #
        # SENDER_BLOCKED runs as a prefilter with action = "reject", so a match
        # presumably short-circuits all further scoring (including any
        # whitelisting) and the message is refused outright.
        # SENDER_DOMAIN_BLOCKED only contributes a score of 8.0 and leaves the
        # final verdict to the normal threshold logic.
        "multimap.conf".text = ''
          SENDER_BLOCKED {
            type = "from";
            filter = "email:addr";
            map = "/var/lib/rspamd/blocked_senders.map";
            symbol = "SENDER_BLOCKED";
            description = "Sender’s address is manually blocked";
            prefilter = true;
            action = "reject";
            score = 30.0;
          }
          SENDER_DOMAIN_BLOCKED {
            type = "from";
            filter = "email:domain:tld";
            map = "/var/lib/rspamd/blocked_sender_domains.map";
            symbol = "SENDER_DOMAIN_BLOCKED";
            description = "Sender’s effective second level domain is manually blocked";
            score = 8.0;
          }
        '';

        # rspamd's statistics/Bayes/history backend. NOTE(review): no Redis
        # authentication is configured here, so any local process able to reach
        # the port can read or tamper with the classifier state. If other users
        # or services run on this host, consider a requirePass on the Redis
        # server and a matching `password` here.
        "redis.conf".text = ''
          servers = "127.0.0.1:${toString redisPort}"
        '';

        # Contains the controller password; see sops.secrets above.
        "worker-controller.inc".source =
          config.sops.secrets.rspamd-worker-controller.path;
      };
    };

    services.redis = {
      # Presumably applied as a host-wide kernel sysctl (vm.overcommit_memory),
      # not just for this instance — verify against the NixOS redis module.
      vmOverCommit = true;
      servers.rspamd = {
        enable = true;
        port = 6379;
      };
    };
  };
}