nixos-config/modules/mailserver/rspamd.nix
Simon Bruder f945341668
Relicense
This applies the REUSE specification to the repository, so the licensing
information can be tracked for every file individually.
2024-01-13 14:35:31 +01:00

85 lines
2.6 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, ... }:
let
cfg = config.sbruder.mailserver;
in
{
options.sbruder.mailserver.spam = {
enable = (lib.mkEnableOption "spam filtering") // { default = true; };
};
config = lib.mkIf (cfg.enable && cfg.spam.enable) {
sops.secrets.rspamd-worker-controller = {
owner = config.users.users.rspamd.name;
sopsFile = ../../machines + "/${config.networking.hostName}/secrets.yaml";
};
services.rspamd = {
enable = true;
postfix.enable = true;
workers = {
normal = {
includes = [ "$CONFDIR/worker-normal.inc" ];
bindSockets = lib.singleton {
socket = "/run/rspamd/rspamd.sock";
mode = "0660";
owner = "${config.services.rspamd.user}";
group = "${config.services.rspamd.group}";
};
};
controller = {
includes = [ "$CONFDIR/worker-controller.inc" ];
bindSockets = [ "127.0.0.1:11334" ] ++ lib.optional config.sbruder.wireguard.home.enable "${config.sbruder.wireguard.home.address}:11334";
};
};
locals = {
"dkim_signing.conf".text = ''
enabled = false;
'';
"logging.inc".text = ''
# starts at info, drops to notice once started up
level = "silent";
'';
"milter_headers.conf".text = ''
extended_spam_headers = true;
'';
"multimap.conf".text = ''
SENDER_BLOCKED {
type = "from";
filter = "email:addr";
map = "/var/lib/rspamd/blocked_senders.map";
symbol = "SENDER_BLOCKED";
description = "Senders address is manually blocked";
prefilter = true;
action = "reject";
score = 30.0;
}
SENDER_DOMAIN_BLOCKED {
type = "from";
filter = "email:domain:tld";
map = "/var/lib/rspamd/blocked_sender_domains.map";
symbol = "SENDER_DOMAIN_BLOCKED";
description = "Senders effective second level domain is manually blocked";
score = 8.0;
}
'';
"redis.conf".text = ''
servers = "127.0.0.1:${toString config.services.redis.servers.rspamd.port}"
'';
"worker-controller.inc".source = config.sops.secrets.rspamd-worker-controller.path; # includes password
};
};
services.redis = {
vmOverCommit = true;
servers.rspamd = {
enable = true;
port = 6379;
};
};
};
}