Simon Bruder
f945341668
This applies the REUSE specification to the repository, so the licensing information can be tracked for every file individually.
85 lines
2.6 KiB
Nix
85 lines
2.6 KiB
Nix
# SPDX-FileCopyrightText: 2023 Simon Bruder <simon@sbruder.de>
|
||
#
|
||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||
|
||
{ config, lib, ... }:
|
||
let
|
||
cfg = config.sbruder.mailserver;
|
||
in
|
||
{
|
||
options.sbruder.mailserver.spam = {
|
||
enable = (lib.mkEnableOption "spam filtering") // { default = true; };
|
||
};
|
||
|
||
config = lib.mkIf (cfg.enable && cfg.spam.enable) {
|
||
sops.secrets.rspamd-worker-controller = {
|
||
owner = config.users.users.rspamd.name;
|
||
sopsFile = ../../machines + "/${config.networking.hostName}/secrets.yaml";
|
||
};
|
||
|
||
services.rspamd = {
|
||
enable = true;
|
||
postfix.enable = true;
|
||
workers = {
|
||
normal = {
|
||
includes = [ "$CONFDIR/worker-normal.inc" ];
|
||
bindSockets = lib.singleton {
|
||
socket = "/run/rspamd/rspamd.sock";
|
||
mode = "0660";
|
||
owner = "${config.services.rspamd.user}";
|
||
group = "${config.services.rspamd.group}";
|
||
};
|
||
};
|
||
controller = {
|
||
includes = [ "$CONFDIR/worker-controller.inc" ];
|
||
bindSockets = [ "127.0.0.1:11334" ] ++ lib.optional config.sbruder.wireguard.home.enable "${config.sbruder.wireguard.home.address}:11334";
|
||
};
|
||
};
|
||
locals = {
|
||
"dkim_signing.conf".text = ''
|
||
enabled = false;
|
||
'';
|
||
"logging.inc".text = ''
|
||
# starts at info, drops to notice once started up
|
||
level = "silent";
|
||
'';
|
||
"milter_headers.conf".text = ''
|
||
extended_spam_headers = true;
|
||
'';
|
||
"multimap.conf".text = ''
|
||
SENDER_BLOCKED {
|
||
type = "from";
|
||
filter = "email:addr";
|
||
map = "/var/lib/rspamd/blocked_senders.map";
|
||
symbol = "SENDER_BLOCKED";
|
||
description = "Sender’s address is manually blocked";
|
||
prefilter = true;
|
||
action = "reject";
|
||
score = 30.0;
|
||
}
|
||
SENDER_DOMAIN_BLOCKED {
|
||
type = "from";
|
||
filter = "email:domain:tld";
|
||
map = "/var/lib/rspamd/blocked_sender_domains.map";
|
||
symbol = "SENDER_DOMAIN_BLOCKED";
|
||
description = "Sender’s effective second level domain is manually blocked";
|
||
score = 8.0;
|
||
}
|
||
'';
|
||
"redis.conf".text = ''
|
||
servers = "127.0.0.1:${toString config.services.redis.servers.rspamd.port}"
|
||
'';
|
||
"worker-controller.inc".source = config.sops.secrets.rspamd-worker-controller.path; # includes password
|
||
};
|
||
};
|
||
|
||
services.redis = {
|
||
vmOverCommit = true;
|
||
servers.rspamd = {
|
||
enable = true;
|
||
port = 6379;
|
||
};
|
||
};
|
||
};
|
||
}
|