[perso/Immae/Config/Nix.git] / systems / eldiron / mail / rspamd.nix

{ lib, pkgs, config, ... }:
{
  options.myServices.mail.rspamd.sockets = lib.mkOption {
    type = lib.types.attrsOf lib.types.path;
    default = {
      worker-controller = "/run/rspamd/worker-controller.sock";
    };
    readOnly = true;
    description = ''
      rspamd sockets
      '';
  };
  config = lib.mkIf config.myServices.mail.enable {
    services.cron.systemCronJobs = let
      cron_script = pkgs.runCommand "cron_script" {
        buildInputs = [ pkgs.makeWrapper ];
      } ''
        mkdir -p $out
        cp ${./scan_reported_mails} $out/scan_reported_mails
        patchShebangs $out
        for i in $out/*; do
          wrapProgram "$i" --prefix PATH : ${lib.makeBinPath [ pkgs.coreutils pkgs.rspamd pkgs.flock ]}
        done
        '';
    in
      [ "*/20 * * * * vhost ${cron_script}/scan_reported_mails" ];

    systemd.services.rspamd.serviceConfig.Slice = "mail.slice";
    systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "vhost" ];
    services.rspamd = {
      enable = true;
      debug = false;
      overrides = {
        "actions.conf".text = ''
          reject = null;
          add_header = 6;
          greylist = null;
          '';
        "milter_headers.conf".text = ''
          extended_spam_headers = true;
        '';
      };
      locals = {
        "composites.conf".text = ''
          # Local delivered e-mails have both SMTP AUTH and only one Received
          "LOCAL_DELIVERED_EMAILS" = {
            expression = "RCVD_VIA_SMTP_AUTH and ONCE_RECEIVED";
            score = -10.0;
          }
        '';
        "redis.conf".text = ''
          servers = "${config.myEnv.mail.rspamd.redis.socket}";
          db = "${config.myEnv.mail.rspamd.redis.db}";
          '';
        "classifier-bayes.conf".text = ''
          users_enabled = true;
          backend = "redis";
          servers = "${config.myEnv.mail.rspamd.redis.socket}";
          database = "${config.myEnv.mail.rspamd.redis.db}";
          autolearn = true;
          cache {
            backend = "redis";
          }
          new_schema = true;
          statfile {
            BAYES_HAM {
              spam = false;
            }
            BAYES_SPAM {
              spam = true;
            }
          }
          '';
      };
      workers = {
        controller = {
          extraConfig = ''
            enable_password = "${config.myEnv.mail.rspamd.write_password_hashed}";
            password = "${config.myEnv.mail.rspamd.read_password_hashed}";
          '';
          bindSockets = [ {
            socket = config.myServices.mail.rspamd.sockets.worker-controller;
            mode = "0660";
            owner = config.services.rspamd.user;
            group = "vhost";
          } ];
        };
      };
      postfix = {
        enable = true;
        config = {};
      };
    };
  };
}
Commit	Line	Data
ab8f306d	1	{ lib, pkgs, config, ... }:
a929614f IB	2	{
	3	options.myServices.mail.rspamd.sockets = lib.mkOption {
	4	type = lib.types.attrsOf lib.types.path;
	5	default = {
	6	worker-controller = "/run/rspamd/worker-controller.sock";
	7	};
	8	readOnly = true;
	9	description = ''
	10	rspamd sockets
	11	'';
	12	};
8415083e	13	config = lib.mkIf config.myServices.mail.enable {
8415083e IB	14	services.cron.systemCronJobs = let
	15	cron_script = pkgs.runCommand "cron_script" {
	16	buildInputs = [ pkgs.makeWrapper ];
	17	} ''
	18	mkdir -p $out
	19	cp ${./scan_reported_mails} $out/scan_reported_mails
	20	patchShebangs $out
	21	for i in $out/*; do
	22	wrapProgram "$i" --prefix PATH : ${lib.makeBinPath [ pkgs.coreutils pkgs.rspamd pkgs.flock ]}
	23	done
a929614f	24	'';
8415083e IB	25	in
	26	[ "/20 * * * vhost ${cron_script}/scan_reported_mails" ];
	27
850adcf4	28	systemd.services.rspamd.serviceConfig.Slice = "mail.slice";
1a64deeb	29	systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "vhost" ];
8415083e IB	30	services.rspamd = {
8415083e IB	31	enable = true;
34a16461	32	debug = false;
8415083e IB	33	overrides = {
	34	"actions.conf".text = ''
	35	reject = null;
	36	add_header = 6;
	37	greylist = null;
	38	'';
	39	"milter_headers.conf".text = ''
	40	extended_spam_headers = true;
a929614f	41	'';
8415083e IB	42	};
8415083e IB	43	locals = {
e612b869 IB	44	"composites.conf".text = ''
	45	# Local delivered e-mails have both SMTP AUTH and only one Received
	46	"LOCAL_DELIVERED_EMAILS" = {
	47	expression = "RCVD_VIA_SMTP_AUTH and ONCE_RECEIVED";
	48	score = -10.0;
	49	}
	50	'';
8415083e	51	"redis.conf".text = ''
ab8f306d IB	52	servers = "${config.myEnv.mail.rspamd.redis.socket}";
ab8f306d IB	53	db = "${config.myEnv.mail.rspamd.redis.db}";
8415083e IB	54	'';
	55	"classifier-bayes.conf".text = ''
	56	users_enabled = true;
a929614f	57	backend = "redis";
ab8f306d IB	58	servers = "${config.myEnv.mail.rspamd.redis.socket}";
ab8f306d IB	59	database = "${config.myEnv.mail.rspamd.redis.db}";
8415083e IB	60	autolearn = true;
	61	cache {
	62	backend = "redis";
a929614f	63	}
8415083e IB	64	new_schema = true;
	65	statfile {
	66	BAYES_HAM {
	67	spam = false;
	68	}
	69	BAYES_SPAM {
	70	spam = true;
	71	}
a929614f	72	}
8415083e IB	73	'';
	74	};
	75	workers = {
	76	controller = {
	77	extraConfig = ''
ab8f306d IB	78	enable_password = "${config.myEnv.mail.rspamd.write_password_hashed}";
ab8f306d IB	79	password = "${config.myEnv.mail.rspamd.read_password_hashed}";
8415083e IB	80	'';
	81	bindSockets = [ {
	82	socket = config.myServices.mail.rspamd.sockets.worker-controller;
	83	mode = "0660";
	84	owner = config.services.rspamd.user;
	85	group = "vhost";
	86	} ];
	87	};
	88	};
	89	postfix = {
	90	enable = true;
	91	config = {};
a929614f	92	};
a929614f IB	93	};
	94	};
	95	}