Put services in slices in systemd
# NixOS module for the rspamd part of the mail stack: it declares the
# controller socket path, schedules the reported-mail scan, and configures
# rspamd itself (actions, Redis-backed Bayes, controller worker, postfix hook).
{ lib, pkgs, config, ... }:
let
  mailCfg = config.myServices.mail;
  rspamdEnv = config.myEnv.mail.rspamd;

  # Redis endpoint shared by the generic redis settings and the Bayes classifier.
  # presumably a unix socket path, going by the attribute name; confirm in myEnv
  redisServers = rspamdEnv.redis.socket;
  redisDb = rspamdEnv.redis.db;

  # Store directory containing scan_reported_mails with its shebang patched and
  # PATH prefixed with coreutils, rspamd and flock, so the cron job does not
  # depend on whatever PATH cron happens to provide.
  cron_script = pkgs.runCommand "cron_script" {
    buildInputs = [ pkgs.makeWrapper ];
  } ''
    mkdir -p $out
    cp ${./scan_reported_mails} $out/scan_reported_mails
    patchShebangs $out
    for i in $out/*; do
      wrapProgram "$i" --prefix PATH : ${lib.makeBinPath [ pkgs.coreutils pkgs.rspamd pkgs.flock ]}
    done
  '';
in
{
  # Fixed (readOnly) map of rspamd socket paths that other modules can reference.
  options.myServices.mail.rspamd.sockets = lib.mkOption {
    type = lib.types.attrsOf lib.types.path;
    default = {
      worker-controller = "/run/rspamd/worker-controller.sock";
    };
    readOnly = true;
    description = ''
      rspamd sockets
    '';
  };

  # Everything below only applies when the mail service is enabled.
  config = lib.mkIf mailCfg.enable {
    # presumably an include rule ("+ path") in the backup profile's file list,
    # so rspamd state in /var/lib/rspamd is backed up; confirm against duplyBackup
    services.duplyBackup.profiles.mail.excludeFile = ''
      + /var/lib/rspamd
    '';

    # System crontab entry: every 20 minutes, as user `vhost`.
    services.cron.systemCronJobs = [
      "*/20 * * * * vhost ${cron_script}/scan_reported_mails"
    ];

    # Run rspamd inside the mail slice.
    systemd.services.rspamd.serviceConfig.Slice = "mail.slice";

    services.rspamd = {
      enable = true;
      debug = false;

      overrides = {
        # reject and greylist are set to null, leaving add_header (score 6) as
        # the only action configured here: mail is tagged, never refused.
        # NOTE(review): filtering then relies on whatever consumes the added
        # headers downstream; confirm that such a consumer exists.
        "actions.conf".text = ''
          reject = null;
          add_header = 6;
          greylist = null;
        '';
        "milter_headers.conf".text = ''
          extended_spam_headers = true;
        '';
      };

      locals = {
        "redis.conf".text = ''
          servers = "${redisServers}";
          db = "${redisDb}";
        '';
        # Bayes statistics and learn cache live in Redis, with per-user
        # statistics (users_enabled) and automatic learning switched on.
        # NOTE(review): autolearn trains the classifier from rspamd's own
        # verdicts, and no autolearn thresholds are set in this file; confirm
        # the defaults are acceptable for this deployment.
        "classifier-bayes.conf".text = ''
          users_enabled = true;
          backend = "redis";
          servers = "${redisServers}";
          database = "${redisDb}";
          autolearn = true;
          cache {
            backend = "redis";
          }
          new_schema = true;
          statfile {
            BAYES_HAM {
              spam = false;
            }
            BAYES_SPAM {
              spam = true;
            }
          }
        '';
      };

      workers.controller = {
        # These values are interpolated into the generated rspamd configuration,
        # which lands in the Nix store (world-readable on a default NixOS
        # system), so they must be password hashes and never plaintext. The
        # attribute names suggest they are; verify in myEnv.
        extraConfig = ''
          enable_password = "${rspamdEnv.write_password_hashed}";
          password = "${rspamdEnv.read_password_hashed}";
        '';
        # Controller is reachable only through a unix socket: mode 0660, owned
        # by the rspamd user, group `vhost` (the user the cron job runs as).
        # NOTE(review): rspamd is understood to accept controller connections
        # arriving over a unix socket without asking for the password; confirm.
        # If so, these permissions are the effective access control and any
        # process running as `vhost` gets controller access.
        bindSockets = [
          {
            socket = mailCfg.rspamd.sockets.worker-controller;
            mode = "0660";
            owner = config.services.rspamd.user;
            group = "vhost";
          }
        ];
      };

      # Postfix integration is enabled with an empty settings set.
      # presumably the milter settings for postfix are declared elsewhere; confirm
      postfix = {
        enable = true;
        config = {};
      };
    };
  };
}