aboutsummaryrefslogtreecommitdiff
path: root/systems/eldiron/mail/rspamd.nix
blob: 8a2b5f3348614a1bc7bef60d0ae161363689910f (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
{ lib, pkgs, config, ... }:
{
  options.myServices.mail.rspamd.sockets = lib.mkOption {
    type = lib.types.attrsOf lib.types.path;
    default = {
      worker-controller = "/run/rspamd/worker-controller.sock";
    };
    readOnly = true;
    description = ''
      rspamd sockets
      '';
  };
  config = lib.mkIf config.myServices.mail.enable {
    services.cron.systemCronJobs = let
      cron_script = pkgs.runCommand "cron_script" {
        buildInputs = [ pkgs.makeWrapper ];
      } ''
        mkdir -p $out
        cp ${./scan_reported_mails} $out/scan_reported_mails
        patchShebangs $out
        for i in $out/*; do
          wrapProgram "$i" --prefix PATH : ${lib.makeBinPath [ pkgs.coreutils pkgs.rspamd pkgs.flock ]}
        done
        '';
    in
      [ "*/20 * * * * vhost ${cron_script}/scan_reported_mails" ];

    systemd.services.rspamd.serviceConfig.Slice = "mail.slice";
    systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "vhost" ];
    services.rspamd = {
      enable = true;
      debug = false;
      overrides = {
        "actions.conf".text = ''
          reject = null;
          add_header = 6;
          greylist = null;
          '';
        "milter_headers.conf".text = ''
          extended_spam_headers = true;
        '';
      };
      locals = {
        "composites.conf".text = ''
          # Local delivered e-mails have both SMTP AUTH and only one Received
          "LOCAL_DELIVERED_EMAILS" = {
            expression = "RCVD_VIA_SMTP_AUTH and ONCE_RECEIVED";
            score = -10.0;
          }
        '';
        "redis.conf".text = ''
          servers = "${config.myEnv.mail.rspamd.redis.socket}";
          db = "${config.myEnv.mail.rspamd.redis.db}";
          '';
        "classifier-bayes.conf".text = ''
          users_enabled = true;
          backend = "redis";
          servers = "${config.myEnv.mail.rspamd.redis.socket}";
          database = "${config.myEnv.mail.rspamd.redis.db}";
          autolearn = true;
          cache {
            backend = "redis";
          }
          new_schema = true;
          statfile {
            BAYES_HAM {
              spam = false;
            }
            BAYES_SPAM {
              spam = true;
            }
          }
          '';
      };
      workers = {
        controller = {
          extraConfig = ''
            enable_password = "${config.myEnv.mail.rspamd.write_password_hashed}";
            password = "${config.myEnv.mail.rspamd.read_password_hashed}";
          '';
          bindSockets = [ {
            socket = config.myServices.mail.rspamd.sockets.worker-controller;
            mode = "0660";
            owner = config.services.rspamd.user;
            group = "vhost";
          } ];
        };
      };
      postfix = {
        enable = true;
        config = {};
      };
    };
  };
}