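# NixOS module: rspamd-based spam filtering and DKIM signing for the jalr
# mailserver. Active whenever the mailserver is enabled unless
# `jalr.mailserver.spam.enable` is explicitly set to false.
{ config, lib, pkgs, ... }:

let
  cfg = config.jalr.mailserver;

  # Generate DKIM keys:
  #   nix shell nixpkgs#rspamd -c \
  #     rspamadm dkim_keygen -s default -d example.com -b 4096 -k /dev/shm/dkim.key > dkim.txt
  # The private key is stored in the host's sops file under
  # "dkim-keys/<domain>.<selector>"; dkim.txt holds the DNS TXT record to publish.

  # Domains from cfg.domains that opted into signing via their `enableDKIM`
  # flag (the domain option itself is declared in another module).
  dkimEnabledDomains = lib.filter (d: d.enableDKIM) cfg.domains;

  # Naming helpers shared by the secret declaration, the key directory and the
  # rspamd configuration, so the three can never drift apart.
  dkimSecretName = d: "dkim-keys/${d.domain}.${d.DKIMSelector}";
  dkimKeyFileName = d: "${d.domain}.${d.DKIMSelector}.key";

  # Every rspamd secret comes from the per-host sops file.
  hostSecretsFile = ../../hosts + "/${config.networking.hostName}/secrets.yaml";

  # Directory of symlinks <domain>.<selector>.key -> sops-managed key path.
  # Only the symlinks land in the world-readable Nix store; the key material
  # stays at the sops path, which is owned by the rspamd user (see sops.secrets).
  dkimSignatureDir = pkgs.stdenvNoCC.mkDerivation {
    name = "dkim-signatures";
    dontUnpack = true;
    installPhase = lib.concatStringsSep "\n" (
      [ "mkdir $out" ]
      ++ map
        (d: "ln -s ${config.sops.secrets.${dkimSecretName d}.path} $out/${dkimKeyFileName d}")
        dkimEnabledDomains
    );
  };

  # Per-domain dkim_signing entries. Without these, the global
  # `selector = "default"` below would make rspamd look for
  # <domain>.default.key, which does not exist for a domain whose
  # DKIMSelector is anything other than "default".
  # NOTE(review): assumes each cfg.domains entry is the eSLD rspamd looks up
  # (use_esld = true) — confirm against the domain option.
  dkimDomainConfig = lib.concatMapStringsSep "\n" (d: ''
    "${d.domain}" {
      selector = "${d.DKIMSelector}";
      path = "${dkimSignatureDir}/${dkimKeyFileName d}";
    }
  '') dkimEnabledDomains;
in
{
  options.jalr.mailserver.spam = {
    # Defaults to on; mkEnableOption alone would default to false.
    enable = lib.mkEnableOption "spam filtering" // { default = true; };
  };

  config = lib.mkIf (cfg.enable && cfg.spam.enable) {
    # One secret per DKIM-enabled domain plus the controller worker include.
    # All are owned by the rspamd user so only that service can read them.
    sops.secrets =
      lib.listToAttrs (map
        (d: lib.nameValuePair (dkimSecretName d) {
          owner = config.users.users.rspamd.name;
          sopsFile = hostSecretsFile;
        })
        dkimEnabledDomains)
      // {
        # Full worker-controller.inc, which carries the controller password.
        rspamd-worker-controller = {
          owner = config.users.users.rspamd.name;
          sopsFile = hostSecretsFile;
        };
      };

    services.rspamd = {
      enable = true;
      postfix.enable = true;

      workers = {
        # Scanning worker: reachable only through a group-restricted unix socket.
        normal = {
          includes = [ "$CONFDIR/worker-normal.inc" ];
          bindSockets = lib.singleton {
            socket = "/run/rspamd/rspamd.sock";
            mode = "0660";
            owner = config.services.rspamd.user;
            group = config.services.rspamd.group;
          };
        };
        # Controller (web UI / admin API): loopback only; its password comes
        # from the sops-provided worker-controller.inc in `locals` below.
        controller = {
          includes = [ "$CONFDIR/worker-controller.inc" ];
          bindSockets = [ "127.0.0.1:11334" ];
        };
      };

      locals = {
        "dkim_signing.conf".text = ''
          enabled = true;
          # Global fallback (try_fallback = true) for domains without an explicit
          # entry in `domain`: <domain>.<selector>.key inside the symlink directory.
          path = "${dkimSignatureDir}/$domain.$selector.key";
          selector = "default";
          # Explicit selector/key pairs generated from cfg.domains.
          domain {
            ${dkimDomainConfig}
          }
          allow_envfrom_empty = true;
          allow_hdrfrom_mismatch = false;
          allow_hdrfrom_multiple = false;
          allow_username_mismatch = false;
          sign_authenticated = true;
          sign_local = true;
          symbol = "DKIM_SIGNED";
          try_fallback = true;
          use_domain = "header";
          use_esld = true;
          use_redis = false;
          key_prefix = "DKIM_KEYS";
          # Verify the private key against the published DNS record before signing.
          check_pubkey = true;
          allow_pubkey_mismatch = false;
        '';

        "logging.inc".text = ''
          # rspamd's own default starts at info and drops to notice once started
          # up; logging is silenced here. Raise the level and enable
          # debug_modules when troubleshooting signing.
          level = "silent";
          #debug_modules = ["dkim_signing"];
        '';

        "milter_headers.conf".text = ''
          extended_spam_headers = true;
        '';

        # Operator-maintained block lists; the map files live outside the store
        # so they can be edited without a rebuild.
        "multimap.conf".text = ''
          SENDER_BLOCKED {
            type = "from";
            filter = "email:addr";
            map = "/var/lib/rspamd/blocked_senders.map";
            symbol = "SENDER_BLOCKED";
            description = "Sender’s address is manually blocked";
            prefilter = true;
            action = "reject";
            score = 30.0;
          }
          SENDER_DOMAIN_BLOCKED {
            type = "from";
            filter = "email:domain:tld";
            map = "/var/lib/rspamd/blocked_sender_domains.map";
            symbol = "SENDER_DOMAIN_BLOCKED";
            description = "Sender’s effective second level domain is manually blocked";
            score = 8.0;
          }
        '';

        # Dedicated local redis instance (declared below).
        "redis.conf".text = ''
          servers = "127.0.0.1:${toString config.services.redis.servers.rspamd.port}"
        '';

        "worker-controller.inc".source = config.sops.secrets.rspamd-worker-controller.path; # includes password
      };
    };

    services.redis = {
      vmOverCommit = true;
      servers.rspamd = {
        enable = true;
        port = 6379;
      };
    };
  };
}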