nixos-config/hosts/falkenstein/modules/mail/rspamd.nix

{ config, pkgs, ... }:
{
  users.users.rspamd.extraGroups = [ "redis-rspamd" ];
  services = {
    rspamd = {
      enable = true;
      postfix.enable = true;
      locals = {
        "worker-controller.inc".text = ''
          secure_ip = "0.0.0.0/0";
          bind_socket = "0.0.0.0:11334";
        '';
        "redis.conf".text = ''
          read_servers = "/run/redis-rspamd/redis.sock";
          write_servers = "/run/redis-rspamd/redis.sock";
        '';
        "milter_headers.conf".text = ''
          use = ["x-spam-level", "x-spam-status", "x-spamd-result", "authentication-results" ];
        '';
        "dmarc.conf".text = ''
          reporting {
            enabled = true;
            email = 'reports@${config.networking.domain}';
            domain = '${config.networking.domain}';
            org_name = '${config.networking.domain}';
            from_name = 'DMARC Aggregate Report';
          }
        '';
        "dkim_signing.conf".text = ''
          selector = "rspamd";
          allow_username_mismatch = true;
          path = /var/lib/rspamd/dkim/$domain.key;
        '';
      };
    };
    redis = {
      vmOverCommit = true;
      servers.rspamd = {
        enable = true;
      };
    };
    caddy.virtualHosts."rspamd.${config.networking.domain}".extraConfig = ''

      # for some reason this only works with http and not with https so we send every request through our wireguard tunnel
      reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000 

      # forward authentication to authentik
      forward_auth http://nuc.vpn.rfive.de:9000 {
        uri /outpost.goauthentik.io/auth/caddy

        # capitalization of the headers is important, otherwise they will be empty
        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
      }

      reverse_proxy 127.0.0.1:11334
    '';
  };
  networking.firewall.allowedTCPPorts = [ 11334 ];
  systemd = {
    services.rspamd-dmarc-report = {
      description = "rspamd dmarc reporter";
      serviceConfig = {
        Type = "oneshot";
        ExecStart = "${pkgs.rspamd}/bin/rspamadm dmarc_report -v";
        User = "rspamd";
        Group = "rspamd";
      };
      startAt = "daily";
    };
  };
}
mail: split into modules 2024-03-12 17:07:33 +01:00			`{ config, pkgs, ... }:`
			`{`
			`users.users.rspamd.extraGroups = [ "redis-rspamd" ];`
			`services = {`
			`rspamd = {`
			`enable = true;`
			`postfix.enable = true;`
			`locals = {`
			`"worker-controller.inc".text = ''`
rspamd: authenticate via sso 2024-05-24 00:22:19 +02:00			`secure_ip = "0.0.0.0/0";`
more monitoring 2024-05-31 14:51:58 +02:00			`bind_socket = "0.0.0.0:11334";`
mail: split into modules 2024-03-12 17:07:33 +01:00			`'';`
			`"redis.conf".text = ''`
			`read_servers = "/run/redis-rspamd/redis.sock";`
			`write_servers = "/run/redis-rspamd/redis.sock";`
			`'';`
			`"milter_headers.conf".text = ''`
			`use = ["x-spam-level", "x-spam-status", "x-spamd-result", "authentication-results" ];`
			`'';`
			`"dmarc.conf".text = ''`
			`reporting {`
			`enabled = true;`
			`email = 'reports@${config.networking.domain}';`
			`domain = '${config.networking.domain}';`
			`org_name = '${config.networking.domain}';`
			`from_name = 'DMARC Aggregate Report';`
			`}`
			`'';`
			`"dkim_signing.conf".text = ''`
			`selector = "rspamd";`
			`allow_username_mismatch = true;`
			`path = /var/lib/rspamd/dkim/$domain.key;`
			`'';`
			`};`
			`};`
			`redis = {`
			`vmOverCommit = true;`
			`servers.rspamd = {`
			`enable = true;`
			`};`
			`};`
falkenstein: switch to caddy 2024-05-23 15:44:49 +02:00			`caddy.virtualHosts."rspamd.${config.networking.domain}".extraConfig = ''`
rspamd: authenticate via sso 2024-05-24 00:22:19 +02:00
			`# for some reason this only works with http and not with https so we send every request through our wireguard tunnel`
			`reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000`

			`# forward authentication to authentik`
			`forward_auth http://nuc.vpn.rfive.de:9000 {`
			`uri /outpost.goauthentik.io/auth/caddy`

			`# capitalization of the headers is important, otherwise they will be empty`
			`copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version`
			`}`

falkenstein: switch to caddy 2024-05-23 15:44:49 +02:00			`reverse_proxy 127.0.0.1:11334`
			`'';`
mail: split into modules 2024-03-12 17:07:33 +01:00			`};`
more monitoring 2024-05-31 14:51:58 +02:00			`networking.firewall.allowedTCPPorts = [ 11334 ];`
mail: split into modules 2024-03-12 17:07:33 +01:00			`systemd = {`
			`services.rspamd-dmarc-report = {`
			`description = "rspamd dmarc reporter";`
			`serviceConfig = {`
			`Type = "oneshot";`
			`ExecStart = "${pkgs.rspamd}/bin/rspamadm dmarc_report -v";`
			`User = "rspamd";`
			`Group = "rspamd";`
			`};`
			`startAt = "daily";`
			`};`
			`};`
			`}`