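{ config, pkgs, ... }:
# NixOS module: rspamd behind Postfix, with a dedicated redis instance, a
# Caddy-fronted web UI authenticated via an authentik outpost, and a daily
# DMARC aggregate-report job.
let
  domain = config.networking.domain;
  # authentik outpost; the Caddyfile comment below explains why this is plain
  # http (the host is reached through the wireguard tunnel). Bound once so the
  # two Caddy directives that use it cannot drift apart.
  authentikOutpost = "http://nuc.vpn.rfive.de:9000";
in
{
  # rspamd reaches redis over the unix socket under /run/redis-rspamd (see
  # redis.conf below); membership in the redis-rspamd group grants that access.
  users.users.rspamd.extraGroups = [ "redis-rspamd" ];

  services = {
    rspamd = {
      enable = true;
      postfix.enable = true;
      locals = {
        # NOTE(security): secure_ip = 0.0.0.0/0 means the controller treats
        # every source address as trusted and answers without its password to
        # anything that can reach its listening socket. Access control for the
        # web UI therefore rests entirely on the controller's bind address
        # (not set here; check the module default) and on Caddy's forward_auth
        # below -- other local processes on this host are not covered by that.
        # This was left as-is rather than narrowed to Caddy's loopback address
        # because rspamd presumably also checks X-Forwarded-For against
        # secure_ip, which the proxy sets to the external client -- TODO confirm
        # against the rspamd controller docs before tightening.
        "worker-controller.inc".text = ''
          secure_ip = "0.0.0.0/0";
        '';
        "redis.conf".text = ''
          read_servers = "/run/redis-rspamd/redis.sock";
          write_servers = "/run/redis-rspamd/redis.sock";
        '';
        # headers added to scanned mail for downstream filtering
        "milter_headers.conf".text = ''
          use = ["x-spam-level", "x-spam-status", "x-spamd-result", "authentication-results" ];
        '';
        # DMARC aggregate reporting; the reports are sent out by the
        # rspamd-dmarc-report unit defined further down.
        "dmarc.conf".text = ''
          reporting {
            enabled = true;
            email = 'reports@${domain}';
            domain = '${domain}';
            org_name = '${domain}';
            from_name = 'DMARC Aggregate Report';
          }
        '';
        # allow_username_mismatch = true is a deliberate relaxation: mail is
        # signed even when the authenticated SMTP username does not match the
        # sender domain. `$domain` in the key path is expanded by rspamd, not
        # by Nix (Nix only interpolates `''${...}`); the path is unquoted while
        # the other values here are quoted -- consider quoting it for consistency.
        "dkim_signing.conf".text = ''
          selector = "rspamd";
          allow_username_mismatch = true;
          path = /var/lib/rspamd/dkim/$domain.key;
        '';
      };
    };

    redis = {
      vmOverCommit = true;
      servers.rspamd = { enable = true; };
    };

    # Web UI: every request is authenticated by the authentik outpost before
    # being proxied to the rspamd controller on loopback.
    caddy.virtualHosts."rspamd.${domain}".extraConfig = ''
      # for some reason this only works with http and not with https so we send every request through our wireguard tunnel
      reverse_proxy /outpost.goauthentik.io/* ${authentikOutpost}
      # forward authentication to authentik
      forward_auth ${authentikOutpost} {
        uri /outpost.goauthentik.io/auth/caddy
        # capitalization of the headers is important, otherwise they will be empty
        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
      }
      reverse_proxy 127.0.0.1:11334
    '';
  };

  # Daily oneshot that sends the DMARC aggregate reports. It runs as the rspamd
  # user so it can use the redis socket configured above.
  systemd.services.rspamd-dmarc-report = {
    description = "rspamd dmarc reporter";
    # dmarc_report presumably reads the collected data from the redis instance
    # above, so order the job after it (harmless if that unit is absent).
    after = [ "redis-rspamd.service" ];
    serviceConfig = {
      Type = "oneshot";
      ExecStart = "${pkgs.rspamd}/bin/rspamadm dmarc_report -v";
      User = "rspamd";
      Group = "rspamd";
    };
    startAt = "daily";
  };
}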