{ config, pkgs, ... }:
{
users.users.rspamd.extraGroups = [ "redis-rspamd" ];
services = {
rspamd = {
enable = true;
postfix.enable = true;
locals = {
"worker-controller.inc".text = ''
secure_ip = [ "0.0.0.0/0", "::/0"];
bind_socket = "0.0.0.0:11334";
'';
"redis.conf".text = ''
read_servers = "/run/redis-rspamd/redis.sock";
write_servers = "/run/redis-rspamd/redis.sock";
'';
"milter_headers.conf".text = ''
use = ["x-spam-level", "x-spam-status", "x-spamd-result", "authentication-results" ];
'';
"dmarc.conf".text = ''
reporting {
enabled = true;
email = 'reports@${config.networking.domain}';
domain = '${config.networking.domain}';
org_name = '${config.networking.domain}';
from_name = 'DMARC Aggregate Report';
}
'';
"dkim_signing.conf".text = ''
selector = "rspamd";
allow_username_mismatch = true;
path = /var/lib/rspamd/dkim/$domain.key;
'';
"reputation.conf".text = ''
rules {
ip_reputation = {
selector "ip" {
}
backend "redis" {
servers = "/run/redis-rspamd/redis.sock";
}
symbol = "IP_REPUTATION";
}
spf_reputation = {
selector "spf" {
}
backend "redis" {
servers = "/run/redis-rspamd/redis.sock";
}
symbol = "SPF_REPUTATION";
}
dkim_reputation = {
selector "dkim" {
}
backend "redis" {
servers = "/run/redis-rspamd/redis.sock";
}
symbol = "DKIM_REPUTATION"; # Also adjusts scores for DKIM_ALLOW, DKIM_REJECT
}
generic_reputation = {
selector "generic" {
selector = "ip"; # see https://rspamd.com/doc/configuration/selectors.html
}
backend "redis" {
servers = "/run/redis-rspamd/redis.sock";
}
symbol = "GENERIC_REPUTATION";
}
}
'';
"groups.conf".text = ''
group "reputation" {
symbols = {
"IP_REPUTATION_HAM" {
weight = 1.0;
}
"IP_REPUTATION_SPAM" {
weight = 4.0;
}
"DKIM_REPUTATION" {
weight = 1.0;
}
"SPF_REPUTATION_HAM" {
weight = 1.0;
}
"SPF_REPUTATION_SPAM" {
weight = 2.0;
}
"GENERIC_REPUTATION" {
weight = 1.0;
}
}
}
'';
};
};
redis = {
vmOverCommit = true;
servers.rspamd = {
enable = true;
};
};
caddy.virtualHosts."rspamd.${config.networking.domain}".extraConfig = ''
# for some reason this only works with http and not with https so we send every request through our wireguard tunnel
reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000
# forward authentication to authentik
forward_auth http://nuc.vpn.rfive.de:9000 {
uri /outpost.goauthentik.io/auth/caddy
# capitalization of the headers is important, otherwise they will be empty
copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
}
reverse_proxy 127.0.0.1:11334
'';
};
networking.firewall.allowedTCPPorts = [ 11334 ];
systemd = {
services.rspamd-dmarc-report = {
description = "rspamd dmarc reporter";
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.rspamd}/bin/rspamadm dmarc_report -v";
User = "rspamd";
Group = "rspamd";
};
startAt = "daily";
};
};
}