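{ config, pkgs, ... }:
let
  # Unix socket of the redis instance dedicated to rspamd (services.redis.servers.rspamd
  # below). rspamd is added to the redis-rspamd group so it may open this socket.
  redisSocket = "/run/redis-rspamd/redis.sock";
  # Authentik outpost, reached over the wireguard tunnel. Plain HTTP: the tunnel is
  # what protects this hop, see the Caddy virtual host below.
  authentikOutpost = "http://nuc.vpn.rfive.de:9000";
  domain = config.networking.domain;
in
{
  users.users.rspamd.extraGroups = [ "redis-rspamd" ];

  services = {
    rspamd = {
      enable = true;
      postfix.enable = true;

      locals = {
        # Controller worker (web UI / API: config, history, bayes learning, scan).
        # It is bound to loopback only and is reached exclusively through the Caddy
        # virtual host below, which enforces authentik forward_auth. secure_ip marks
        # loopback as trusted so requests arriving via Caddy need no controller
        # password -- which is exactly why the port must NOT be reachable any other
        # way (previously it listened on 0.0.0.0 with secure_ip = 0.0.0.0/0 and the
        # firewall opened 11334 to everyone, i.e. an unauthenticated admin UI).
        # If direct access from the VPN is wanted, bind an extra socket to the
        # wireguard address and open the port only on that interface
        # (networking.firewall.interfaces.<wg>.allowedTCPPorts), not globally.
        "worker-controller.inc".text = ''
          secure_ip = [ "127.0.0.1", "::1" ];
          bind_socket = "127.0.0.1:11334";
        '';

        "redis.conf".text = ''
          read_servers = "${redisSocket}";
          write_servers = "${redisSocket}";
        '';

        "milter_headers.conf".text = ''
          use = ["x-spam-level", "x-spam-status", "x-spamd-result", "authentication-results" ];
        '';

        # Aggregate DMARC reports are generated from redis by the daily
        # rspamd-dmarc-report service below and sent from reports@<domain>.
        "dmarc.conf".text = ''
          reporting {
            enabled = true;
            email = 'reports@${domain}';
            domain = '${domain}';
            org_name = '${domain}';
            from_name = 'DMARC Aggregate Report';
          }
        '';

        # DKIM signing with one key per domain: /var/lib/rspamd/dkim/<domain>.key
        # ($domain is substituted by rspamd, not by Nix). allow_username_mismatch
        # lets an authenticated SMTP user send (and get signed) mail whose From:
        # domain differs from the user's login domain -- every local user can thus
        # sign for every domain that has a key here. Keep this in mind when adding
        # accounts; set it to false if accounts should only sign their own domain.
        "dkim_signing.conf".text = ''
          selector = "rspamd";
          allow_username_mismatch = true;
          path = "/var/lib/rspamd/dkim/$domain.key";
        '';

        "reputation.conf".text = ''
          rules {
            ip_reputation = {
              selector "ip" {
              }
              backend "redis" {
                servers = "${redisSocket}";
              }
              symbol = "IP_REPUTATION";
            }
            spf_reputation = {
              selector "spf" {
              }
              backend "redis" {
                servers = "${redisSocket}";
              }
              symbol = "SPF_REPUTATION";
            }
            dkim_reputation = {
              selector "dkim" {
              }
              backend "redis" {
                servers = "${redisSocket}";
              }
              symbol = "DKIM_REPUTATION"; # Also adjusts scores for DKIM_ALLOW, DKIM_REJECT
            }
            generic_reputation = {
              selector "generic" {
                selector = "ip"; # see https://rspamd.com/doc/configuration/selectors.html
              }
              backend "redis" {
                servers = "${redisSocket}";
              }
              symbol = "GENERIC_REPUTATION";
            }
          }
        '';

        "groups.conf".text = ''
          group "reputation" {
            symbols = {
              "IP_REPUTATION_HAM" {
                weight = 1.0;
              }
              "IP_REPUTATION_SPAM" {
                weight = 4.0;
              }
              "DKIM_REPUTATION" {
                weight = 1.0;
              }
              "SPF_REPUTATION_HAM" {
                weight = 1.0;
              }
              "SPF_REPUTATION_SPAM" {
                weight = 2.0;
              }
              "GENERIC_REPUTATION" {
                weight = 1.0;
              }
            }
          }
        '';
      };
    };

    redis = {
      # NOTE: this sets vm.overcommit_memory=1 system-wide, not just for this instance.
      vmOverCommit = true;
      servers.rspamd = {
        enable = true;
      };
    };

    # Web UI for the controller. forward_auth against authentik is the only
    # authentication in front of the controller (see worker-controller.inc), so
    # nothing may bypass this virtual host.
    caddy.virtualHosts."rspamd.${domain}".extraConfig = ''
      # for some reason this only works with http and not with https so we send every
      # request through our wireguard tunnel
      reverse_proxy /outpost.goauthentik.io/* ${authentikOutpost}

      # forward authentication to authentik
      forward_auth ${authentikOutpost} {
        uri /outpost.goauthentik.io/auth/caddy
        # capitalization of the headers is important, otherwise they will be empty
        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
      }

      reverse_proxy 127.0.0.1:11334
    '';
  };

  # Deliberately no firewall opening for 11334: the controller is loopback-only and
  # is reached through Caddy (80/443) after authentik authentication.

  systemd = {
    services.rspamd-dmarc-report = {
      description = "rspamd dmarc reporter";
      serviceConfig = {
        Type = "oneshot";
        ExecStart = "${pkgs.rspamd}/bin/rspamadm dmarc_report -v";
        # Runs as the rspamd user; its redis-rspamd supplementary group grants
        # access to the redis socket holding the collected DMARC data.
        User = "rspamd";
        Group = "rspamd";
        PrivateTmp = true;
        NoNewPrivileges = true;
        ProtectHome = true;
      };
      startAt = "daily";
    };
    # Catch up on a missed daily run (e.g. after a reboot) instead of skipping it.
    timers.rspamd-dmarc-report.timerConfig.Persistent = true;
  };
}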