nixos-config/hosts/falkenstein/modules/mail/rspamd.nix

{ config, pkgs, ... }:
{
  users.users.rspamd.extraGroups = [ "redis-rspamd" ];
  services = {
    rspamd = {
      enable = true;
      postfix.enable = true;
      locals = {
        "worker-controller.inc".text = ''
          secure_ip = "0.0.0.0/0";
          bind_socket = "0.0.0.0:11334";
        '';
        "redis.conf".text = ''
          read_servers = "/run/redis-rspamd/redis.sock";
          write_servers = "/run/redis-rspamd/redis.sock";
        '';
        "milter_headers.conf".text = ''
          use = ["x-spam-level", "x-spam-status", "x-spamd-result", "authentication-results" ];
        '';
        "dmarc.conf".text = ''
          reporting {
            enabled = true;
            email = 'reports@${config.networking.domain}';
            domain = '${config.networking.domain}';
            org_name = '${config.networking.domain}';
            from_name = 'DMARC Aggregate Report';
          }
        '';
        "dkim_signing.conf".text = ''
          selector = "rspamd";
          allow_username_mismatch = true;
          path = /var/lib/rspamd/dkim/$domain.key;
        '';
      };
    };
    redis = {
      vmOverCommit = true;
      servers.rspamd = {
        enable = true;
      };
    };
    caddy.virtualHosts."rspamd.${config.networking.domain}".extraConfig = ''

      # for some reason this only works with http and not with https so we send every request through our wireguard tunnel
      reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000 

      # forward authentication to authentik
      forward_auth http://nuc.vpn.rfive.de:9000 {
        uri /outpost.goauthentik.io/auth/caddy

        # capitalization of the headers is important, otherwise they will be empty
        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
      }

      reverse_proxy 127.0.0.1:11334
    '';
  };
  networking.firewall.allowedTCPPorts = [ 11334 ];
  systemd = {
    services.rspamd-dmarc-report = {
      description = "rspamd dmarc reporter";
      serviceConfig = {
        Type = "oneshot";
        ExecStart = "${pkgs.rspamd}/bin/rspamadm dmarc_report -v";
        User = "rspamd";
        Group = "rspamd";
      };
      startAt = "daily";
    };
  };
}