nixos-config/config/services/rspamd.nix

{
  config,
  lib,
  pkgs,
  ...
}: {
  services = {
    # TODO: Antivirus

    rspamd = {
      enable = true;
      locals = {
        "dkim_signing.conf".text = ''
          domain {
            "darkkirb.de" {
              selector = "dkim";
              path = "${config.sops.secrets."services/rspamd/dkim/darkkirb.de".path}";
            }
            "miifox.net" {
              selector = "dkim";
              path = "${config.sops.secrets."services/rspamd/dkim/miifox.net".path}";
            }
            "chir.rs" {
              selector = "dkim";
              path = "${config.sops.secrets."services/rspamd/dkim/chir.rs".path}";
            }
          }
        '';
        "dmarc.conf".text = ''
          actions {
            reject = "reject";
            quarantine = "quarantine";
            softfail = "add_header";
          }
        '';
        "greylist.conf".text = ''
          greylist_min_score = 0;
        '';
        "hfilter.conf".text = ''
          helo_enabled = true;
          hostname_enabled = true;
          url_enabled = true;
          from_enabled = true;
          rcpt_enabled = true;
          mid_enabled = true;
        '';
        "history.conf".text = ''
          nrows = 1000;
          subject_privacy = true;
        '';
        "milter.conf".text = ''
          use = [
            "authentication-results"
            "fuzzy-hashes"
            "spam-header"
            "stat-signature"
            "x-rspamd-queue-id"
            "x-rspamd-result"
            "x-rspamd-server"
            "x-rspamd-bar"
            "x-spam-status"
          ];
        '';
        "mx_check.conf".text = ''
          enabled = true;
        '';
        "neural.conf".text = ''
          enabled = true;
          rules {
            LONG {
              train {
                max_trains = 5000;
                max_usages = 200;
                max_iterations = 25;
                learning_rate = 0.01;
              }
              symbol_spam = "NEURAL_SPAM_LONG";
              symbol_ham = "NEURAL_HAM_LONG";
              ann_expire = "365d";
            }
            SHORT {
              train {
                max_trains = 5000;
                max_usages = 2;
                max_iterations = 25;
                learning_rate = 0.01;
              }
              symbol_spam = "NEURAL_SPAM_SHORT";
              symbol_ham = "NEURAL_HAM_SHORT";
              ann_expire = "30d";
            }
          }
        '';
        "neural_group.conf".text = ''
          symbols {
            NEURAL_SPAM_LONG {
              weight = 3.0; # sample weight
              description = "Neural network spam (long)";
            }
            NEURAL_HAM_LONG {
              weight = -3.0; # sample weight
              description = "Neural network ham (long)";
            }
            NEURAL_SPAM_SHORT {
              weight = 2.0; # sample weight
              description = "Neural network spam (short)";
            }
            NEURAL_HAM_SHORT {
              weight = -1.0; # sample weight
              description = "Neural network ham (short)";
            }
          }
        '';
        "phishing.conf".text = ''
          openphish_enabled = true;
        '';
        "reputation.conf".text = ''
          rules {
            ip_reputation {
              selector.type = "ip";
              backend.type = "redis";
              symbol = "IP_REPUTATION";
            }
            spf_reputation {
              selector.type = "spf";
              backend.type = "redis";
              symbol = "SPF_REPUTATION";
            }
            dkim_reputation {
              selector.type = "dkim";
              backend.type = "redis";
              symbol = "DKIM_REPUTATION";
            }
            asn_reputation {
              selector.type = "generic";
              selector.selector = "asn";
              backend.type = "redis";
              symbol = "ASN_REPUTATION";
            }
            country_reputation {
              selector.type = "generic";
              selector.selector = "country";
              backend.type = "redis";
              symbol = "COUNTRY_REPUTATION";
            }
          }
        '';
        "replies.conf".text = ''
          expire = "7d";
          symbol = "REPLY";
        '';
        "redis.conf".text = ''
          servers = "${config.services.redis.servers.rspamd.bind}:${toString config.services.redis.servers.rspamd.port}";
        '';
        "worker-controller.inc".text = ''
          password = "$2$xkox1hi3so3y61no8ps1enx7p56nh51s$tp8fjciao1goswpcze6g9bb9sbx3mf3kbik1iznybgia36d78jnb";
        '';
      };
      workers = {
        rspamd_proxy = {
          includes = ["$CONFDIR/worker-proxy.inc"];
          bindSockets = ["*:11332"];
        };
        normal = {
          includes = ["$CONFDIR/worker-normal.inc"];
          bindSockets = ["*:11333"];
        };
        controller = {
          includes = ["$CONFDIR/worker-controller.inc"];
          bindSockets = ["*:11334"];
        };
      };
    };
    redis.servers.rspamd = {
      enable = true;
      bind = "127.0.0.1";
      databases = 1;
      port = 6380;
      settings = {
        maxmemory = "500mb";
        maxmemory-policy = "volatile-ttl";
      };
    };
    caddy.virtualHosts."rspamd.int.chir.rs" = {
      useACMEHost = "int.chir.rs";
      logFormat = pkgs.lib.mkForce "";
      extraConfig = ''
        import baseConfig

        reverse_proxy http://127.0.0.1:11334
      '';
    };
  };
  sops.secrets."services/rspamd/dkim/darkkirb.de" = {owner = "rspamd";};
  sops.secrets."services/rspamd/dkim/miifox.net" = {owner = "rspamd";};
  sops.secrets."services/rspamd/dkim/chir.rs" = {owner = "rspamd";};
  networking.firewall.interfaces."wg0".allowedTCPPorts = [
    11332
    11333
    11334
    7980
  ];
  services.prometheus.exporters.rspamd.enable = true;
}
and rspamd config 2022-04-28 14:35:32 +00:00			`{`
reformat repo 2022-06-12 15:39:15 +00:00			`config,`
			`lib,`
Add privacy policy for akko.chir.rs 2022-12-30 14:44:49 +00:00			`pkgs,`
reformat repo 2022-06-12 15:39:15 +00:00			`...`
			`}: {`
enable redis for rspamd 2022-04-28 11:44:32 +00:00			`services = {`
and rspamd config 2022-04-28 14:35:32 +00:00			`# TODO: Antivirus`

enable redis for rspamd 2022-04-28 11:44:32 +00:00			`rspamd = {`
			`enable = true;`
			`locals = {`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`"dkim_signing.conf".text = ''`
			`domain {`
			`"darkkirb.de" {`
enable redis for rspamd 2022-04-28 11:44:32 +00:00			`selector = "dkim";`
			`path = "${config.sops.secrets."services/rspamd/dkim/darkkirb.de".path}";`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`}`
			`"miifox.net" {`
enable redis for rspamd 2022-04-28 11:44:32 +00:00			`selector = "dkim";`
			`path = "${config.sops.secrets."services/rspamd/dkim/miifox.net".path}";`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`}`
			`"chir.rs" {`
enable redis for rspamd 2022-04-28 11:44:32 +00:00			`selector = "dkim";`
			`path = "${config.sops.secrets."services/rspamd/dkim/chir.rs".path}";`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`}`
			`}`
			`'';`
			`"dmarc.conf".text = ''`
			`actions {`
and rspamd config 2022-04-28 14:35:32 +00:00			`reject = "reject";`
			`quarantine = "quarantine";`
			`softfail = "add_header";`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`}`
			`'';`
			`"greylist.conf".text = ''`
and rspamd config 2022-04-28 14:35:32 +00:00			`greylist_min_score = 0;`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`'';`
			`"hfilter.conf".text = ''`
and rspamd config 2022-04-28 14:35:32 +00:00			`helo_enabled = true;`
			`hostname_enabled = true;`
			`url_enabled = true;`
			`from_enabled = true;`
			`rcpt_enabled = true;`
			`mid_enabled = true;`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`'';`
			`"history.conf".text = ''`
and rspamd config 2022-04-28 14:35:32 +00:00			`nrows = 1000;`
			`subject_privacy = true;`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`'';`
			`"milter.conf".text = ''`
and rspamd config 2022-04-28 14:35:32 +00:00			`use = [`
			`"authentication-results"`
			`"fuzzy-hashes"`
			`"spam-header"`
			`"stat-signature"`
			`"x-rspamd-queue-id"`
			`"x-rspamd-result"`
			`"x-rspamd-server"`
			`"x-rspamd-bar"`
			`"x-spam-status"`
			`];`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`'';`
			`"mx_check.conf".text = ''`
and rspamd config 2022-04-28 14:35:32 +00:00			`enabled = true;`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`'';`
			`"neural.conf".text = ''`
and rspamd config 2022-04-28 14:35:32 +00:00			`enabled = true;`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`rules {`
			`LONG {`
			`train {`
and rspamd config 2022-04-28 14:35:32 +00:00			`max_trains = 5000;`
			`max_usages = 200;`
			`max_iterations = 25;`
			`learning_rate = 0.01;`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`}`
and rspamd config 2022-04-28 14:35:32 +00:00			`symbol_spam = "NEURAL_SPAM_LONG";`
			`symbol_ham = "NEURAL_HAM_LONG";`
			`ann_expire = "365d";`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`}`
			`SHORT {`
			`train {`
and rspamd config 2022-04-28 14:35:32 +00:00			`max_trains = 5000;`
			`max_usages = 2;`
			`max_iterations = 25;`
			`learning_rate = 0.01;`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`}`
and rspamd config 2022-04-28 14:35:32 +00:00			`symbol_spam = "NEURAL_SPAM_SHORT";`
			`symbol_ham = "NEURAL_HAM_SHORT";`
			`ann_expire = "30d";`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`}`
			`}`
			`'';`
			`"neural_group.conf".text = ''`
			`symbols {`
			`NEURAL_SPAM_LONG {`
			`weight = 3.0; # sample weight`
			`description = "Neural network spam (long)";`
			`}`
			`NEURAL_HAM_LONG {`
			`weight = -3.0; # sample weight`
			`description = "Neural network ham (long)";`
			`}`
			`NEURAL_SPAM_SHORT {`
			`weight = 2.0; # sample weight`
			`description = "Neural network spam (short)";`
			`}`
			`NEURAL_HAM_SHORT {`
			`weight = -1.0; # sample weight`
			`description = "Neural network ham (short)";`
			`}`
			`}`
			`'';`
			`"phishing.conf".text = ''`
and rspamd config 2022-04-28 14:35:32 +00:00			`openphish_enabled = true;`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`'';`
			`"reputation.conf".text = ''`
			`rules {`
			`ip_reputation {`
and rspamd config 2022-04-28 14:35:32 +00:00			`selector.type = "ip";`
			`backend.type = "redis";`
			`symbol = "IP_REPUTATION";`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`}`
			`spf_reputation {`
and rspamd config 2022-04-28 14:35:32 +00:00			`selector.type = "spf";`
			`backend.type = "redis";`
			`symbol = "SPF_REPUTATION";`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`}`
			`dkim_reputation {`
and rspamd config 2022-04-28 14:35:32 +00:00			`selector.type = "dkim";`
			`backend.type = "redis";`
			`symbol = "DKIM_REPUTATION";`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`}`
			`asn_reputation {`
and rspamd config 2022-04-28 14:35:32 +00:00			`selector.type = "generic";`
			`selector.selector = "asn";`
			`backend.type = "redis";`
			`symbol = "ASN_REPUTATION";`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`}`
			`country_reputation {`
and rspamd config 2022-04-28 14:35:32 +00:00			`selector.type = "generic";`
			`selector.selector = "country";`
			`backend.type = "redis";`
			`symbol = "COUNTRY_REPUTATION";`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`}`
			`}`
			`'';`
			`"replies.conf".text = ''`
and rspamd config 2022-04-28 14:35:32 +00:00			`expire = "7d";`
			`symbol = "REPLY";`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`'';`
			`"redis.conf".text = ''`
services.redis.rspamd -> services.redis.servers.rspamd 2022-04-28 20:23:33 +00:00			`servers = "${config.services.redis.servers.rspamd.bind}:${toString config.services.redis.servers.rspamd.port}";`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`'';`
protect the controller with a password 2022-04-29 13:28:35 +00:00			`"worker-controller.inc".text = ''`
			`password = "$2$xkox1hi3so3y61no8ps1enx7p56nh51s$tp8fjciao1goswpcze6g9bb9sbx3mf3kbik1iznybgia36d78jnb";`
			`'';`
listen to rspamd on :11332 2022-04-27 10:30:34 +00:00			`};`
enable redis for rspamd 2022-04-28 11:44:32 +00:00			`workers = {`
fix the name (proxy -> rspamd_proxy) 2022-04-29 13:25:42 +00:00			`rspamd_proxy = {`
reformat repo 2022-06-12 15:39:15 +00:00			`includes = ["$CONFDIR/worker-proxy.inc"];`
			`bindSockets = ["*:11332"];`
use the proxy worker 2022-04-29 13:23:45 +00:00			`};`
enable redis for rspamd 2022-04-28 11:44:32 +00:00			`normal = {`
reformat repo 2022-06-12 15:39:15 +00:00			`includes = ["$CONFDIR/worker-normal.inc"];`
			`bindSockets = ["*:11333"];`
enable redis for rspamd 2022-04-28 11:44:32 +00:00			`};`
			`controller = {`
reformat repo 2022-06-12 15:39:15 +00:00			`includes = ["$CONFDIR/worker-controller.inc"];`
			`bindSockets = ["*:11334"];`
enable redis for rspamd 2022-04-28 11:44:32 +00:00			`};`
add the controller worker 2022-04-27 10:37:49 +00:00			`};`
listen to rspamd on :11332 2022-04-27 10:30:34 +00:00			`};`
enable redis for rspamd 2022-04-28 11:44:32 +00:00			`redis.servers.rspamd = {`
			`enable = true;`
			`bind = "127.0.0.1";`
			`databases = 1;`
			`port = 6380;`
and rspamd config 2022-04-28 14:35:32 +00:00			`settings = {`
			`maxmemory = "500mb";`
			`maxmemory-policy = "volatile-ttl";`
			`};`
enable redis for rspamd 2022-04-28 11:44:32 +00:00			`};`
switch to caddy 2022-08-26 15:28:14 +00:00			`caddy.virtualHosts."rspamd.int.chir.rs" = {`
			`useACMEHost = "int.chir.rs";`
fix caddy log config 2022-12-30 13:03:57 +00:00			`logFormat = pkgs.lib.mkForce "";`
switch to caddy 2022-08-26 15:28:14 +00:00			`extraConfig = ''`
			`import baseConfig`

			`reverse_proxy http://127.0.0.1:11334`
			`'';`
reformat repo 2022-06-12 15:39:15 +00:00			`};`
add the most basic-ass rspamd config possible 2022-04-21 07:47:22 +00:00			`};`
reformat repo 2022-06-12 15:39:15 +00:00			`sops.secrets."services/rspamd/dkim/darkkirb.de" = {owner = "rspamd";};`
			`sops.secrets."services/rspamd/dkim/miifox.net" = {owner = "rspamd";};`
			`sops.secrets."services/rspamd/dkim/chir.rs" = {owner = "rspamd";};`
integrate rspamd with postfix 2022-04-28 14:37:09 +00:00			`networking.firewall.interfaces."wg0".allowedTCPPorts = [`
			`11332`
use the proxy worker 2022-04-29 13:23:45 +00:00			`11333`
integrate rspamd with postfix 2022-04-28 14:37:09 +00:00			`11334`
fix up all the metrics 2022-05-03 09:31:27 +00:00			`7980`
integrate rspamd with postfix 2022-04-28 14:37:09 +00:00			`];`
fix up all the metrics 2022-05-03 09:31:27 +00:00			`services.prometheus.exporters.rspamd.enable = true;`
add the most basic-ass rspamd config possible 2022-04-21 07:47:22 +00:00			`}`