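{ config, lib, ... }:
let
  # Every domain this host DKIM-signs for. The dkim_signing.conf entry and the
  # sops secret holding the private key are both generated from this list, so
  # adding a domain is a one-line change and the two can no longer drift apart.
  dkimDomains = [ "darkkirb.de" "miifox.net" "chir.rs" ];

  # sops secret name under which a domain's DKIM private key is stored.
  dkimSecretName = domain: "services/rspamd/dkim/${domain}";

  # One `domain { ... }` entry for rspamd's dkim_signing module; the key file is
  # read from the decrypted sops path (owned by the rspamd user, see below).
  dkimDomainBlock = domain: ''
    "${domain}" {
      selector = "dkim";
      path = "${config.sops.secrets.${dkimSecretName domain}.path}";
    }
  '';
in
{
  services = {
    # TODO: Antivirus
    rspamd = {
      enable = true;
      locals = {
        "dkim_signing.conf".text = ''
          domain {
          ${lib.concatMapStrings dkimDomainBlock dkimDomains}
          }
        '';
        # Honour the sender's DMARC policy: p=reject rejects, p=quarantine
        # quarantines, and a softfail only gets a header.
        "dmarc.conf".text = ''
          actions {
            reject = "reject";
            quarantine = "quarantine";
            softfail = "add_header";
          }
        '';
        "greylist.conf".text = ''
          greylist_min_score = 0;
        '';
        # HELO / hostname / URL / From / Rcpt / Message-ID sanity checks.
        "hfilter.conf".text = ''
          helo_enabled = true;
          hostname_enabled = true;
          url_enabled = true;
          from_enabled = true;
          rcpt_enabled = true;
          mid_enabled = true;
        '';
        # Web-UI history: keep it short and do not store plain subjects.
        "history.conf".text = ''
          nrows = 1000;
          subject_privacy = true;
        '';
        # Headers the milter adds to scanned mail.
        "milter.conf".text = ''
          use = [
            "authentication-results"
            "fuzzy-hashes"
            "spam-header"
            "stat-signature"
            "x-rspamd-queue-id"
            "x-rspamd-result"
            "x-rspamd-server"
            "x-rspamd-bar"
            "x-spam-status"
          ];
        '';
        "mx_check.conf".text = ''
          enabled = true;
        '';
        # Two neural profiles: LONG is retrained rarely and kept for a year,
        # SHORT adapts quickly (max_usages = 2) and expires after a month.
        "neural.conf".text = ''
          enabled = true;
          rules {
            LONG {
              train {
                max_trains = 5000;
                max_usages = 200;
                max_iterations = 25;
                learning_rate = 0.01;
              }
              symbol_spam = "NEURAL_SPAM_LONG";
              symbol_ham = "NEURAL_HAM_LONG";
              ann_expire = "365d";
            }
            SHORT {
              train {
                max_trains = 5000;
                max_usages = 2;
                max_iterations = 25;
                learning_rate = 0.01;
              }
              symbol_spam = "NEURAL_SPAM_SHORT";
              symbol_ham = "NEURAL_HAM_SHORT";
              ann_expire = "30d";
            }
          }
        '';
        # Score weights for the neural symbols above; the SHORT profile gets
        # less weight because it is trained on far fewer samples.
        "neural_group.conf".text = ''
          symbols {
            NEURAL_SPAM_LONG {
              weight = 3.0; # sample weight
              description = "Neural network spam (long)";
            }
            NEURAL_HAM_LONG {
              weight = -3.0; # sample weight
              description = "Neural network ham (long)";
            }
            NEURAL_SPAM_SHORT {
              weight = 2.0; # sample weight
              description = "Neural network spam (short)";
            }
            NEURAL_HAM_SHORT {
              weight = -1.0; # sample weight
              description = "Neural network ham (short)";
            }
          }
        '';
        "phishing.conf".text = ''
          openphish_enabled = true;
        '';
        # Sender reputation tracked per IP, SPF domain, DKIM domain, ASN and
        # country, all persisted in the dedicated redis instance below.
        "reputation.conf".text = ''
          rules {
            ip_reputation {
              selector.type = "ip";
              backend.type = "redis";
              symbol = "IP_REPUTATION";
            }
            spf_reputation {
              selector.type = "spf";
              backend.type = "redis";
              symbol = "SPF_REPUTATION";
            }
            dkim_reputation {
              selector.type = "dkim";
              backend.type = "redis";
              symbol = "DKIM_REPUTATION";
            }
            asn_reputation {
              selector.type = "generic";
              selector.selector = "asn";
              backend.type = "redis";
              symbol = "ASN_REPUTATION";
            }
            country_reputation {
              selector.type = "generic";
              selector.selector = "country";
              backend.type = "redis";
              symbol = "COUNTRY_REPUTATION";
            }
          }
        '';
        "replies.conf".text = ''
          expire = "7d";
          symbol = "REPLY";
        '';
        # Point rspamd at its own redis instance (configured below).
        "redis.conf".text = ''
          servers = "${config.services.redis.servers.rspamd.bind}:${toString config.services.redis.servers.rspamd.port}";
        '';
      };
      # NOTE(review): all three workers bind on every interface ("*:port");
      # only the wg0 firewall rule at the bottom keeps them off other
      # networks. If the MTA and nginx are the only clients, binding to
      # 127.0.0.1 and the wg0 address instead would not rely on the firewall.
      workers = {
        proxy = {
          includes = [ "$CONFDIR/worker-proxy.inc" ];
          bindSockets = [ "*:11332" ];
        };
        normal = {
          includes = [ "$CONFDIR/worker-normal.inc" ];
          bindSockets = [ "*:11333" ];
        };
        # The controller (web UI / API) is fronted by the nginx vhost below.
        # NOTE(review): no controller password or secure_ip override is set in
        # this file; confirm one is provided elsewhere before relying on the
        # wg0 exposure of 11334.
        controller = {
          includes = [ "$CONFDIR/worker-controller.inc" ];
          bindSockets = [ "*:11334" ];
        };
      };
    };
    # Dedicated, loopback-only redis for rspamd state (reputation, neural,
    # replies, greylisting). Bounded memory; volatile-ttl evicts the keys
    # closest to expiry first, which suits the mostly-TTL'd data rspamd stores.
    redis.servers.rspamd = {
      enable = true;
      bind = "127.0.0.1";
      databases = 1;
      port = 6380;
      settings = {
        maxmemory = "500mb";
        maxmemory-policy = "volatile-ttl";
      };
    };
    # Internal-only vhost proxying to the controller worker.
    nginx.virtualHosts."rspamd.int.chir.rs" =
      let
        listenIPs = (import ../../utils/getInternalIP.nix config).listenIPs;
      in
      {
        listenAddresses = listenIPs;
        sslCertificate = "/var/lib/acme/int.chir.rs/cert.pem";
        sslCertificateKey = "/var/lib/acme/int.chir.rs/key.pem";
        # NOTE(review): neither forceSSL, onlySSL nor addSSL is set here, so
        # unless another module sets one for this vhost the controller UI (and
        # its password) may be served over plain HTTP despite the certificate
        # paths above — confirm. HTTP/3 is not enabled; if wanted, add the
        # `listen <ip>:443 http3;` / Alt-Svc lines via extraConfig.
        locations."/" = {
          proxyPass = "http://127.0.0.1:11334/";
          proxyWebsockets = true;
        };
      };
  };
  # One sops secret per DKIM domain; rspamd must own the decrypted key file to
  # read it.
  sops.secrets = lib.genAttrs (map dkimSecretName dkimDomains) (_: { owner = "rspamd"; });
  # NOTE(review): pins the host to a single resolver. rspamd's DNS-based checks
  # (DMARC, MX check, phishing, reputation) all go through it, so this resolver
  # is a single point of failure for mail scoring.
  networking.nameservers = lib.mkForce [ "fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49" ];
  # Expose the rspamd workers to peers on the wireguard interface only:
  # 11332 proxy (milter), 11333 normal (scanner), 11334 controller.
  # NOTE(review): 11334 is also reachable through the nginx vhost; opening it
  # directly bypasses whatever TLS/auth nginx adds — confirm it is needed.
  networking.firewall.interfaces."wg0".allowedTCPPorts = [
    11332
    11333
    11334
  ];
}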