nixos-config/config/services/rspamd.nix

# NixOS module: rspamd mail filter with DKIM signing for three domains,
# a local Redis backend (neural/reputation/greylist state), the controller
# UI reverse-proxied by Caddy, and a Prometheus exporter.
{
  config,
  lib,
  ...
}: {
  services = {
    # TODO: Antivirus
    rspamd = {
      enable = true;
      # Each entry below becomes a file under rspamd's local.d.
      # NOTE(review): `locals.*.text` is rendered into the Nix store and is
      # therefore world-readable on the host — presumably fine for tuning
      # knobs, see the controller password entry below.
      locals = {
        # One DKIM key per signing domain; the private keys come from sops
        # (declared at the bottom of this file, owned by the rspamd user) and
        # only their runtime paths are interpolated here, not the key bytes.
        # All three domains publish under the same selector, "dkim".
        "dkim_signing.conf".text = ''
          domain {
            "darkkirb.de" {
              selector = "dkim";
              path = "${config.sops.secrets."services/rspamd/dkim/darkkirb.de".path}";
            }
            "miifox.net" {
              selector = "dkim";
              path = "${config.sops.secrets."services/rspamd/dkim/miifox.net".path}";
            }
            "chir.rs" {
              selector = "dkim";
              path = "${config.sops.secrets."services/rspamd/dkim/chir.rs".path}";
            }
          }
        '';
        # Honour the sender's DMARC policy: p=reject -> reject,
        # p=quarantine -> quarantine, softfail -> only add a header.
        "dmarc.conf".text = ''
          actions {
            reject = "reject";
            quarantine = "quarantine";
            softfail = "add_header";
          }
        '';
        # Greylisting threshold; with 0, presumably any message scoring at or
        # above zero is eligible for greylisting — confirm against rspamd docs.
        "greylist.conf".text = ''
          greylist_min_score = 0;
        '';
        # hfilter: enable all HELO/hostname/URL/From/Rcpt/Message-ID heuristics.
        "hfilter.conf".text = ''
          helo_enabled = true;
          hostname_enabled = true;
          url_enabled = true;
          from_enabled = true;
          rcpt_enabled = true;
          mid_enabled = true;
        '';
        # Scan history shown in the controller: keep 1000 rows and enable
        # subject privacy so subjects are not kept in the clear in Redis.
        "history.conf".text = ''
          nrows = 1000;
          subject_privacy = true;
        '';
        # Headers the milter adds to scanned mail. Note that x-rspamd-server
        # discloses the scanning host's name to recipients; harmless, but
        # worth knowing when reading headers of mail that left this system.
        "milter.conf".text = ''
          use = [
            "authentication-results"
            "fuzzy-hashes"
            "spam-header"
            "stat-signature"
            "x-rspamd-queue-id"
            "x-rspamd-result"
            "x-rspamd-server"
            "x-rspamd-bar"
            "x-spam-status"
          ];
        '';
        # Check that the sender domain actually has a reachable MX.
        "mx_check.conf".text = ''
          enabled = true;
        '';
        # Neural module: two ANN rules with different memories.
        #   LONG  — retrains after 5000 samples, a sample may be reused up to
        #           200 times, network kept for a year.
        #   SHORT — same training size, but samples are reused at most twice
        #           and the network expires after 30 days (reacts faster).
        "neural.conf".text = ''
          enabled = true;
          rules {
            LONG {
              train {
                max_trains = 5000;
                max_usages = 200;
                max_iterations = 25;
                learning_rate = 0.01;
              }
              symbol_spam = "NEURAL_SPAM_LONG";
              symbol_ham = "NEURAL_HAM_LONG";
              ann_expire = "365d";
            }
            SHORT {
              train {
                max_trains = 5000;
                max_usages = 2;
                max_iterations = 25;
                learning_rate = 0.01;
              }
              symbol_spam = "NEURAL_SPAM_SHORT";
              symbol_ham = "NEURAL_HAM_SHORT";
              ann_expire = "30d";
            }
          }
        '';
        # Score weights for the neural symbols declared above; the LONG
        # network is trusted more (±3.0) than the SHORT one (+2.0 / -1.0).
        "neural_group.conf".text = ''
          symbols {
            NEURAL_SPAM_LONG {
              weight = 3.0; # sample weight
              description = "Neural network spam (long)";
            }
            NEURAL_HAM_LONG {
              weight = -3.0; # sample weight
              description = "Neural network ham (long)";
            }
            NEURAL_SPAM_SHORT {
              weight = 2.0; # sample weight
              description = "Neural network spam (short)";
            }
            NEURAL_HAM_SHORT {
              weight = -1.0; # sample weight
              description = "Neural network ham (short)";
            }
          }
        '';
        # Enable the OpenPhish feed in the phishing module.
        "phishing.conf".text = ''
          openphish_enabled = true;
        '';
        # Sender reputation tracked in Redis along five axes: sending IP,
        # SPF domain, DKIM domain, and (via generic selectors) ASN and country.
        # Each rule emits its own symbol so the contributions stay visible
        # in the scan result.
        "reputation.conf".text = ''
          rules {
            ip_reputation {
              selector.type = "ip";
              backend.type = "redis";
              symbol = "IP_REPUTATION";
            }
            spf_reputation {
              selector.type = "spf";
              backend.type = "redis";
              symbol = "SPF_REPUTATION";
            }
            dkim_reputation {
              selector.type = "dkim";
              backend.type = "redis";
              symbol = "DKIM_REPUTATION";
            }
            asn_reputation {
              selector.type = "generic";
              selector.selector = "asn";
              backend.type = "redis";
              symbol = "ASN_REPUTATION";
            }
            country_reputation {
              selector.type = "generic";
              selector.selector = "country";
              backend.type = "redis";
              symbol = "COUNTRY_REPUTATION";
            }
          }
        '';
        # Remember outgoing Message-IDs for 7 days so genuine replies to our
        # own mail get the REPLY symbol.
        "replies.conf".text = ''
          expire = "7d";
          symbol = "REPLY";
        '';
        # Point all Redis-backed modules at the dedicated Redis instance
        # declared below (services.redis.servers.rspamd), so host/port stay
        # in one place.
        "redis.conf".text = ''
          servers = "${config.services.redis.servers.rspamd.bind}:${toString config.services.redis.servers.rspamd.port}";
        '';
        # Controller (web UI / API) password. The "$2$..." value is a hash
        # produced by rspamadm's password tool, not the plaintext.
        # NOTE(review): because this text lands in the world-readable Nix
        # store, the hash is exposed to offline guessing by any local user;
        # sourcing this file from sops, as is done for the DKIM keys, would
        # close that gap — confirm the rspamd module supports a non-store source.
        "worker-controller.inc".text = ''
          password = "$2$xkox1hi3so3y61no8ps1enx7p56nh51s$tp8fjciao1goswpcze6g9bb9sbx3mf3kbik1iznybgia36d78jnb";
        '';
      };
      # Worker processes. All three bind on every interface; reachability
      # is restricted by the firewall rule at the bottom of this file, which
      # opens these ports on wg0 only (other interfaces stay closed as long
      # as the NixOS firewall is enabled elsewhere in the config).
      workers = {
        # Milter/proxy endpoint used by the MTA.
        rspamd_proxy = {
          includes = ["$CONFDIR/worker-proxy.inc"];
          bindSockets = ["*:11332"];
        };
        # Scanning workers behind the proxy.
        normal = {
          includes = ["$CONFDIR/worker-normal.inc"];
          bindSockets = ["*:11333"];
        };
        # Controller: web UI, learning and stats API; password-protected via
        # worker-controller.inc above.
        controller = {
          includes = ["$CONFDIR/worker-controller.inc"];
          bindSockets = ["*:11334"];
        };
      };
    };
    # Dedicated Redis instance for rspamd, loopback only, on a port that does
    # not collide with the default 6379. No authentication is configured, so
    # any local process can reach it — acceptable only because it is
    # loopback-bound; confirm that is the intended trust boundary.
    redis.servers.rspamd = {
      enable = true;
      bind = "127.0.0.1";
      databases = 1;
      port = 6380;
      settings = {
        # Bound memory; when full, evict the key with the nearest expiry
        # among keys that have a TTL (rspamd sets TTLs on its cache keys).
        maxmemory = "500mb";
        maxmemory-policy = "volatile-ttl";
      };
    };
    # Expose the controller UI over HTTPS on an internal hostname; TLS comes
    # from the shared "int.chir.rs" ACME certificate. Authentication is left
    # to rspamd's controller password — Caddy adds no access control here.
    caddy.virtualHosts."rspamd.int.chir.rs" = {
      useACMEHost = "int.chir.rs";
      extraConfig = ''
        import baseConfig
        reverse_proxy http://127.0.0.1:11334
      '';
    };
  };
  # DKIM private keys, decrypted by sops at activation and owned by the
  # rspamd user so the signing worker can read them without root.
  sops.secrets."services/rspamd/dkim/darkkirb.de" = {owner = "rspamd";};
  sops.secrets."services/rspamd/dkim/miifox.net" = {owner = "rspamd";};
  sops.secrets."services/rspamd/dkim/chir.rs" = {owner = "rspamd";};
  # Force a single resolver (ULA address, so presumably a resolver on the
  # private network). rspamd issues many DNSBL/SURBL queries, which public
  # resolvers rate-limit or block — likely the reason for the override.
  networking.nameservers = lib.mkForce ["fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49"];
  # Only the WireGuard interface may reach the rspamd workers (proxy, normal,
  # controller) and, presumably, the Prometheus exporter enabled below.
  networking.firewall.interfaces."wg0".allowedTCPPorts = [
    11332
    11333
    11334
    7980
  ];
  services.prometheus.exporters.rspamd.enable = true;
}