nixos-config/config/services/rspamd.nix

{ config, lib, ... }:
{
  services = {
    # TODO: Antivirus

    rspamd = {
      enable = true;
      locals = {
        "dkim_signing.conf".text = ''
          domain {
            "darkkirb.de" {
              selector = "dkim";
              path = "${config.sops.secrets."services/rspamd/dkim/darkkirb.de".path}";
            }
            "miifox.net" {
              selector = "dkim";
              path = "${config.sops.secrets."services/rspamd/dkim/miifox.net".path}";
            }
            "chir.rs" {
              selector = "dkim";
              path = "${config.sops.secrets."services/rspamd/dkim/chir.rs".path}";
            }
          }
        '';
        "dmarc.conf".text = ''
          actions {
            reject = "reject";
            quarantine = "quarantine";
            softfail = "add_header";
          }
        '';
        "greylist.conf".text = ''
          greylist_min_score = 0;
        '';
        "hfilter.conf".text = ''
          helo_enabled = true;
          hostname_enabled = true;
          url_enabled = true;
          from_enabled = true;
          rcpt_enabled = true;
          mid_enabled = true;
        '';
        "history.conf".text = ''
          nrows = 1000;
          subject_privacy = true;
        '';
        "milter.conf".text = ''
          use = [
            "authentication-results"
            "fuzzy-hashes"
            "spam-header"
            "stat-signature"
            "x-rspamd-queue-id"
            "x-rspamd-result"
            "x-rspamd-server"
            "x-rspamd-bar"
            "x-spam-status"
          ];
        '';
        "mx_check.conf".text = ''
          enabled = true;
        '';
        "neural.conf".text = ''
          enabled = true;
          rules {
            LONG {
              train {
                max_trains = 5000;
                max_usages = 200;
                max_iterations = 25;
                learning_rate = 0.01;
              }
              symbol_spam = "NEURAL_SPAM_LONG";
              symbol_ham = "NEURAL_HAM_LONG";
              ann_expire = "365d";
            }
            SHORT {
              train {
                max_trains = 5000;
                max_usages = 2;
                max_iterations = 25;
                learning_rate = 0.01;
              }
              symbol_spam = "NEURAL_SPAM_SHORT";
              symbol_ham = "NEURAL_HAM_SHORT";
              ann_expire = "30d";
            }
          }
        '';
        "neural_group.conf".text = ''
          symbols {
            NEURAL_SPAM_LONG {
              weight = 3.0; # sample weight
              description = "Neural network spam (long)";
            }
            NEURAL_HAM_LONG {
              weight = -3.0; # sample weight
              description = "Neural network ham (long)";
            }
            NEURAL_SPAM_SHORT {
              weight = 2.0; # sample weight
              description = "Neural network spam (short)";
            }
            NEURAL_HAM_SHORT {
              weight = -1.0; # sample weight
              description = "Neural network ham (short)";
            }
          }
        '';
        "phishing.conf".text = ''
          openphish_enabled = true;
        '';
        "reputation.conf".text = ''
          rules {
            ip_reputation {
              selector.type = "ip";
              backend.type = "redis";
              symbol = "IP_REPUTATION";
            }
            spf_reputation {
              selector.type = "spf";
              backend.type = "redis";
              symbol = "SPF_REPUTATION";
            }
            dkim_reputation {
              selector.type = "dkim";
              backend.type = "redis";
              symbol = "DKIM_REPUTATION";
            }
            asn_reputation {
              selector.type = "generic";
              selector.selector = "asn";
              backend.type = "redis";
              symbol = "ASN_REPUTATION";
            }
            country_reputation {
              selector.type = "generic";
              selector.selector = "country";
              backend.type = "redis";
              symbol = "COUNTRY_REPUTATION";
            }
          }
        '';
        "replies.conf".text = ''
          expire = "7d";
          symbol = "REPLY";
        '';
        "redis.conf".text = ''
          servers = "${config.services.redis.servers.rspamd.bind}:${toString config.services.redis.servers.rspamd.port}";
        '';
        "worker-controller.inc".text = ''
          password = "$2$xkox1hi3so3y61no8ps1enx7p56nh51s$tp8fjciao1goswpcze6g9bb9sbx3mf3kbik1iznybgia36d78jnb";
        '';
      };
      workers = {
        rspamd_proxy = {
          includes = [ "$CONFDIR/worker-proxy.inc" ];
          bindSockets = [ "*:11332" ];
        };
        normal = {
          includes = [ "$CONFDIR/worker-normal.inc" ];
          bindSockets = [ "*:11333" ];
        };
        controller = {
          includes = [ "$CONFDIR/worker-controller.inc" ];
          bindSockets = [ "*:11334" ];
        };
      };

    };
    redis.servers.rspamd = {
      enable = true;
      bind = "127.0.0.1";
      databases = 1;
      port = 6380;
      settings = {
        maxmemory = "500mb";
        maxmemory-policy = "volatile-ttl";
      };
    };
    nginx.virtualHosts."rspamd.int.chir.rs" =
      let
        listenIPs = (import ../../utils/getInternalIP.nix config).listenIPs;
        listenStatements = lib.concatStringsSep "\n" (builtins.map (ip: "listen ${ip}:443 http3;") listenIPs) + ''
          add_header Alt-Svc 'h3=":443"';
        '';
      in
      {
        listenAddresses = listenIPs;
        sslCertificate = "/var/lib/acme/int.chir.rs/cert.pem";
        sslCertificateKey = "/var/lib/acme/int.chir.rs/key.pem";
        locations."/" = {
          proxyPass = "http://127.0.0.1:11334/";
          proxyWebsockets = true;
        };
      };
  };
  sops.secrets."services/rspamd/dkim/darkkirb.de" = { owner = "rspamd"; };
  sops.secrets."services/rspamd/dkim/miifox.net" = { owner = "rspamd"; };
  sops.secrets."services/rspamd/dkim/chir.rs" = { owner = "rspamd"; };
  networking.nameservers = lib.mkForce [ "fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49" ];
  networking.firewall.interfaces."wg0".allowedTCPPorts = [
    11332
    11333
    11334
    7980
  ];
  services.prometheus.exporters.rspamd.enable = true;
}
and rspamd config 2022-04-28 14:35:32 +00:00			`{ config, lib, ... }:`
			`{`
enable redis for rspamd 2022-04-28 11:44:32 +00:00			`services = {`
and rspamd config 2022-04-28 14:35:32 +00:00			`# TODO: Antivirus`

enable redis for rspamd 2022-04-28 11:44:32 +00:00			`rspamd = {`
			`enable = true;`
			`locals = {`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`"dkim_signing.conf".text = ''`
			`domain {`
			`"darkkirb.de" {`
enable redis for rspamd 2022-04-28 11:44:32 +00:00			`selector = "dkim";`
			`path = "${config.sops.secrets."services/rspamd/dkim/darkkirb.de".path}";`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`}`
			`"miifox.net" {`
enable redis for rspamd 2022-04-28 11:44:32 +00:00			`selector = "dkim";`
			`path = "${config.sops.secrets."services/rspamd/dkim/miifox.net".path}";`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`}`
			`"chir.rs" {`
enable redis for rspamd 2022-04-28 11:44:32 +00:00			`selector = "dkim";`
			`path = "${config.sops.secrets."services/rspamd/dkim/chir.rs".path}";`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`}`
			`}`
			`'';`
			`"dmarc.conf".text = ''`
			`actions {`
and rspamd config 2022-04-28 14:35:32 +00:00			`reject = "reject";`
			`quarantine = "quarantine";`
			`softfail = "add_header";`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`}`
			`'';`
			`"greylist.conf".text = ''`
and rspamd config 2022-04-28 14:35:32 +00:00			`greylist_min_score = 0;`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`'';`
			`"hfilter.conf".text = ''`
and rspamd config 2022-04-28 14:35:32 +00:00			`helo_enabled = true;`
			`hostname_enabled = true;`
			`url_enabled = true;`
			`from_enabled = true;`
			`rcpt_enabled = true;`
			`mid_enabled = true;`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`'';`
			`"history.conf".text = ''`
and rspamd config 2022-04-28 14:35:32 +00:00			`nrows = 1000;`
			`subject_privacy = true;`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`'';`
			`"milter.conf".text = ''`
and rspamd config 2022-04-28 14:35:32 +00:00			`use = [`
			`"authentication-results"`
			`"fuzzy-hashes"`
			`"spam-header"`
			`"stat-signature"`
			`"x-rspamd-queue-id"`
			`"x-rspamd-result"`
			`"x-rspamd-server"`
			`"x-rspamd-bar"`
			`"x-spam-status"`
			`];`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`'';`
			`"mx_check.conf".text = ''`
and rspamd config 2022-04-28 14:35:32 +00:00			`enabled = true;`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`'';`
			`"neural.conf".text = ''`
and rspamd config 2022-04-28 14:35:32 +00:00			`enabled = true;`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`rules {`
			`LONG {`
			`train {`
and rspamd config 2022-04-28 14:35:32 +00:00			`max_trains = 5000;`
			`max_usages = 200;`
			`max_iterations = 25;`
			`learning_rate = 0.01;`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`}`
and rspamd config 2022-04-28 14:35:32 +00:00			`symbol_spam = "NEURAL_SPAM_LONG";`
			`symbol_ham = "NEURAL_HAM_LONG";`
			`ann_expire = "365d";`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`}`
			`SHORT {`
			`train {`
and rspamd config 2022-04-28 14:35:32 +00:00			`max_trains = 5000;`
			`max_usages = 2;`
			`max_iterations = 25;`
			`learning_rate = 0.01;`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`}`
and rspamd config 2022-04-28 14:35:32 +00:00			`symbol_spam = "NEURAL_SPAM_SHORT";`
			`symbol_ham = "NEURAL_HAM_SHORT";`
			`ann_expire = "30d";`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`}`
			`}`
			`'';`
			`"neural_group.conf".text = ''`
			`symbols {`
			`NEURAL_SPAM_LONG {`
			`weight = 3.0; # sample weight`
			`description = "Neural network spam (long)";`
			`}`
			`NEURAL_HAM_LONG {`
			`weight = -3.0; # sample weight`
			`description = "Neural network ham (long)";`
			`}`
			`NEURAL_SPAM_SHORT {`
			`weight = 2.0; # sample weight`
			`description = "Neural network spam (short)";`
			`}`
			`NEURAL_HAM_SHORT {`
			`weight = -1.0; # sample weight`
			`description = "Neural network ham (short)";`
			`}`
			`}`
			`'';`
			`"phishing.conf".text = ''`
and rspamd config 2022-04-28 14:35:32 +00:00			`openphish_enabled = true;`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`'';`
			`"reputation.conf".text = ''`
			`rules {`
			`ip_reputation {`
and rspamd config 2022-04-28 14:35:32 +00:00			`selector.type = "ip";`
			`backend.type = "redis";`
			`symbol = "IP_REPUTATION";`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`}`
			`spf_reputation {`
and rspamd config 2022-04-28 14:35:32 +00:00			`selector.type = "spf";`
			`backend.type = "redis";`
			`symbol = "SPF_REPUTATION";`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`}`
			`dkim_reputation {`
and rspamd config 2022-04-28 14:35:32 +00:00			`selector.type = "dkim";`
			`backend.type = "redis";`
			`symbol = "DKIM_REPUTATION";`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`}`
			`asn_reputation {`
and rspamd config 2022-04-28 14:35:32 +00:00			`selector.type = "generic";`
			`selector.selector = "asn";`
			`backend.type = "redis";`
			`symbol = "ASN_REPUTATION";`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`}`
			`country_reputation {`
and rspamd config 2022-04-28 14:35:32 +00:00			`selector.type = "generic";`
			`selector.selector = "country";`
			`backend.type = "redis";`
			`symbol = "COUNTRY_REPUTATION";`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`}`
			`}`
			`'';`
			`"replies.conf".text = ''`
and rspamd config 2022-04-28 14:35:32 +00:00			`expire = "7d";`
			`symbol = "REPLY";`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`'';`
			`"redis.conf".text = ''`
services.redis.rspamd -> services.redis.servers.rspamd 2022-04-28 20:23:33 +00:00			`servers = "${config.services.redis.servers.rspamd.bind}:${toString config.services.redis.servers.rspamd.port}";`
Wildly misleading documentation is my favourite Apparently UCL is NOT JSON-compatible no matter what the documentation claims. 2022-04-29 13:13:20 +00:00			`'';`
protect the controller with a password 2022-04-29 13:28:35 +00:00			`"worker-controller.inc".text = ''`
			`password = "$2$xkox1hi3so3y61no8ps1enx7p56nh51s$tp8fjciao1goswpcze6g9bb9sbx3mf3kbik1iznybgia36d78jnb";`
			`'';`
listen to rspamd on :11332 2022-04-27 10:30:34 +00:00			`};`
enable redis for rspamd 2022-04-28 11:44:32 +00:00			`workers = {`
fix the name (proxy -> rspamd_proxy) 2022-04-29 13:25:42 +00:00			`rspamd_proxy = {`
use the proxy worker 2022-04-29 13:23:45 +00:00			`includes = [ "$CONFDIR/worker-proxy.inc" ];`
			`bindSockets = [ "*:11332" ];`
			`};`
enable redis for rspamd 2022-04-28 11:44:32 +00:00			`normal = {`
			`includes = [ "$CONFDIR/worker-normal.inc" ];`
use the proxy worker 2022-04-29 13:23:45 +00:00			`bindSockets = [ "*:11333" ];`
enable redis for rspamd 2022-04-28 11:44:32 +00:00			`};`
			`controller = {`
			`includes = [ "$CONFDIR/worker-controller.inc" ];`
			`bindSockets = [ "*:11334" ];`
			`};`
add the controller worker 2022-04-27 10:37:49 +00:00			`};`
enable redis for rspamd 2022-04-28 11:44:32 +00:00
listen to rspamd on :11332 2022-04-27 10:30:34 +00:00			`};`
enable redis for rspamd 2022-04-28 11:44:32 +00:00			`redis.servers.rspamd = {`
			`enable = true;`
			`bind = "127.0.0.1";`
			`databases = 1;`
			`port = 6380;`
and rspamd config 2022-04-28 14:35:32 +00:00			`settings = {`
			`maxmemory = "500mb";`
			`maxmemory-policy = "volatile-ttl";`
			`};`
enable redis for rspamd 2022-04-28 11:44:32 +00:00			`};`
			`nginx.virtualHosts."rspamd.int.chir.rs" =`
			`let`
			`listenIPs = (import ../../utils/getInternalIP.nix config).listenIPs;`
			`listenStatements = lib.concatStringsSep "\n" (builtins.map (ip: "listen ${ip}:443 http3;") listenIPs) + ''`
			`add_header Alt-Svc 'h3=":443"';`
			`'';`
			`in`
			`{`
			`listenAddresses = listenIPs;`
			`sslCertificate = "/var/lib/acme/int.chir.rs/cert.pem";`
			`sslCertificateKey = "/var/lib/acme/int.chir.rs/key.pem";`
			`locations."/" = {`
			`proxyPass = "http://127.0.0.1:11334/";`
			`proxyWebsockets = true;`
			`};`
			`};`
add the most basic-ass rspamd config possible 2022-04-21 07:47:22 +00:00			`};`
			`sops.secrets."services/rspamd/dkim/darkkirb.de" = { owner = "rspamd"; };`
			`sops.secrets."services/rspamd/dkim/miifox.net" = { owner = "rspamd"; };`
			`sops.secrets."services/rspamd/dkim/chir.rs" = { owner = "rspamd"; };`
and rspamd config 2022-04-28 14:35:32 +00:00			`networking.nameservers = lib.mkForce [ "fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49" ];`
integrate rspamd with postfix 2022-04-28 14:37:09 +00:00			`networking.firewall.interfaces."wg0".allowedTCPPorts = [`
			`11332`
use the proxy worker 2022-04-29 13:23:45 +00:00			`11333`
integrate rspamd with postfix 2022-04-28 14:37:09 +00:00			`11334`
fix up all the metrics 2022-05-03 09:31:27 +00:00			`7980`
integrate rspamd with postfix 2022-04-28 14:37:09 +00:00			`];`
fix up all the metrics 2022-05-03 09:31:27 +00:00			`services.prometheus.exporters.rspamd.enable = true;`
add the most basic-ass rspamd config possible 2022-04-21 07:47:22 +00:00			`}`