and rspamd config
This commit is contained in:
parent
e7688afb83
commit
c5028ed6a0
1 changed files with 143 additions and 18 deletions
|
@ -1,31 +1,151 @@
|
|||
{ config, ... }: {
|
||||
{ config, lib, ... }:
|
||||
{
|
||||
services = {
|
||||
# TODO: Antivirus
|
||||
|
||||
rspamd = {
|
||||
enable = true;
|
||||
locals = {
|
||||
"dkim_signing.conf".text = ''
|
||||
domain {
|
||||
darkkirb.de {
|
||||
"dkim_signing.conf".text = builtins.toJSON {
|
||||
domain = {
|
||||
"darkkirb.de" = {
|
||||
selector = "dkim";
|
||||
path = "${config.sops.secrets."services/rspamd/dkim/darkkirb.de".path}";
|
||||
}
|
||||
miifox.net {
|
||||
};
|
||||
"miifox.net" = {
|
||||
selector = "dkim";
|
||||
path = "${config.sops.secrets."services/rspamd/dkim/miifox.net".path}";
|
||||
}
|
||||
chir.rs {
|
||||
};
|
||||
"chir.rs" = {
|
||||
selector = "dkim";
|
||||
path = "${config.sops.secrets."services/rspamd/dkim/chir.rs".path}";
|
||||
}
|
||||
}
|
||||
allow_hdrfrom_mismatch = true;
|
||||
allow_hdrfrom_mismatch_sign_networks = true;
|
||||
allow_username_mismatch = true;
|
||||
use_domain = "header";
|
||||
sign_authenticated = true;
|
||||
use_esld = true;
|
||||
'';
|
||||
"redis.conf" = builtns.toJSON {
|
||||
};
|
||||
};
|
||||
};
|
||||
"dmarc.conf".text = builtins.toJSON {
|
||||
actions = {
|
||||
reject = "reject";
|
||||
quarantine = "quarantine";
|
||||
softfail = "add_header";
|
||||
};
|
||||
};
|
||||
"greylist.conf".text = builtins.toJSON {
|
||||
greylist_min_score = 0;
|
||||
};
|
||||
"hfilter.conf".text = builtins.toJSON {
|
||||
helo_enabled = true;
|
||||
hostname_enabled = true;
|
||||
url_enabled = true;
|
||||
from_enabled = true;
|
||||
rcpt_enabled = true;
|
||||
mid_enabled = true;
|
||||
};
|
||||
"history.conf".text = builtins.toJSON {
|
||||
nrows = 1000;
|
||||
subject_privacy = true;
|
||||
};
|
||||
"milter.conf".text = builtins.toJSON {
|
||||
use = [
|
||||
"authentication-results"
|
||||
"fuzzy-hashes"
|
||||
"spam-header"
|
||||
"stat-signature"
|
||||
"x-rspamd-queue-id"
|
||||
"x-rspamd-result"
|
||||
"x-rspamd-server"
|
||||
"x-rspamd-bar"
|
||||
"x-spam-status"
|
||||
];
|
||||
};
|
||||
"mx_check.conf".text = builtins.toJSON {
|
||||
enabled = true;
|
||||
};
|
||||
"neural.conf".text = builtins.toJSON {
|
||||
enabled = true;
|
||||
rules = {
|
||||
LONG = {
|
||||
train = {
|
||||
max_trains = 5000;
|
||||
max_usages = 200;
|
||||
max_iterations = 25;
|
||||
learning_rate = 0.01;
|
||||
};
|
||||
symbol_spam = "NEURAL_SPAM_LONG";
|
||||
symbol_ham = "NEURAL_HAM_LONG";
|
||||
ann_expire = "365d";
|
||||
};
|
||||
SHORT = {
|
||||
train = {
|
||||
max_trains = 5000;
|
||||
max_usages = 2;
|
||||
max_iterations = 25;
|
||||
learning_rate = 0.01;
|
||||
};
|
||||
symbol_spam = "NEURAL_SPAM_SHORT";
|
||||
symbol_ham = "NEURAL_HAM_SHORT";
|
||||
ann_expire = "30d";
|
||||
};
|
||||
};
|
||||
};
|
||||
"neural_group.conf".text = builtins.toJSON {
|
||||
symbols = {
|
||||
NEURAL_SPAM_LONG = {
|
||||
weight = 3.0; # sample weight
|
||||
description = "Neural network spam (long)";
|
||||
};
|
||||
NEURAL_HAM_LONG = {
|
||||
weight = -3.0; # sample weight
|
||||
description = "Neural network ham (long)";
|
||||
};
|
||||
NEURAL_SPAM_SHORT = {
|
||||
weight = 2.0; # sample weight
|
||||
description = "Neural network spam (short)";
|
||||
};
|
||||
NEURAL_HAM_SHORT = {
|
||||
weight = -1.0; # sample weight
|
||||
description = "Neural network ham (short)";
|
||||
};
|
||||
};
|
||||
};
|
||||
"phishing.conf".text = builtins.toJSON {
|
||||
openphish_enabled = true;
|
||||
};
|
||||
"reputation.conf".text = builtins.toJSON {
|
||||
rules = {
|
||||
ip_reputation = {
|
||||
selector.type = "ip";
|
||||
backend.type = "redis";
|
||||
symbol = "IP_REPUTATION";
|
||||
};
|
||||
spf_reputation = {
|
||||
selector.type = "spf";
|
||||
backend.type = "redis";
|
||||
symbol = "SPF_REPUTATION";
|
||||
};
|
||||
dkim_reputation = {
|
||||
selector.type = "dkim";
|
||||
backend.type = "redis";
|
||||
symbol = "DKIM_REPUTATION";
|
||||
};
|
||||
asn_reputation = {
|
||||
selector.type = "generic";
|
||||
selector.selector = "asn";
|
||||
backend.type = "redis";
|
||||
symbol = "ASN_REPUTATION";
|
||||
};
|
||||
country_reputation = {
|
||||
selector.type = "generic";
|
||||
selector.selector = "country";
|
||||
backend.type = "redis";
|
||||
symbol = "COUNTRY_REPUTATION";
|
||||
};
|
||||
};
|
||||
};
|
||||
"replies.conf".text = builtins.toJSON {
|
||||
expire = "7d";
|
||||
symbol = "REPLY";
|
||||
};
|
||||
"redis.conf".text = builtins.toJSON {
|
||||
servers = "${config.services.redis.rspamd.bind}:${toString config.services.redis.rspamd.port}";
|
||||
};
|
||||
};
|
||||
|
@ -46,6 +166,10 @@
|
|||
bind = "127.0.0.1";
|
||||
databases = 1;
|
||||
port = 6380;
|
||||
settings = {
|
||||
maxmemory = "500mb";
|
||||
maxmemory-policy = "volatile-ttl";
|
||||
};
|
||||
};
|
||||
nginx.virtualHosts."rspamd.int.chir.rs" =
|
||||
let
|
||||
|
@ -67,4 +191,5 @@
|
|||
sops.secrets."services/rspamd/dkim/darkkirb.de" = { owner = "rspamd"; };
|
||||
sops.secrets."services/rspamd/dkim/miifox.net" = { owner = "rspamd"; };
|
||||
sops.secrets."services/rspamd/dkim/chir.rs" = { owner = "rspamd"; };
|
||||
networking.nameservers = lib.mkForce [ "fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49" ];
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue