and rspamd config

This commit is contained in:
Charlotte 🦝 Delenk 2022-04-28 15:35:32 +01:00
parent e7688afb83
commit c5028ed6a0
Signed by: darkkirb
GPG key ID: AB2BD8DAF2E37122

View file

@ -1,31 +1,151 @@
{ config, ... }: {
{ config, lib, ... }:
{
services = {
# TODO: Antivirus
rspamd = {
enable = true;
locals = {
"dkim_signing.conf".text = ''
domain {
darkkirb.de {
"dkim_signing.conf".text = builtins.toJSON {
domain = {
"darkkirb.de" = {
selector = "dkim";
path = "${config.sops.secrets."services/rspamd/dkim/darkkirb.de".path}";
}
miifox.net {
};
"miifox.net" = {
selector = "dkim";
path = "${config.sops.secrets."services/rspamd/dkim/miifox.net".path}";
}
chir.rs {
};
"chir.rs" = {
selector = "dkim";
path = "${config.sops.secrets."services/rspamd/dkim/chir.rs".path}";
}
}
allow_hdrfrom_mismatch = true;
allow_hdrfrom_mismatch_sign_networks = true;
allow_username_mismatch = true;
use_domain = "header";
sign_authenticated = true;
use_esld = true;
'';
"redis.conf" = builtns.toJSON {
};
};
};
"dmarc.conf".text = builtins.toJSON {
actions = {
reject = "reject";
quarantine = "quarantine";
softfail = "add_header";
};
};
"greylist.conf".text = builtins.toJSON {
greylist_min_score = 0;
};
"hfilter.conf".text = builtins.toJSON {
helo_enabled = true;
hostname_enabled = true;
url_enabled = true;
from_enabled = true;
rcpt_enabled = true;
mid_enabled = true;
};
"history.conf".text = builtins.toJSON {
nrows = 1000;
subject_privacy = true;
};
"milter.conf".text = builtins.toJSON {
use = [
"authentication-results"
"fuzzy-hashes"
"spam-header"
"stat-signature"
"x-rspamd-queue-id"
"x-rspamd-result"
"x-rspamd-server"
"x-rspamd-bar"
"x-spam-status"
];
};
"mx_check.conf".text = builtins.toJSON {
enabled = true;
};
"neural.conf".text = builtins.toJSON {
enabled = true;
rules = {
LONG = {
train = {
max_trains = 5000;
max_usages = 200;
max_iterations = 25;
learning_rate = 0.01;
};
symbol_spam = "NEURAL_SPAM_LONG";
symbol_ham = "NEURAL_HAM_LONG";
ann_expire = "365d";
};
SHORT = {
train = {
max_trains = 5000;
max_usages = 2;
max_iterations = 25;
learning_rate = 0.01;
};
symbol_spam = "NEURAL_SPAM_SHORT";
symbol_ham = "NEURAL_HAM_SHORT";
ann_expire = "30d";
};
};
};
"neural_group.conf".text = builtins.toJSON {
symbols = {
NEURAL_SPAM_LONG = {
weight = 3.0; # sample weight
description = "Neural network spam (long)";
};
NEURAL_HAM_LONG = {
weight = -3.0; # sample weight
description = "Neural network ham (long)";
};
NEURAL_SPAM_SHORT = {
weight = 2.0; # sample weight
description = "Neural network spam (short)";
};
NEURAL_HAM_SHORT = {
weight = -1.0; # sample weight
description = "Neural network ham (short)";
};
};
};
"phishing.conf".text = builtins.toJSON {
openphish_enabled = true;
};
"reputation.conf".text = builtins.toJSON {
rules = {
ip_reputation = {
selector.type = "ip";
backend.type = "redis";
symbol = "IP_REPUTATION";
};
spf_reputation = {
selector.type = "spf";
backend.type = "redis";
symbol = "SPF_REPUTATION";
};
dkim_reputation = {
selector.type = "dkim";
backend.type = "redis";
symbol = "DKIM_REPUTATION";
};
asn_reputation = {
selector.type = "generic";
selector.selector = "asn";
backend.type = "redis";
symbol = "ASN_REPUTATION";
};
country_reputation = {
selector.type = "generic";
selector.selector = "country";
backend.type = "redis";
symbol = "COUNTRY_REPUTATION";
};
};
};
"replies.conf".text = builtins.toJSON {
expire = "7d";
symbol = "REPLY";
};
"redis.conf".text = builtins.toJSON {
servers = "${config.services.redis.rspamd.bind}:${toString config.services.redis.rspamd.port}";
};
};
@ -46,6 +166,10 @@
bind = "127.0.0.1";
databases = 1;
port = 6380;
settings = {
maxmemory = "500mb";
maxmemory-policy = "volatile-ttl";
};
};
nginx.virtualHosts."rspamd.int.chir.rs" =
let
@ -67,4 +191,5 @@
sops.secrets."services/rspamd/dkim/darkkirb.de" = { owner = "rspamd"; };
sops.secrets."services/rspamd/dkim/miifox.net" = { owner = "rspamd"; };
sops.secrets."services/rspamd/dkim/chir.rs" = { owner = "rspamd"; };
networking.nameservers = lib.mkForce [ "fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49" ];
}