nixos-config/config/services/rspamd.nix

199 lines
6.1 KiB
Nix

{ config, lib, ... }:
{
services = {
# TODO: Antivirus
rspamd = {
enable = true;
locals = {
"dkim_signing.conf".text = builtins.toJSON {
domain = {
"darkkirb.de" = {
selector = "dkim";
path = "${config.sops.secrets."services/rspamd/dkim/darkkirb.de".path}";
};
"miifox.net" = {
selector = "dkim";
path = "${config.sops.secrets."services/rspamd/dkim/miifox.net".path}";
};
"chir.rs" = {
selector = "dkim";
path = "${config.sops.secrets."services/rspamd/dkim/chir.rs".path}";
};
};
};
"dmarc.conf".text = builtins.toJSON {
actions = {
reject = "reject";
quarantine = "quarantine";
softfail = "add_header";
};
};
"greylist.conf".text = builtins.toJSON {
greylist_min_score = 0;
};
"hfilter.conf".text = builtins.toJSON {
helo_enabled = true;
hostname_enabled = true;
url_enabled = true;
from_enabled = true;
rcpt_enabled = true;
mid_enabled = true;
};
"history.conf".text = builtins.toJSON {
nrows = 1000;
subject_privacy = true;
};
"milter.conf".text = builtins.toJSON {
use = [
"authentication-results"
"fuzzy-hashes"
"spam-header"
"stat-signature"
"x-rspamd-queue-id"
"x-rspamd-result"
"x-rspamd-server"
"x-rspamd-bar"
"x-spam-status"
];
};
"mx_check.conf".text = builtins.toJSON {
enabled = true;
};
"neural.conf".text = builtins.toJSON {
enabled = true;
rules = {
LONG = {
train = {
max_trains = 5000;
max_usages = 200;
max_iterations = 25;
learning_rate = 0.01;
};
symbol_spam = "NEURAL_SPAM_LONG";
symbol_ham = "NEURAL_HAM_LONG";
ann_expire = "365d";
};
SHORT = {
train = {
max_trains = 5000;
max_usages = 2;
max_iterations = 25;
learning_rate = 0.01;
};
symbol_spam = "NEURAL_SPAM_SHORT";
symbol_ham = "NEURAL_HAM_SHORT";
ann_expire = "30d";
};
};
};
"neural_group.conf".text = builtins.toJSON {
symbols = {
NEURAL_SPAM_LONG = {
weight = 3.0; # sample weight
description = "Neural network spam (long)";
};
NEURAL_HAM_LONG = {
weight = -3.0; # sample weight
description = "Neural network ham (long)";
};
NEURAL_SPAM_SHORT = {
weight = 2.0; # sample weight
description = "Neural network spam (short)";
};
NEURAL_HAM_SHORT = {
weight = -1.0; # sample weight
description = "Neural network ham (short)";
};
};
};
"phishing.conf".text = builtins.toJSON {
openphish_enabled = true;
};
"reputation.conf".text = builtins.toJSON {
rules = {
ip_reputation = {
selector.type = "ip";
backend.type = "redis";
symbol = "IP_REPUTATION";
};
spf_reputation = {
selector.type = "spf";
backend.type = "redis";
symbol = "SPF_REPUTATION";
};
dkim_reputation = {
selector.type = "dkim";
backend.type = "redis";
symbol = "DKIM_REPUTATION";
};
asn_reputation = {
selector.type = "generic";
selector.selector = "asn";
backend.type = "redis";
symbol = "ASN_REPUTATION";
};
country_reputation = {
selector.type = "generic";
selector.selector = "country";
backend.type = "redis";
symbol = "COUNTRY_REPUTATION";
};
};
};
"replies.conf".text = builtins.toJSON {
expire = "7d";
symbol = "REPLY";
};
"redis.conf".text = builtins.toJSON {
servers = "${config.services.redis.rspamd.bind}:${toString config.services.redis.rspamd.port}";
};
};
workers = {
normal = {
includes = [ "$CONFDIR/worker-normal.inc" ];
bindSockets = [ "*:11332" ];
};
controller = {
includes = [ "$CONFDIR/worker-controller.inc" ];
bindSockets = [ "*:11334" ];
};
};
};
redis.servers.rspamd = {
enable = true;
bind = "127.0.0.1";
databases = 1;
port = 6380;
settings = {
maxmemory = "500mb";
maxmemory-policy = "volatile-ttl";
};
};
nginx.virtualHosts."rspamd.int.chir.rs" =
let
listenIPs = (import ../../utils/getInternalIP.nix config).listenIPs;
listenStatements = lib.concatStringsSep "\n" (builtins.map (ip: "listen ${ip}:443 http3;") listenIPs) + ''
add_header Alt-Svc 'h3=":443"';
'';
in
{
listenAddresses = listenIPs;
sslCertificate = "/var/lib/acme/int.chir.rs/cert.pem";
sslCertificateKey = "/var/lib/acme/int.chir.rs/key.pem";
locations."/" = {
proxyPass = "http://127.0.0.1:11334/";
proxyWebsockets = true;
};
};
};
sops.secrets."services/rspamd/dkim/darkkirb.de" = { owner = "rspamd"; };
sops.secrets."services/rspamd/dkim/miifox.net" = { owner = "rspamd"; };
sops.secrets."services/rspamd/dkim/chir.rs" = { owner = "rspamd"; };
networking.nameservers = lib.mkForce [ "fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49" ];
networking.firewall.interfaces."wg0".allowedTCPPorts = [
11332
11334
];
}