195 lines
6 KiB
Nix
195 lines
6 KiB
Nix
{ config, lib, ... }:
|
|
{
|
|
services = {
|
|
# TODO: Antivirus
|
|
|
|
rspamd = {
|
|
enable = true;
|
|
locals = {
|
|
"dkim_signing.conf".text = builtins.toJSON {
|
|
domain = {
|
|
"darkkirb.de" = {
|
|
selector = "dkim";
|
|
path = "${config.sops.secrets."services/rspamd/dkim/darkkirb.de".path}";
|
|
};
|
|
"miifox.net" = {
|
|
selector = "dkim";
|
|
path = "${config.sops.secrets."services/rspamd/dkim/miifox.net".path}";
|
|
};
|
|
"chir.rs" = {
|
|
selector = "dkim";
|
|
path = "${config.sops.secrets."services/rspamd/dkim/chir.rs".path}";
|
|
};
|
|
};
|
|
};
|
|
"dmarc.conf".text = builtins.toJSON {
|
|
actions = {
|
|
reject = "reject";
|
|
quarantine = "quarantine";
|
|
softfail = "add_header";
|
|
};
|
|
};
|
|
"greylist.conf".text = builtins.toJSON {
|
|
greylist_min_score = 0;
|
|
};
|
|
"hfilter.conf".text = builtins.toJSON {
|
|
helo_enabled = true;
|
|
hostname_enabled = true;
|
|
url_enabled = true;
|
|
from_enabled = true;
|
|
rcpt_enabled = true;
|
|
mid_enabled = true;
|
|
};
|
|
"history.conf".text = builtins.toJSON {
|
|
nrows = 1000;
|
|
subject_privacy = true;
|
|
};
|
|
"milter.conf".text = builtins.toJSON {
|
|
use = [
|
|
"authentication-results"
|
|
"fuzzy-hashes"
|
|
"spam-header"
|
|
"stat-signature"
|
|
"x-rspamd-queue-id"
|
|
"x-rspamd-result"
|
|
"x-rspamd-server"
|
|
"x-rspamd-bar"
|
|
"x-spam-status"
|
|
];
|
|
};
|
|
"mx_check.conf".text = builtins.toJSON {
|
|
enabled = true;
|
|
};
|
|
"neural.conf".text = builtins.toJSON {
|
|
enabled = true;
|
|
rules = {
|
|
LONG = {
|
|
train = {
|
|
max_trains = 5000;
|
|
max_usages = 200;
|
|
max_iterations = 25;
|
|
learning_rate = 0.01;
|
|
};
|
|
symbol_spam = "NEURAL_SPAM_LONG";
|
|
symbol_ham = "NEURAL_HAM_LONG";
|
|
ann_expire = "365d";
|
|
};
|
|
SHORT = {
|
|
train = {
|
|
max_trains = 5000;
|
|
max_usages = 2;
|
|
max_iterations = 25;
|
|
learning_rate = 0.01;
|
|
};
|
|
symbol_spam = "NEURAL_SPAM_SHORT";
|
|
symbol_ham = "NEURAL_HAM_SHORT";
|
|
ann_expire = "30d";
|
|
};
|
|
};
|
|
};
|
|
"neural_group.conf".text = builtins.toJSON {
|
|
symbols = {
|
|
NEURAL_SPAM_LONG = {
|
|
weight = 3.0; # sample weight
|
|
description = "Neural network spam (long)";
|
|
};
|
|
NEURAL_HAM_LONG = {
|
|
weight = -3.0; # sample weight
|
|
description = "Neural network ham (long)";
|
|
};
|
|
NEURAL_SPAM_SHORT = {
|
|
weight = 2.0; # sample weight
|
|
description = "Neural network spam (short)";
|
|
};
|
|
NEURAL_HAM_SHORT = {
|
|
weight = -1.0; # sample weight
|
|
description = "Neural network ham (short)";
|
|
};
|
|
};
|
|
};
|
|
"phishing.conf".text = builtins.toJSON {
|
|
openphish_enabled = true;
|
|
};
|
|
"reputation.conf".text = builtins.toJSON {
|
|
rules = {
|
|
ip_reputation = {
|
|
selector.type = "ip";
|
|
backend.type = "redis";
|
|
symbol = "IP_REPUTATION";
|
|
};
|
|
spf_reputation = {
|
|
selector.type = "spf";
|
|
backend.type = "redis";
|
|
symbol = "SPF_REPUTATION";
|
|
};
|
|
dkim_reputation = {
|
|
selector.type = "dkim";
|
|
backend.type = "redis";
|
|
symbol = "DKIM_REPUTATION";
|
|
};
|
|
asn_reputation = {
|
|
selector.type = "generic";
|
|
selector.selector = "asn";
|
|
backend.type = "redis";
|
|
symbol = "ASN_REPUTATION";
|
|
};
|
|
country_reputation = {
|
|
selector.type = "generic";
|
|
selector.selector = "country";
|
|
backend.type = "redis";
|
|
symbol = "COUNTRY_REPUTATION";
|
|
};
|
|
};
|
|
};
|
|
"replies.conf".text = builtins.toJSON {
|
|
expire = "7d";
|
|
symbol = "REPLY";
|
|
};
|
|
"redis.conf".text = builtins.toJSON {
|
|
servers = "${config.services.redis.rspamd.bind}:${toString config.services.redis.rspamd.port}";
|
|
};
|
|
};
|
|
workers = {
|
|
normal = {
|
|
includes = [ "$CONFDIR/worker-normal.inc" ];
|
|
bindSockets = [ "*:11332" ];
|
|
};
|
|
controller = {
|
|
includes = [ "$CONFDIR/worker-controller.inc" ];
|
|
bindSockets = [ "*:11334" ];
|
|
};
|
|
};
|
|
|
|
};
|
|
redis.servers.rspamd = {
|
|
enable = true;
|
|
bind = "127.0.0.1";
|
|
databases = 1;
|
|
port = 6380;
|
|
settings = {
|
|
maxmemory = "500mb";
|
|
maxmemory-policy = "volatile-ttl";
|
|
};
|
|
};
|
|
nginx.virtualHosts."rspamd.int.chir.rs" =
|
|
let
|
|
listenIPs = (import ../../utils/getInternalIP.nix config).listenIPs;
|
|
listenStatements = lib.concatStringsSep "\n" (builtins.map (ip: "listen ${ip}:443 http3;") listenIPs) + ''
|
|
add_header Alt-Svc 'h3=":443"';
|
|
'';
|
|
in
|
|
{
|
|
listenAddresses = listenIPs;
|
|
sslCertificate = "/var/lib/acme/int.chir.rs/cert.pem";
|
|
sslCertificateKey = "/var/lib/acme/int.chir.rs/key.pem";
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:11334/";
|
|
proxyWebsockets = true;
|
|
};
|
|
};
|
|
};
|
|
sops.secrets."services/rspamd/dkim/darkkirb.de" = { owner = "rspamd"; };
|
|
sops.secrets."services/rspamd/dkim/miifox.net" = { owner = "rspamd"; };
|
|
sops.secrets."services/rspamd/dkim/chir.rs" = { owner = "rspamd"; };
|
|
networking.nameservers = lib.mkForce [ "fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49" ];
|
|
}
|