feat(vesuvio): add rspamd

2025-01-08 00:44:41 +01:00 · 2025-01-08 00:44:41 +01:00 · 92f3f0e0ca
commit 92f3f0e0ca
parent dd9dd6d516
5 changed files with 51 additions and 1 deletions
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -43,4 +43,5 @@ in
  "etna/cobaltTokens.age".publicKeys = main ++ [ etna ];

  "vesuvio/maddyEnv.age".publicKeys = main ++ [ vesuvio ];
+  "vesuvio/rspamdPassword.age".publicKeys = main ++ [ vesuvio ];
 }
--- a/secrets/vesuvio/rspamdPassword.age
+++ b/secrets/vesuvio/rspamdPassword.age
@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSUw2b0luVmJzcGpJK2g2
+QmZGMjZMSENzSWhiemVSZGRxR1dYVDhwckF3CnRlZzVRWVRoR2xzdkNIbTJBM1hi
+M1VZWkwxZVZGS3B3a2dYODJucUE1bGsKLT4gWDI1NTE5IDRXZjhBbHo3U3oremo2
+djVPZWxQM1NDalpKVmV0KzJCVW5TVzlpMHYwajQKMkVKM2MrV2pCb3g4SUt1RjFE
+Z0pTZVQwRWFWT1hDdk5HRHVkWEQ5YWEwcwotPiBYMjU1MTkgMGJPSHFiZyt4aUg4
+aDRjSVQ2SkdYNU8yMzFJVjNwYTZPRTloYW5jUGFBZwppRTlHcDBtUmdoSHlzOVlm
+SjVFS2J5d1ZEME5UTlNSSklYN3JkZk5nb1pZCi0+IFgyNTUxOSBjSVZZZUFjL0JC
+bzVhWXVVVld1MGFoRmM3clZHanZ5aTNzYXpnMEVWK3ljClFqZTRpMlpOcW9vSits
+NU0yQzRPQ1JqajdzSnJOZVNiYlo4ejBFblhiSzQKLS0tIGt0WU5FRGt3VzVUbmlx
+eitOZXVrMm0wYmc4QzE3WldMV2xyazNoUnkyTlkK0E7n/mjIjtOJvcEL9l5ruTqQ
+wYLglgs3vZCp7Wz0hF921qopRZzAa6TrU7sR7bJauXrQQ0TaCLb6lFf92pIzJiW5
+SU7dMYFn/w==
+-----END AGE ENCRYPTED FILE-----
--- a/systems/vesuvio/mail/default.nix
+++ b/systems/vesuvio/mail/default.nix
@ -2,5 +2,6 @@
  imports = [
    ./maddy.nix
    ./mta-sts.nix
+    ./rspamd.nix
  ];
 }
--- a/systems/vesuvio/mail/maddy.nix
+++ b/systems/vesuvio/mail/maddy.nix
@ -62,7 +62,9 @@ in
      ## message reception

      msgpipeline local_routing {
-        # TODO: checks (rspamd)
+        check {
+          rspamd
+        }

        modify {
          replace_rcpt &local_rewrites
--- a/systems/vesuvio/mail/rspamd.nix
+++ b/systems/vesuvio/mail/rspamd.nix
@ -0,0 +1,32 @@
+{ config, _utils, ... }:
+let
+  password = _utils.setupSingleSecret config "rspamdPassword" {
+    owner = config.services.rspamd.user;
+    inherit (config.services.rspamd) group;
+  };
+in
+{
+  imports = [ password.generate ];
+
+  services = {
+    redis.servers.rspamd = {
+      enable = true;
+      user = config.services.rspamd.user;
+      port = 0; # disable tcp
+    };
+
+    rspamd = {
+      enable = true;
+      locals = {
+        "redis.conf".text = ''
+          servers = ${config.services.redis.servers.rspamd.unixSocket};
+        '';
+      };
+
+      workers = {
+        controller.includes = [ password.path ];
+        normal.bindSockets = [ "127.0.0.1:11333" ]; # maddy queries port 11333
+      };
+    };
+  };
+}