From 92f3f0e0ca7e81c0ac2a3ef458c15fe4c98655ee Mon Sep 17 00:00:00 2001
From: uku
Date: Wed, 8 Jan 2025 00:44:41 +0100
Subject: [PATCH] feat(vesuvio): add rspamd
---
 secrets/secrets.nix | 1 +
 secrets/vesuvio/rspamdPassword.age | 14 +++++++++++++
 systems/vesuvio/mail/default.nix | 1 +
 systems/vesuvio/mail/maddy.nix | 4 +++-
 systems/vesuvio/mail/rspamd.nix | 32 ++++++++++++++++++++++++++++++
 5 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 secrets/vesuvio/rspamdPassword.age
 create mode 100644 systems/vesuvio/mail/rspamd.nix
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 295e53f..cdf623d 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -43,4 +43,5 @@ in
 "etna/cobaltTokens.age".publicKeys = main ++ [ etna ];
 "vesuvio/maddyEnv.age".publicKeys = main ++ [ vesuvio ];
+ "vesuvio/rspamdPassword.age".publicKeys = main ++ [ vesuvio ];
 }
diff --git a/secrets/vesuvio/rspamdPassword.age b/secrets/vesuvio/rspamdPassword.age
new file mode 100644
index 0000000..f76337c
--- /dev/null
+++ b/secrets/vesuvio/rspamdPassword.age
@@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSUw2b0luVmJzcGpJK2g2
+QmZGMjZMSENzSWhiemVSZGRxR1dYVDhwckF3CnRlZzVRWVRoR2xzdkNIbTJBM1hi
+M1VZWkwxZVZGS3B3a2dYODJucUE1bGsKLT4gWDI1NTE5IDRXZjhBbHo3U3oremo2
+djVPZWxQM1NDalpKVmV0KzJCVW5TVzlpMHYwajQKMkVKM2MrV2pCb3g4SUt1RjFE
+Z0pTZVQwRWFWT1hDdk5HRHVkWEQ5YWEwcwotPiBYMjU1MTkgMGJPSHFiZyt4aUg4
+aDRjSVQ2SkdYNU8yMzFJVjNwYTZPRTloYW5jUGFBZwppRTlHcDBtUmdoSHlzOVlm
+SjVFS2J5d1ZEME5UTlNSSklYN3JkZk5nb1pZCi0+IFgyNTUxOSBjSVZZZUFjL0JC
+bzVhWXVVVld1MGFoRmM3clZHanZ5aTNzYXpnMEVWK3ljClFqZTRpMlpOcW9vSits
+NU0yQzRPQ1JqajdzSnJOZVNiYlo4ejBFblhiSzQKLS0tIGt0WU5FRGt3VzVUbmlx
+eitOZXVrMm0wYmc4QzE3WldMV2xyazNoUnkyTlkK0E7n/mjIjtOJvcEL9l5ruTqQ
+wYLglgs3vZCp7Wz0hF921qopRZzAa6TrU7sR7bJauXrQQ0TaCLb6lFf92pIzJiW5
+SU7dMYFn/w==
+-----END AGE ENCRYPTED FILE-----
diff --git a/systems/vesuvio/mail/default.nix b/systems/vesuvio/mail/default.nix
index d9dc0ef..8344426 100644
--- a/systems/vesuvio/mail/default.nix
+++ b/systems/vesuvio/mail/default.nix
@@ -2,5 +2,6 @@
 imports = [
 ./maddy.nix
 ./mta-sts.nix
+ ./rspamd.nix
 ];
 }
diff --git a/systems/vesuvio/mail/maddy.nix b/systems/vesuvio/mail/maddy.nix
index ef70405..f31865b 100644
--- a/systems/vesuvio/mail/maddy.nix
+++ b/systems/vesuvio/mail/maddy.nix
@@ -62,7 +62,9 @@ in
 ## message reception
 msgpipeline local_routing {
- # TODO: checks (rspamd)
+ check {
+ rspamd
+ }
 modify {
 replace_rcpt &local_rewrites
diff --git a/systems/vesuvio/mail/rspamd.nix b/systems/vesuvio/mail/rspamd.nix
new file mode 100644
index 0000000..e116997
--- /dev/null
+++ b/systems/vesuvio/mail/rspamd.nix
@@ -0,0 +1,32 @@
+{ config, _utils, ... }:
+let
+ password = _utils.setupSingleSecret config "rspamdPassword" {
+ owner = config.services.rspamd.user;
+ inherit (config.services.rspamd) group;
+ };
+in
+{
+ imports = [ password.generate ];
+
+ services = {
+ redis.servers.rspamd = {
+ enable = true;
+ user = config.services.rspamd.user;
+ port = 0; # disable tcp
+ };
+
+ rspamd = {
+ enable = true;
+ locals = {
+ "redis.conf".text = ''
+ servers = ${config.services.redis.servers.rspamd.unixSocket};
+ '';
+ };
+
+ workers = {
+ controller.includes = [ password.path ];
+ normal.bindSockets = [ "127.0.0.1:11333" ]; # maddy queries port 11333
+ };
+ };
+ };
+}
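Review bot: The bare `rspamd` entry in the new `check { ... }` block of maddy.nix leaves the failure behaviour implicit. As far as I know, maddy's rspamd check defaults both `io_error_action` and `error_resp_action` to `ignore`, so mail would be accepted unscanned whenever rspamd is down or answers with an error. If that fail-open behaviour is intended, a comment such as `# fail-open: mail is accepted unscanned if rspamd is unreachable` records the decision; otherwise set those two directives explicitly in an `rspamd { ... }` block. The `msgpipeline local_routing` block starts and ends outside this hunk, so which endpoints feed it is not visible here.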
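Review bot: In rspamd.nix, `controller.includes = [ password.path ]` hands the decrypted secret to rspamd as a configuration fragment, but nothing in the file says what the secret has to contain. A comment above that line would help, for example `# secret is an rspamd config fragment: password = "HASH_FROM_RSPAMADM_PW";`, so the next rotation stores a hashed value rather than the cleartext password. It is also worth confirming that assigning `includes` here does not replace a default include the NixOS module sets for the controller worker; that cannot be seen from this hunk.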