# rspamd half of the fudo mail-server module: enables rspamd with a milter
# proxy worker for Postfix, a controller worker, ClamAV scanning through the
# antivirus module, and the Prometheus rspamd exporter.
{ config, pkgs, lib, ... }:

let
  inherit (lib) mkIf optional;

  cfg = config.fudo.mail-server;

  # rspamd is only tied to the ClamAV daemon when the mail-server option asks
  # for it; the list is empty otherwise.
  clamavUnits = optional cfg.clamav.enable "clamav-daemon.service";

in {
  config = mkIf cfg.enable {
    services.prometheus.exporters.rspamd.enable = true;

    services.rspamd = {
      enable = true;

      locals = {
        "milter_headers.conf" = {
          text = ''
            extended_spam_headers = yes;
          '';
        };

        # NOTE(review): this stanza is written whether or not cfg.clamav.enable
        # is set, while the systemd dependency on clamav-daemon below is
        # conditional. Confirm what rspamd does with mail when the clamd socket
        # is absent, so that unscanned mail is not accepted without notice.
        "antivirus.conf" = {
          text = ''
            clamav {
              action = "reject";
              symbol = "CLAM_VIRUS";
              type = "clamav";
              log_clean = true;
              servers = "/run/clamav/clamd.ctl";
              scan_mime_parts = false; # scan mail as a whole unit, not parts. seems to be needed to work at all
            }
          '';
        };
      };

      # The same setting is also given in `locals` above (as `yes`); presumably
      # only one of the two is needed - verify which one rspamd applies.
      overrides = {
        "milter_headers.conf" = {
          text = ''
            extended_spam_headers = true;
          '';
        };
      };

      workers = {
        # Milter endpoint for the MTA. Mode 0664 gives read/write to the socket
        # owner and group only; the Postfix user is added to the rspamd group
        # at the bottom of this module.
        rspamd_proxy = {
          type = "rspamd_proxy";
          bindSockets = [
            {
              socket = "/run/rspamd/rspamd-milter.sock";
              mode = "0664";
            }
          ];
          count = 1; # Do not spawn too many processes of this type
          extraConfig = ''
            milter = yes; # Enable milter mode
            timeout = 120s; # Needed for Milter usually
            upstream "local" {
              default = yes; # Self-scan upstreams are always default
              self_scan = yes; # Enable self-scan
            }
          '';
        };

        # NOTE(review): mode 0666 makes the controller socket writable by every
        # local account (subject to the permissions on /run/rspamd). rspamd is
        # understood to treat unix-socket controller clients as trusted, so
        # this may expose privileged controller commands to any local user -
        # confirm, then consider 0660 plus group membership for the services
        # that actually need it. No controller password is set in this module.
        controller = {
          type = "controller";
          count = 1;
          bindSockets = [
            "localhost:11334"
            {
              socket = "/run/rspamd/worker-controller.sock";
              mode = "0666";
            }
          ];
          includes = [ ];
        };
      };
    };

    systemd.services = {
      # Start rspamd after ClamAV and stop it with ClamAV, when enabled.
      rspamd = {
        requires = clamavUnits;
        after = clamavUnits;
      };

      # Postfix is started only once rspamd is up.
      postfix = {
        after = [ "rspamd.service" ];
        requires = [ "rspamd.service" ];
      };
    };

    # Presumably what lets Postfix open the 0664 milter socket - confirm that
    # the socket's group is config.services.rspamd.group.
    users.extraUsers.${config.services.postfix.user}.extraGroups =
      [ config.services.rspamd.group ];
  };
}