{ config, lib, pkgs, ... }: # TODO: use blacklists with lib; let cfg = config.fudo.mail.rspamd; mailCfg = config.fudo.mail; in { options.fudo.mail.rspamd = with types; { enable = mkEnableOption "Enable rspamd spam test server."; ports = { metrics = mkOption { type = port; default = 7573; }; controller = mkOption { type = port; default = 11334; }; milter = mkOption { type = port; default = 11335; }; }; antivirus = { host = mkOption { type = str; description = "Host of the ClamAV server."; }; port = mkOption { type = port; description = "Port at which to reach ClamAV"; }; }; }; config = mkIf cfg.enable { services.prometheus.exporters.rspamd = { enable = true; listenAddress = "127.0.0.1"; port = cfg.ports.metrics; }; services.rspamd = { enable = true; locals = { "milter_headers.conf".text = "extended_spam_headers = yes;"; "antivirus.conf".text = '' clamav { action = "reject"; symbol = "CLAM_VIRUS"; type = "clamav"; log_clean = true; servers = "${cfg.antivirus.host}:${toString cfg.antivirus.port}"; scan_mime_parts = false; # scan mail as a whole unit, not parts. seems to be needed to work at all } ''; # "rbl.conf".text = '' # rbls { # an_rbl # } # ''; }; overrides."milter_headers.conf".text = "extended_spam_headers = true;"; workers = { rspamd_proxy = { type = "rspamd_proxy"; bindSockets = [ "localhost:${toString cfg.ports.milter}" ]; count = 4; extraConfig = '' milter = yes; timeout = 120s; upstream "local" { default = yes; self_scan = yes; } ''; }; controller = { type = "controller"; count = 4; bindSockets = [ "localhost:${toString cfg.ports.controller}" ]; includes = [ ]; }; }; }; }; }