nixpkgs/nixos/modules/services/mail/rmilter.nix

{ config, lib, pkgs, ... }:

with lib;

let

  rspamdCfg = config.services.rspamd;
  postfixCfg = config.services.postfix;
  cfg = config.services.rmilter;

  inetSocket = addr: port: "inet:${addr}:${toString port}";
  unixSocket = sock: "unix:${sock}";

  systemdSocket = if cfg.bindSocket.type == "unix" then cfg.bindSocket.path
    else "${cfg.bindSocket.address}:${toString cfg.bindSocket.port}";
  rmilterSocket = if cfg.bindSocket.type == "unix" then unixSocket cfg.bindSocket.path
    else inetSocket cfg.bindSocket.address cfg.bindSocket.port;

  rmilterConf = ''
    pidfile = /run/rmilter/rmilter.pid;
    bind_socket = ${if cfg.socketActivation then "fd:3" else rmilterSocket};
    tempdir = /tmp;
  '' + (with cfg.rspamd; if enable then ''
    spamd {
      servers = ${concatStringsSep ", " servers};
      connect_timeout = 1s;
      results_timeout = 20s;
      error_time = 10;
      dead_time = 300;
      maxerrors = 10;
      reject_message = "${rejectMessage}";
      ${optionalString (length whitelist != 0)  "whitelist = ${concatStringsSep ", " whitelist};"}

      # rspamd_metric - metric for using with rspamd
      # Default: "default"
      rspamd_metric = "default";
      ${extraConfig}
    };
  '' else "") + cfg.extraConfig;

  rmilterConfigFile = pkgs.writeText "rmilter.conf" rmilterConf;

in

{

  ###### interface

  options = {

    services.rmilter = {

      enable = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to run the rmilter daemon.";
      };

      debug = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to run the rmilter daemon in debug mode.";
      };

      user = mkOption {
        type = types.string;
        default = "rmilter";
        description = ''
          User to use when no root privileges are required.
        '';
       };

      group = mkOption {
        type = types.string;
        default = "rmilter";
        description = ''
          Group to use when no root privileges are required.
        '';
       };

      bindSocket.type = mkOption {
        type = types.enum [ "unix" "inet" ];
        default = "unix";
        description = ''
          What kind of socket rmilter should listen on. Either "unix"
          for an Unix domain socket or "inet" for a TCP socket.
        '';
      };

      bindSocket.path = mkOption {
       type = types.str;
       default = "/run/rmilter.sock";
       description = ''
          Path to Unix domain socket to listen on.
        '';
      };

      bindSocket.address = mkOption {
        type = types.str;
        default = "[::1]";
        example = "0.0.0.0";
        description = ''
          Inet address to listen on.
        '';
      };

      bindSocket.port = mkOption {
        type = types.int;
        default = 11990;
        description = ''
          Inet port to listen on.
        '';
      };

      socketActivation = mkOption {
        type = types.bool;
        default = true;
        description = ''
          Enable systemd socket activation for rmilter.

          Disabling socket activation is not recommended when a Unix
          domain socket is used and could lead to incorrect
          permissions.
        '';
      };

      rspamd = {
        enable = mkOption {
          type = types.bool;
          default = rspamdCfg.enable;
          description = "Whether to use rspamd to filter mails";
        };

        servers = mkOption {
          type = types.listOf types.str;
          default = ["r:/run/rspamd/rspamd.sock"];
          description = ''
            Spamd socket definitions.
            Is server name is prefixed with r: it is rspamd server.
          '';
        };

        whitelist = mkOption {
          type = types.listOf types.str;
          default = [ ];
          description = "list of ips or nets that should be not checked with spamd";
        };

        rejectMessage = mkOption {
          type = types.str;
          default = "Spam message rejected; If this is not spam contact abuse";
          description = "reject message for spam";
        };

        extraConfig = mkOption {
          type = types.lines;
          default = "";
          description = "Custom snippet to append to end of `spamd' section";
        };
      };

      extraConfig = mkOption {
        type = types.lines;
        default = "";
        description = "Custom snippet to append to rmilter config";
      };

      postfix = {
        enable = mkOption {
          type = types.bool;
          default = false;
          description = "Add rmilter to postfix main.conf";
        };

        configFragment = mkOption {
          type = types.str;
          description = "Addon to postfix configuration";
          default = ''
            smtpd_milters = ${rmilterSocket}
            milter_protocol = 6
            milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
          '';
        };
      };

    };

  };


  ###### implementation

  config = mkMerge [

    (mkIf cfg.enable {
      warnings = [
        ''`config.services.rmilter' is deprecated, `rmilter' deprecated and unsupported by upstream, and will be removed from next releases. Use built-in rspamd milter instead.''
      ];

      users.users = singleton {
        name = cfg.user;
        description = "rmilter daemon";
        uid = config.ids.uids.rmilter;
        group = cfg.group;
      };

      users.groups = singleton {
        name = cfg.group;
        gid = config.ids.gids.rmilter;
      };

      systemd.services.rmilter = {
        description = "Rmilter Service";

        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];

        serviceConfig = {
          ExecStart = "${pkgs.rmilter}/bin/rmilter ${optionalString cfg.debug "-d"} -n -c ${rmilterConfigFile}";
          ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
          User = cfg.user;
          Group = cfg.group;
          PermissionsStartOnly = true;
          Restart = "always";
          RuntimeDirectory = "rmilter";
          RuntimeDirectoryMode = "0750";
        };

      };

      systemd.sockets.rmilter = mkIf cfg.socketActivation {
        description = "Rmilter service socket";
        wantedBy = [ "sockets.target" ];
        socketConfig = {
          ListenStream = systemdSocket;
          SocketUser = cfg.user;
          SocketGroup = cfg.group;
          SocketMode = "0660";
        };
      };
    })

    (mkIf (cfg.enable && cfg.rspamd.enable && rspamdCfg.enable) {
      users.users.${cfg.user}.extraGroups = [ rspamdCfg.group ];
    })

    (mkIf (cfg.enable && cfg.postfix.enable) {
      services.postfix.extraConfig = cfg.postfix.configFragment;
      users.users.${postfixCfg.user}.extraGroups = [ cfg.group ];
    })
  ];
}
nixos: add module for rmilter 2016-01-14 11:17:27 +02:00			`{ config, lib, pkgs, ... }:`

			`with lib;`

			`let`

			`rspamdCfg = config.services.rspamd;`
rmilter/rspamd service: tighten unix socket permissions 2017-03-17 23:01:24 +01:00			`postfixCfg = config.services.postfix;`
nixos: add module for rmilter 2016-01-14 11:17:27 +02:00			`cfg = config.services.rmilter;`

rmilter: fix inetSocket IPv6 address has to be between [] and the port after. 2018-09-09 22:45:05 +02:00			`inetSocket = addr: port: "inet:${addr}:${toString port}";`
rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`unixSocket = sock: "unix:${sock}";`
rmilter: socket activation in nixos 2016-02-12 18:11:40 +02:00
rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`systemdSocket = if cfg.bindSocket.type == "unix" then cfg.bindSocket.path`
			`else "${cfg.bindSocket.address}:${toString cfg.bindSocket.port}";`
			`rmilterSocket = if cfg.bindSocket.type == "unix" then unixSocket cfg.bindSocket.path`
			`else inetSocket cfg.bindSocket.address cfg.bindSocket.port;`
rmilter: socket activation in nixos 2016-02-12 18:11:40 +02:00
nixos: add module for rmilter 2016-01-14 11:17:27 +02:00			`rmilterConf = ''`
rmilter service: Fix a couple of bugs * The module uses `stringSplit` but it should be `splitString` * `rmilter` doesn't actually support binding to multiple sockets. Therefore, bind to the last one specified if `socketActivation` is `false`. I also believe there is a bug in this module related to systemd `ListenStream`. If `socketActivation` is true, Postfix gets connection timeouts trying to connect to one of the `ListenStream` inet addresses. I don't know enough about `ListenStream` passing connections on to `fd:3` to understand what's going on. These changes are in production (with `socketActivation = false`) via NixOps. 2017-01-13 15:23:34 -07:00			`pidfile = /run/rmilter/rmilter.pid;`
rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`bind_socket = ${if cfg.socketActivation then "fd:3" else rmilterSocket};`
rmilter service: Fix a couple of bugs * The module uses `stringSplit` but it should be `splitString` * `rmilter` doesn't actually support binding to multiple sockets. Therefore, bind to the last one specified if `socketActivation` is `false`. I also believe there is a bug in this module related to systemd `ListenStream`. If `socketActivation` is true, Postfix gets connection timeouts trying to connect to one of the `ListenStream` inet addresses. I don't know enough about `ListenStream` passing connections on to `fd:3` to understand what's going on. These changes are in production (with `socketActivation = false`) via NixOps. 2017-01-13 15:23:34 -07:00			`tempdir = /tmp;`
nixos: add module for rmilter 2016-01-14 11:17:27 +02:00			`'' + (with cfg.rspamd; if enable then ''`
rmilter service: Fix a couple of bugs * The module uses `stringSplit` but it should be `splitString` * `rmilter` doesn't actually support binding to multiple sockets. Therefore, bind to the last one specified if `socketActivation` is `false`. I also believe there is a bug in this module related to systemd `ListenStream`. If `socketActivation` is true, Postfix gets connection timeouts trying to connect to one of the `ListenStream` inet addresses. I don't know enough about `ListenStream` passing connections on to `fd:3` to understand what's going on. These changes are in production (with `socketActivation = false`) via NixOps. 2017-01-13 15:23:34 -07:00			`spamd {`
			`servers = ${concatStringsSep ", " servers};`
			`connect_timeout = 1s;`
			`results_timeout = 20s;`
			`error_time = 10;`
			`dead_time = 300;`
			`maxerrors = 10;`
			`reject_message = "${rejectMessage}";`
			`${optionalString (length whitelist != 0) "whitelist = ${concatStringsSep ", " whitelist};"}`

			`# rspamd_metric - metric for using with rspamd`
			`# Default: "default"`
			`rspamd_metric = "default";`
			`${extraConfig}`
			`};`
rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`'' else "") + cfg.extraConfig;`
nixos: add module for rmilter 2016-01-14 11:17:27 +02:00
			`rmilterConfigFile = pkgs.writeText "rmilter.conf" rmilterConf;`

			`in`

			`{`

			`###### interface`

			`options = {`

			`services.rmilter = {`

			`enable = mkOption {`
rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`type = types.bool;`
nixos/rmilter: don't enable by default, if rspamd enabled 2018-10-12 17:28:48 +03:00			`default = false;`
nixos: add module for rmilter 2016-01-14 11:17:27 +02:00			`description = "Whether to run the rmilter daemon.";`
			`};`

			`debug = mkOption {`
rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`type = types.bool;`
nixos: add module for rmilter 2016-01-14 11:17:27 +02:00			`default = false;`
			`description = "Whether to run the rmilter daemon in debug mode.";`
			`};`

			`user = mkOption {`
			`type = types.string;`
			`default = "rmilter";`
			`description = ''`
			`User to use when no root privileges are required.`
			`'';`
			`};`

			`group = mkOption {`
			`type = types.string;`
			`default = "rmilter";`
			`description = ''`
			`Group to use when no root privileges are required.`
			`'';`
			`};`

rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`bindSocket.type = mkOption {`
			`type = types.enum [ "unix" "inet" ];`
			`default = "unix";`
rmilter: socket activation in nixos 2016-02-12 18:11:40 +02:00			`description = ''`
rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`What kind of socket rmilter should listen on. Either "unix"`
			`for an Unix domain socket or "inet" for a TCP socket.`
rmilter: socket activation in nixos 2016-02-12 18:11:40 +02:00			`'';`
rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`};`

			`bindSocket.path = mkOption {`
			`type = types.str;`
rmilter: move rmilter.sock out of /run/rmilter /run/rmilter is set by systemd, and have root:root ownership, which prevent pid file to write. This fix suggested to be promoted to 18.09 branch. (Although rmilter itself is deprecated, and I plan to remove it, after 18.09 would be released) 2018-09-10 19:43:17 +03:00			`default = "/run/rmilter.sock";`
rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`description = ''`
			`Path to Unix domain socket to listen on.`
rmilter: socket activation in nixos 2016-02-12 18:11:40 +02:00			`'';`
			`};`

rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`bindSocket.address = mkOption {`
			`type = types.str;`
rmilter: fix inetSocket IPv6 address has to be between [] and the port after. 2018-09-09 22:45:05 +02:00			`default = "[::1]";`
rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`example = "0.0.0.0";`
rmilter: socket activation in nixos 2016-02-12 18:11:40 +02:00			`description = ''`
rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`Inet address to listen on.`
rmilter: socket activation in nixos 2016-02-12 18:11:40 +02:00			`'';`
rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`};`

			`bindSocket.port = mkOption {`
			`type = types.int;`
			`default = 11990;`
			`description = ''`
			`Inet port to listen on.`
rmilter: socket activation in nixos 2016-02-12 18:11:40 +02:00			`'';`
			`};`

			`socketActivation = mkOption {`
			`type = types.bool;`
			`default = true;`
			`description = ''`
			`Enable systemd socket activation for rmilter.`
rmilter service: Fix a couple of bugs * The module uses `stringSplit` but it should be `splitString` * `rmilter` doesn't actually support binding to multiple sockets. Therefore, bind to the last one specified if `socketActivation` is `false`. I also believe there is a bug in this module related to systemd `ListenStream`. If `socketActivation` is true, Postfix gets connection timeouts trying to connect to one of the `ListenStream` inet addresses. I don't know enough about `ListenStream` passing connections on to `fd:3` to understand what's going on. These changes are in production (with `socketActivation = false`) via NixOps. 2017-01-13 15:23:34 -07:00
			`Disabling socket activation is not recommended when a Unix`
			`domain socket is used and could lead to incorrect`
rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`permissions.`
rmilter: socket activation in nixos 2016-02-12 18:11:40 +02:00			`'';`
nixos: add module for rmilter 2016-01-14 11:17:27 +02:00			`};`

			`rspamd = {`
			`enable = mkOption {`
rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`type = types.bool;`
nixos: add module for rmilter 2016-01-14 11:17:27 +02:00			`default = rspamdCfg.enable;`
			`description = "Whether to use rspamd to filter mails";`
			`};`

			`servers = mkOption {`
			`type = types.listOf types.str;`
rmilter service: use runtime dirctory for socket 2016-07-28 06:03:01 +02:00			`default = ["r:/run/rspamd/rspamd.sock"];`
nixos: add module for rmilter 2016-01-14 11:17:27 +02:00			`description = ''`
			`Spamd socket definitions.`
			`Is server name is prefixed with r: it is rspamd server.`
			`'';`
			`};`

			`whitelist = mkOption {`
			`type = types.listOf types.str;`
			`default = [ ];`
			`description = "list of ips or nets that should be not checked with spamd";`
			`};`

			`rejectMessage = mkOption {`
			`type = types.str;`
			`default = "Spam message rejected; If this is not spam contact abuse";`
			`description = "reject message for spam";`
			`};`

			`extraConfig = mkOption {`
			`type = types.lines;`
			`default = "";`
			description = "Custom snippet to append to end of `spamd' section";
			`};`
			`};`

			`extraConfig = mkOption {`
			`type = types.lines;`
			`default = "";`
			`description = "Custom snippet to append to rmilter config";`
			`};`

			`postfix = {`
			`enable = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = "Add rmilter to postfix main.conf";`
			`};`

			`configFragment = mkOption {`
			`type = types.str;`
			`description = "Addon to postfix configuration";`
			`default = ''`
rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`smtpd_milters = ${rmilterSocket}`
			`milter_protocol = 6`
			`milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}`
nixos: add module for rmilter 2016-01-14 11:17:27 +02:00			`'';`
			`};`
			`};`

			`};`

			`};`


			`###### implementation`

rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`config = mkMerge [`
nixos: add module for rmilter 2016-01-14 11:17:27 +02:00
rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`(mkIf cfg.enable {`
rmilter: deprecation notice 2018-09-11 06:20:55 +03:00			`warnings = [`
			''`config.services.rmilter' is deprecated, `rmilter' deprecated and unsupported by upstream, and will be removed from next releases. Use built-in rspamd milter instead.''
			`];`
nixos: add module for rmilter 2016-01-14 11:17:27 +02:00
nixos/modules: users.(extraUsers\|extraGroup->users\|group) 2018-06-30 01:58:35 +02:00			`users.users = singleton {`
rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`name = cfg.user;`
			`description = "rmilter daemon";`
			`uid = config.ids.uids.rmilter;`
			`group = cfg.group;`
			`};`
nixos: add module for rmilter 2016-01-14 11:17:27 +02:00
nixos/modules: users.(extraUsers\|extraGroup->users\|group) 2018-06-30 01:58:35 +02:00			`users.groups = singleton {`
rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`name = cfg.group;`
			`gid = config.ids.gids.rmilter;`
nixos: add module for rmilter 2016-01-14 11:17:27 +02:00			`};`

rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`systemd.services.rmilter = {`
			`description = "Rmilter Service";`

			`wantedBy = [ "multi-user.target" ];`
			`after = [ "network.target" ];`

			`serviceConfig = {`
			`ExecStart = "${pkgs.rmilter}/bin/rmilter ${optionalString cfg.debug "-d"} -n -c ${rmilterConfigFile}";`
			`ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";`
			`User = cfg.user;`
			`Group = cfg.group;`
			`PermissionsStartOnly = true;`
			`Restart = "always";`
			`RuntimeDirectory = "rmilter";`
rmilter/rspamd service: tighten unix socket permissions 2017-03-17 23:01:24 +01:00			`RuntimeDirectoryMode = "0750";`
rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`};`
nixos: add module for rmilter 2016-01-14 11:17:27 +02:00
rmilter: socket activation in nixos 2016-02-12 18:11:40 +02:00			`};`
nixos: add module for rmilter 2016-01-14 11:17:27 +02:00
rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`systemd.sockets.rmilter = mkIf cfg.socketActivation {`
			`description = "Rmilter service socket";`
			`wantedBy = [ "sockets.target" ];`
			`socketConfig = {`
			`ListenStream = systemdSocket;`
			`SocketUser = cfg.user;`
			`SocketGroup = cfg.group;`
rmilter/rspamd service: tighten unix socket permissions 2017-03-17 23:01:24 +01:00			`SocketMode = "0660";`
rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`};`
			`};`
			`})`

rmilter/rspamd service: tighten unix socket permissions 2017-03-17 23:01:24 +01:00			`(mkIf (cfg.enable && cfg.rspamd.enable && rspamdCfg.enable) {`
nixos/modules: users.(extraUsers\|extraGroup->users\|group) 2018-06-30 01:58:35 +02:00			`users.users.${cfg.user}.extraGroups = [ rspamdCfg.group ];`
rmilter/rspamd service: tighten unix socket permissions 2017-03-17 23:01:24 +01:00			`})`
rmilter service: support only one socket 2017-01-28 02:46:16 +01:00
rmilter/rspamd service: tighten unix socket permissions 2017-03-17 23:01:24 +01:00			`(mkIf (cfg.enable && cfg.postfix.enable) {`
rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`services.postfix.extraConfig = cfg.postfix.configFragment;`
nixos/modules: users.(extraUsers\|extraGroup->users\|group) 2018-06-30 01:58:35 +02:00			`users.users.${postfixCfg.user}.extraGroups = [ cfg.group ];`
rmilter service: support only one socket 2017-01-28 02:46:16 +01:00			`})`
			`];`
nixos: add module for rmilter 2016-01-14 11:17:27 +02:00			`}`