diff options
Diffstat (limited to 'krebs/3modules/exim-retiolum.nix')
| -rw-r--r-- | krebs/3modules/exim-retiolum.nix | 117 |
1 files changed, 104 insertions, 13 deletions
diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix index e0802497..a16661c9 100644 --- a/krebs/3modules/exim-retiolum.nix +++ b/krebs/3modules/exim-retiolum.nix @@ -1,15 +1,22 @@ -{ config, pkgs, lib, ... }: - with import <stockholm/lib>; -let +{ config, pkgs, lib, ... }: let cfg = config.krebs.exim-retiolum; - out = { - options.krebs.exim-retiolum = api; - config = lib.mkIf cfg.enable imp; - }; - - api = { + # Due to improvements to the JSON notation, braces around top-level objects + # are not necessary^Wsupported by rspamd's parser when including files: + # https://github.com/rspamd/rspamd/issues/2674 + toMostlyJSON = value: + assert typeOf value == "set"; + (s: substring 1 (stringLength s - 2) s) + (toJSON value); + + to-lsearch = concatMapStrings ({ from, to, ... }: "${from}: ${to}\n"); + lsearch = mapAttrs (name: set: toFile name (to-lsearch set)) ({ + inherit (cfg) system-aliases; + }); + +in { + options.krebs.exim-retiolum = { enable = mkEnableOption "krebs.exim-retiolum"; local_domains = mkOption { type = with types; listOf hostname; @@ -28,22 +35,83 @@ let "*.r" ]; }; + rspamd = { + enable = mkEnableOption "krebs.exim-retiolum.rspamd" // { + default = false; + }; + locals = { + logging = { + level = mkOption { + type = types.enum [ + "error" + "warning" + "notice" + "info" + "debug" + "silent" + ]; + default = "notice"; + }; + }; + options = { + local_networks = mkOption { + type = types.listOf types.cidr; + default = [ + config.krebs.build.host.nets.retiolum.ip4.prefix + config.krebs.build.host.nets.retiolum.ip6.prefix + ]; + }; + }; + }; + }; + system-aliases = mkOption { + type = types.listOf (types.submodule ({ + options = { + from = mkOption { + type = types.str; # TODO e-mail address + }; + to = mkOption { + type = types.str; # TODO e-mail address / TODO listOf + }; + }; + })); + default = []; + }; }; - - imp = { + imports = [ + { + config = lib.mkIf cfg.rspamd.enable { + services.rspamd.enable = true; + services.rspamd.locals = + mapAttrs' + (name: value: nameValuePair "${name}.inc" { + text = toMostlyJSON value; + }) + cfg.rspamd.locals; + users.users.${config.krebs.exim.user.name}.extraGroups = [ + config.services.rspamd.group + ]; + }; + } + ]; + config = lib.mkIf cfg.enable { krebs.exim = { enable = true; config = # This configuration makes only sense for retiolum-enabled hosts. # TODO modular configuration assert config.krebs.tinc.retiolum.enable; - '' + /* exim */ '' keep_environment = primary_hostname = ${cfg.primary_hostname} domainlist local_domains = ${concatStringsSep ":" cfg.local_domains} domainlist relay_to_domains = ${concatStringsSep ":" cfg.relay_to_domains} + ${optionalString cfg.rspamd.enable /* exim */ '' + spamd_address = /run/rspamd/rspamd.sock variant=rspamd + ''} + acl_smtp_rcpt = acl_check_rcpt acl_smtp_data = acl_check_data @@ -72,11 +140,34 @@ let acl_check_data: + ${optionalString cfg.rspamd.enable /* exim */ '' + accept condition = ''${if eq{$interface_port}{587}} + + warn remove_header = ${concatStringsSep " : " [ + "x-spam" + "x-spam-report" + "x-spam-score" + ]} + + warn + spam = nobody:true + + warn + condition = ''${if !eq{$spam_action}{no action}} + add_header = X-Spam: Yes + add_header = X-Spam-Report: $spam_report + add_header = X-Spam-Score: $spam_score + ''} accept begin routers + system_aliases: + debug_print = "R: system_aliases for $local_part@$domain" + driver = redirect + data = ''${lookup{$local_part}lsearch{${lsearch.system-aliases}}} + local: driver = accept domains = +local_domains @@ -118,4 +209,4 @@ let ''; }; }; -in out +} |