From 167176b41790541bd6a03f0ba1358b3d70a0531f Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 22 Jun 2019 12:43:32 +0200 Subject: exim-retiolum module: drop api and imp --- krebs/3modules/exim-retiolum.nix | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) (limited to 'krebs/3modules/exim-retiolum.nix') diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix index e0802497..bf37a1ef 100644 --- a/krebs/3modules/exim-retiolum.nix +++ b/krebs/3modules/exim-retiolum.nix @@ -1,15 +1,8 @@ -{ config, pkgs, lib, ... }: - with import ; -let +{ config, pkgs, lib, ... }: let cfg = config.krebs.exim-retiolum; - - out = { - options.krebs.exim-retiolum = api; - config = lib.mkIf cfg.enable imp; - }; - - api = { +in { + options.krebs.exim-retiolum = { enable = mkEnableOption "krebs.exim-retiolum"; local_domains = mkOption { type = with types; listOf hostname; @@ -29,8 +22,7 @@ let ]; }; }; - - imp = { + config = lib.mkIf cfg.enable { krebs.exim = { enable = true; config = @@ -118,4 +110,4 @@ let ''; }; }; -in out +} -- cgit v1.2.3 From 3d4d39eecc86b9b67c74ec3c9997099c3f243970 Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 22 Jun 2019 12:55:16 +0200 Subject: exim modules: mark nested syntax --- krebs/3modules/exim-retiolum.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'krebs/3modules/exim-retiolum.nix') diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix index bf37a1ef..dbd98d05 100644 --- a/krebs/3modules/exim-retiolum.nix +++ b/krebs/3modules/exim-retiolum.nix @@ -29,7 +29,7 @@ in { # This configuration makes only sense for retiolum-enabled hosts. # TODO modular configuration assert config.krebs.tinc.retiolum.enable; - '' + /* exim */ '' keep_environment = primary_hostname = ${cfg.primary_hostname} -- cgit v1.2.3 From bd12c487c31b448b87e37efbae74953df689e7f4 Mon Sep 17 00:00:00 2001 
From: tv Date: Sun, 23 Jun 2019 21:06:48 +0200 Subject: exim-retiolum module: integrate rspamd --- krebs/3modules/exim-retiolum.nix | 47 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) (limited to 'krebs/3modules/exim-retiolum.nix') diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix index dbd98d05..854fdd70 100644 --- a/krebs/3modules/exim-retiolum.nix +++ b/krebs/3modules/exim-retiolum.nix @@ -21,7 +21,32 @@ in { "*.r" ]; }; + rspamd = { + enable = mkEnableOption "krebs.exim-retiolum.rspamd" // { + default = false; + }; + local_networks = mkOption { + type = types.listOf types.cidr; + default = [ + config.krebs.build.host.nets.retiolum.ip4.prefix + config.krebs.build.host.nets.retiolum.ip6.prefix + ]; + }; + }; }; + imports = [ + { + config = lib.mkIf cfg.rspamd.enable { + services.rspamd.enable = true; + services.rspamd.locals."options.inc".text = '' + local_networks = ${toJSON cfg.rspamd.local_networks}; + ''; + users.users.${config.krebs.exim.user.name}.extraGroups = [ + config.services.rspamd.group + ]; + }; + } + ]; config = lib.mkIf cfg.enable { krebs.exim = { enable = true; @@ -36,6 +61,10 @@ in { domainlist local_domains = ${concatStringsSep ":" cfg.local_domains} domainlist relay_to_domains = ${concatStringsSep ":" cfg.relay_to_domains} + ${optionalString cfg.rspamd.enable /* exim */ '' + spamd_address = /run/rspamd/rspamd.sock variant=rspamd + ''} + acl_smtp_rcpt = acl_check_rcpt acl_smtp_data = acl_check_data @@ -64,6 +93,24 @@ in { acl_check_data: + ${optionalString cfg.rspamd.enable /* exim */ '' + accept condition = ''${if eq{$interface_port}{587}} + + warn remove_header = ${concatStringsSep " : " [ + "x-spam" + "x-spam-report" + "x-spam-score" + ]} + + warn + spam = nobody:true + + warn + condition = ''${if !eq{$spam_action}{no action}} + add_header = X-Spam: Yes + add_header = X-Spam-Report: $spam_report + add_header = X-Spam-Score: $spam_score + ''} accept -- cgit v1.2.3 
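Review bot: The rspamd block under `imports` is guarded only by `cfg.rspamd.enable`, so setting `krebs.exim-retiolum.rspamd.enable` on a host where `krebs.exim-retiolum.enable` is false still starts rspamd and adds the exim user to the rspamd group. Guarding it with `config = lib.mkIf (cfg.enable && cfg.rspamd.enable) {` would keep the extra service and the group membership tied to the mail setup that actually uses them. The `// { default = false; }` on `mkEnableOption` is redundant, since that is already its default.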
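Review bot: The socket path in `spamd_address = /run/rspamd/rspamd.sock variant=rspamd` is hard-coded, while nothing in this commit pins where the rspamd worker listens, so the two can drift apart without any evaluation error. Either derive the path from the rspamd service configuration or add a comment above the line such as `# must match the bind socket of rspamd's normal worker`. It is also worth confirming that the socket's mode lets the group granted to the exim user connect, because a scan that cannot reach the daemon appears not to block delivery in this ACL.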
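Review bot: The tagging rule `condition = ''${if !eq{$spam_action}{no action}}` is also true when `$spam_action` is empty, which as far as I can tell is the case whenever the preceding `warn spam = nobody:true` could not complete (rspamd stopped, socket unreadable), so every message would then be marked `X-Spam: Yes` with an empty report and score. Requiring a non-empty value avoids that: `condition = ''${if and{{!eq{$spam_action}{}}{!eq{$spam_action}{no action}}}}`. Separately, the leading `accept condition = ''${if eq{$interface_port}{587}}` skips both the scan and the `remove_header` step based on the port alone. Whether that listener requires authentication is not visible in this hunk, so consider keying the bypass on `authenticated = *` and moving the header removal above it, so that client-supplied `X-Spam*` headers are always stripped.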
From 8a48f8dd6802c3239d433d381228e86fc2781e29 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 24 Jun 2019 03:15:34 +0200 Subject: exim-retiolum module: replace UCL by "JSON" --- krebs/3modules/exim-retiolum.nix | 34 +++++++++++++++++++++++++--------- 1 file changed, 25 insertions(+), 9 deletions(-) (limited to 'krebs/3modules/exim-retiolum.nix') diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix index 854fdd70..89a05c8f 100644 --- a/krebs/3modules/exim-retiolum.nix +++ b/krebs/3modules/exim-retiolum.nix @@ -1,6 +1,15 @@ with import ; { config, pkgs, lib, ... }: let cfg = config.krebs.exim-retiolum; + + # Due to improvements to the JSON notation, braces around top-level objects + # are not necessary^Wsupported by rspamd's parser when including files: + # https://github.com/rspamd/rspamd/issues/2674 + toMostlyJSON = value: + assert typeOf value == "set"; + (s: substring 1 (stringLength s - 2) s) + (toJSON value); + in { options.krebs.exim-retiolum = { enable = mkEnableOption "krebs.exim-retiolum"; @@ -25,12 +34,16 @@ in { enable = mkEnableOption "krebs.exim-retiolum.rspamd" // { default = false; }; - local_networks = mkOption { - type = types.listOf types.cidr; - default = [ - config.krebs.build.host.nets.retiolum.ip4.prefix - config.krebs.build.host.nets.retiolum.ip6.prefix - ]; + locals = { + options = { + local_networks = mkOption { + type = types.listOf types.cidr; + default = [ + config.krebs.build.host.nets.retiolum.ip4.prefix + config.krebs.build.host.nets.retiolum.ip6.prefix + ]; + }; + }; }; }; }; 
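Review bot: `toMostlyJSON` strips the outer braces by character position and its `assert typeOf value == "set";` has no message, so a wrong argument fails evaluation with a bare assertion error that does not name the helper. A guard such as `if typeOf value != "set" then throw "toMostlyJSON: expected an attribute set" else ...` would make the failure self-explanatory. The comment's `necessary^Wsupported` joke is easy to misread; I would state it plainly, for example `# rspamd's parser rejects braces around the top-level object of an included file (issue 2674), so strip them.`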
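Review bot: Moving the option to `rspamd.locals.options.local_networks` removes the old path `krebs.exim-retiolum.rspamd.local_networks` without an alias, so any host configuration that set it now fails evaluation; a `mkRenamedOptionModule` entry would bridge that if any host sets it. The option also still has no `description`. Its default hands the whole retiolum IPv4 and IPv6 prefixes to rspamd as local networks, so I would document that, for example `description = "Networks rspamd treats as local; defaults to the retiolum prefixes.";`, so that anyone overriding it knows what trust they are widening or narrowing.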
@@ -38,9 +51,12 @@ in { { config = lib.mkIf cfg.rspamd.enable { services.rspamd.enable = true; - services.rspamd.locals."options.inc".text = '' - local_networks = ${toJSON cfg.rspamd.local_networks}; - ''; + services.rspamd.locals = + mapAttrs' + (name: value: nameValuePair "${name}.inc" { + text = toMostlyJSON value; + }) + cfg.rspamd.locals; users.users.${config.krebs.exim.user.name}.extraGroups = [ config.services.rspamd.group ]; -- cgit v1.2.3 From d343910e98736a94431fcac3da21274d2ecec449 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 24 Jun 2019 03:16:02 +0200 Subject: exim-retiolum module: optionalize rspamd log level --- krebs/3modules/exim-retiolum.nix | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'krebs/3modules/exim-retiolum.nix') diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix index 89a05c8f..118a8b2d 100644 --- a/krebs/3modules/exim-retiolum.nix +++ b/krebs/3modules/exim-retiolum.nix @@ -35,6 +35,19 @@ in { default = false; }; locals = { + logging = { + level = mkOption { + type = types.enum [ + "error" + "warning" + "notice" + "info" + "debug" + "silent" + ]; + default = "notice"; + }; + }; options = { local_networks = mkOption { type = types.listOf types.cidr; -- cgit v1.2.3
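Review bot: The new `logging.level` option has no `description`, and two of its values change what reaches the logs in ways worth spelling out. `silent` presumably leaves no record of scan results to consult during an incident, and `debug` is verbose enough that it may, depending on rspamd's output, include details of scanned mail. I would add something like `description = "rspamd log level; debug is verbose and silent disables the scan audit trail.";` next to the `default = "notice";` line.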