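{ config, lib, pkgs, ... }:

# NixOS module for rmilter, the milter that sits between the MTA (postfix)
# and rspamd. Builds rmilter.conf, the systemd service/socket units and an
# optional postfix main.cf fragment from `services.rmilter.*`.
with lib;

let

  rspamdCfg = config.services.rspamd;
  cfg = config.services.rmilter;

  # Convert the systemd.socket "host:port" form into rmilter's "inet:port:host".
  # `splitString` is the lib function; the previous `stringSplit` is not
  # defined in lib, which only surfaced once bindInetSockets was non-empty
  # and socket activation was off (the only case that forces this list).
  # NOTE(review): splitting on ":" does not handle bracketed IPv6 literals.
  inetSockets = map (sock:
    let parts = splitString ":" sock;
    in "inet:${last parts}:${head parts}") cfg.bindInetSockets;
  unixSockets = map (sock: "unix:${sock}") cfg.bindUnixSockets;

  # Unix sockets first so that `head allSockets` (used for the postfix default
  # below) prefers a unix socket when both kinds are configured.
  allSockets = unixSockets ++ inetSockets;

  # With socket activation rmilter is told to use the inherited fd 3; otherwise
  # it binds every configured socket itself.
  rmilterConf = ''
    pidfile = /run/rmilter/rmilter.pid;
    bind_socket = ${if cfg.socketActivation then "fd:3" else concatStringsSep ", " allSockets};
    tempdir = /tmp;

  '' + (with cfg.rspamd; optionalString enable ''
    spamd {
      servers = ${concatStringsSep ", " servers};
      connect_timeout = 1s;
      results_timeout = 20s;
      error_time = 10;
      dead_time = 300;
      maxerrors = 10;
      reject_message = "${rejectMessage}";
      ${optionalString (whitelist != []) "whitelist = ${concatStringsSep ", " whitelist};"}

      # rspamd_metric - metric for using with rspamd
      # Default: "default"
      rspamd_metric = "default";
      ${extraConfig}
    };
  '') + cfg.extraConfig;

  rmilterConfigFile = pkgs.writeText "rmilter.conf" rmilterConf;

in

{

  ###### interface

  options = {

    services.rmilter = {

      enable = mkOption {
        type = types.bool;
        default = cfg.rspamd.enable;
        description = "Whether to run the rmilter daemon.";
      };

      debug = mkOption {
        type = types.bool;
        default = false;
        description = "Whether to run the rmilter daemon in debug mode.";
      };

      user = mkOption {
        type = types.str;
        default = "rmilter";
        description = ''
          User to use when no root privileges are required.
        '';
      };

      group = mkOption {
        type = types.str;
        default = "rmilter";
        description = ''
          Group to use when no root privileges are required.
        '';
      };

      bindUnixSockets = mkOption {
        type = types.listOf types.str;
        default = ["/run/rmilter/rmilter.sock"];
        description = ''
          Unix domain sockets to listen for MTA requests.
        '';
        example = ''
          [ "/run/rmilter.sock"]
        '';
      };

      bindInetSockets = mkOption {
        type = types.listOf types.str;
        default = [];
        description = ''
          Inet addresses to listen (in format accepted by systemd.socket)
        '';
        example = ''
          ["127.0.0.1:11990"]
        '';
      };

      socketActivation = mkOption {
        type = types.bool;
        default = true;
        description = ''
          Enable systemd socket activation for rmilter.
          (disabling socket activation not recommended
          when unix socket used, and follow to wrong
          permissions on unix domain socket.)
        '';
      };

      rspamd = {
        enable = mkOption {
          type = types.bool;
          default = rspamdCfg.enable;
          description = "Whether to use rspamd to filter mails";
        };

        servers = mkOption {
          type = types.listOf types.str;
          default = ["r:/run/rspamd/rspamd.sock"];
          description = ''
            Spamd socket definitions.
            Is server name is prefixed with r: it is rspamd server.
          '';
        };

        whitelist = mkOption {
          type = types.listOf types.str;
          default = [ ];
          description = "list of ips or nets that should be not checked with spamd";
        };

        rejectMessage = mkOption {
          type = types.str;
          default = "Spam message rejected; If this is not spam contact abuse";
          description = "reject message for spam";
        };

        extraConfig = mkOption {
          type = types.lines;
          default = "";
          description = "Custom snippet to append to end of `spamd' section";
        };
      };

      extraConfig = mkOption {
        type = types.lines;
        default = "";
        description = "Custom snippet to append to rmilter config";
      };

      postfix = {
        enable = mkOption {
          type = types.bool;
          default = false;
          description = "Add rmilter to postfix main.conf";
        };

        # The default points postfix at the first configured socket; the
        # assertion in the implementation guarantees there is one.
        configFragment = mkOption {
          type = types.str;
          description = "Addon to postfix configuration";
          default = ''
            smtpd_milters = ${head allSockets}
            # or for TCP socket
            # # smtpd_milters = inet:localhost:9900
            milter_protocol = 6
            milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
            # skip mail without checks if milter will die
            milter_default_action = accept
          '';
        };
      };

    };

  };


  ###### implementation

  config = mkIf cfg.enable {

    # Without any socket rmilter cannot be reached and `head allSockets`
    # above would fail with an unhelpful "empty list" error.
    assertions = [
      { assertion = allSockets != [];
        message = "services.rmilter: at least one of bindUnixSockets or bindInetSockets must be set.";
      }
    ];

    users.extraUsers = singleton {
      name = cfg.user;
      description = "rmilter daemon";
      uid = config.ids.uids.rmilter;
      group = cfg.group;
    };

    users.extraGroups = singleton {
      name = cfg.group;
      gid = config.ids.gids.rmilter;
    };

    systemd.services.rmilter = {
      description = "Rmilter Service";

      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];

      serviceConfig = {
        # -n: do not daemonize (systemd tracks the main process);
        # -c: the generated config; -d only when debug is requested.
        ExecStart = "${pkgs.rmilter}/bin/rmilter ${optionalString cfg.debug "-d"} -n -c ${rmilterConfigFile}";
        ExecReload = "${pkgs.coreutils}/bin/kill -USR1 $MAINPID";
        User = cfg.user;
        Group = cfg.group;
        PermissionsStartOnly = true;
        Restart = "always";
        RuntimeDirectory = "rmilter";
        RuntimeDirectoryPermissions = "0755";
      };

    };

    systemd.sockets.rmilter = mkIf cfg.socketActivation {
      description = "Rmilter service socket";
      wantedBy = [ "sockets.target" ];
      socketConfig = {
        # NOTE(review): rmilter is configured with `bind_socket = fd:3`, so
        # only the first listed socket appears to be served under activation.
        ListenStream = cfg.bindUnixSockets ++ cfg.bindInetSockets;
        SocketUser = cfg.user;
        SocketGroup = cfg.group;
        # World-writable: any local user can talk to the milter. Postfix is
        # added to cfg.group below, so "0660" would suffice for the postfix
        # integration; kept at "0666" for MTAs running under other users.
        SocketMode = "0666";
      };
    };

    services.postfix.extraConfig = optionalString cfg.postfix.enable cfg.postfix.configFragment;
    # Granted unconditionally (not only with postfix.enable) so a hand-written
    # main.cf milter entry still reaches the socket.
    users.users.postfix.extraGroups = [ cfg.group ];
  };

}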