stockholm/krebs/3modules/exim-retiolum.nix

190 lines
5 KiB
Nix
Raw Normal View History

2016-10-20 20:54:38 +02:00
with import <stockholm/lib>;
2019-06-22 12:43:32 +02:00
{ config, pkgs, lib, ... }: let
2015-08-13 11:46:09 +02:00
cfg = config.krebs.exim-retiolum;
# Due to improvements to the JSON notation, braces around top-level objects
# are not necessary^Wsupported by rspamd's parser when including files:
# https://github.com/rspamd/rspamd/issues/2674
toMostlyJSON = value:
assert typeOf value == "set";
(s: substring 1 (stringLength s - 2) s)
(toJSON value);
2019-06-22 12:43:32 +02:00
in {
options.krebs.exim-retiolum = {
2015-08-13 11:46:09 +02:00
enable = mkEnableOption "krebs.exim-retiolum";
2016-02-21 21:51:11 +01:00
local_domains = mkOption {
type = with types; listOf hostname;
default = ["localhost"] ++ config.krebs.build.host.nets.retiolum.aliases;
};
primary_hostname = mkOption {
type = types.str;
default = let x = "${config.krebs.build.host.name}.r"; in
assert elem x config.krebs.build.host.nets.retiolum.aliases;
x;
};
relay_to_domains = mkOption {
# TODO hostname with wildcards
type = with types; listOf str;
default = [
"*.r"
];
};
2019-06-23 21:06:48 +02:00
rspamd = {
enable = mkEnableOption "krebs.exim-retiolum.rspamd" // {
default = false;
};
locals = {
logging = {
level = mkOption {
type = types.enum [
"error"
"warning"
"notice"
"info"
"debug"
"silent"
];
default = "notice";
};
};
options = {
local_networks = mkOption {
type = types.listOf types.cidr;
default = [
config.krebs.build.host.nets.retiolum.ip4.prefix
config.krebs.build.host.nets.retiolum.ip6.prefix
];
};
};
2019-06-23 21:06:48 +02:00
};
};
2015-08-13 11:46:09 +02:00
};
2019-06-23 21:06:48 +02:00
imports = [
{
config = lib.mkIf cfg.rspamd.enable {
services.rspamd.enable = true;
services.rspamd.locals =
mapAttrs'
(name: value: nameValuePair "${name}.inc" {
text = toMostlyJSON value;
})
cfg.rspamd.locals;
2019-06-23 21:06:48 +02:00
users.users.${config.krebs.exim.user.name}.extraGroups = [
config.services.rspamd.group
];
};
}
];
2019-06-22 12:43:32 +02:00
config = lib.mkIf cfg.enable {
krebs.exim = {
enable = true;
config =
# This configuration makes only sense for retiolum-enabled hosts.
# TODO modular configuration
assert config.krebs.tinc.retiolum.enable;
2019-06-22 12:55:16 +02:00
/* exim */ ''
keep_environment =
2016-02-21 21:51:11 +01:00
primary_hostname = ${cfg.primary_hostname}
domainlist local_domains = ${concatStringsSep ":" cfg.local_domains}
domainlist relay_to_domains = ${concatStringsSep ":" cfg.relay_to_domains}
2015-08-13 11:46:09 +02:00
2019-06-23 21:06:48 +02:00
${optionalString cfg.rspamd.enable /* exim */ ''
spamd_address = /run/rspamd/rspamd.sock variant=rspamd
''}
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
2015-08-13 11:46:09 +02:00
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 5s
2015-08-13 11:46:09 +02:00
log_file_path = syslog
syslog_timestamp = false
syslog_duplication = false
2015-08-13 11:46:09 +02:00
2016-05-24 20:58:19 +02:00
tls_advertise_hosts =
begin acl
2015-08-13 11:46:09 +02:00
acl_check_rcpt:
deny
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
message = restricted characters in address
2015-08-13 11:46:09 +02:00
accept
domains = +local_domains : +relay_to_domains
deny
message = relay not permitted
2015-08-13 11:46:09 +02:00
acl_check_data:
2019-06-23 21:06:48 +02:00
${optionalString cfg.rspamd.enable /* exim */ ''
accept condition = ''${if eq{$interface_port}{587}}
warn remove_header = ${concatStringsSep " : " [
"x-spam"
"x-spam-report"
"x-spam-score"
]}
warn
spam = nobody:true
warn
condition = ''${if !eq{$spam_action}{no action}}
add_header = X-Spam: Yes
add_header = X-Spam-Report: $spam_report
add_header = X-Spam-Score: $spam_score
''}
accept
2015-08-13 11:46:09 +02:00
begin routers
2015-08-13 11:46:09 +02:00
local:
driver = accept
domains = +local_domains
check_local_user
# local_part_suffix = +*
# local_part_suffix_optional
transport = home_maildir
remote:
driver = manualroute
domains = +relay_to_domains
transport = remote_smtp
route_list = ^.* $0 byname
2015-08-13 11:46:09 +02:00
begin transports
2015-08-13 11:46:09 +02:00
remote_smtp:
driver = smtp
2015-08-13 11:46:09 +02:00
home_maildir:
driver = appendfile
maildir_format
directory = $home/Maildir
directory_mode = 0700
delivery_date_add
envelope_to_add
return_path_add
# group = mail
# mode = 0660
2015-08-13 11:46:09 +02:00
begin retry
2016-02-21 21:51:11 +01:00
${concatMapStringsSep "\n" (k: "${k} * F,42d,1m") cfg.relay_to_domains}
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
2015-08-13 11:46:09 +02:00
begin rewrite
2015-08-13 11:46:09 +02:00
begin authenticators
'';
};
2015-08-13 11:46:09 +02:00
};
2019-06-22 12:43:32 +02:00
}