rspamd: add allowedIPs option

Sandro Jäckel 2025-04-14 00:52:23 +02:00
parent 196b9b61e5
commit 0f1155b064
No known key found for this signature in database
GPG Key ID: 3AF5A43A3EECC2E5
2 changed files with 13 additions and 7 deletions


@ -100,6 +100,7 @@ example with `basic auth <https://docs.nginx.com/nginx/admin-guide/security-cont
mailserver.rspamdWebUI = {
enable = true;
domain = "rspamd.example.com";
allowedIPs = [ "0.0.0.0" "::/0" ];
};
services.nginx.virtualHosts."${config.mailserver.rspamdWebUI.domain}".basicAuthFile = "/basic/auth/hashes/file";


@ -31,10 +31,18 @@ in
example = true;
description = ''
Whether to enable the rspamd web ui on the configured domain.
'';
};
:::warning
Make sure to configure authentication for it!
:::
allowedIPs = lib.mkOption {
type = with lib.types; listOf str;
default = [ ];
example = [ "0.0.0.0" "::/0" ];
description = ''
List of IPs from which the web ui will be reachable *without* authentication.
When using a reverse proxy like nginx and another authentication method like basic auth or oatuh2-proxy is implemented,
than this can be set to ``[ "0.0.0.0" "::/0" ]`` to solely rely on the other authentication method.
'';
};
@ -69,10 +77,7 @@ in
inherit debug;
overrides = lib.mkIf cfg.rspamdWebUI.enable {
"worker-controller.inc".text = ''
secure_ip = "0.0.0.0/0";
secure_ip = "::/0";
'';
"worker-controller.inc".text = lib.concatMapStringsSep "\n" (ip: ''secure_ip = "${ip}";'') cfg.rspamdWebUI.allowedIPs;
};
locals = {
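Review bot: The `example` and description of `allowedIPs` use `"0.0.0.0"` with no prefix length, while the lines this commit removes wrote `secure_ip = "0.0.0.0/0";`. Each entry is interpolated verbatim into `secure_ip`, so a bare `0.0.0.0` most likely matches only that one address, and a user copying the example would trust every IPv6 client but no IPv4 client. I would write `example = [ "0.0.0.0/0" "::/0" ];`, with the same value in the description and in the docs example in the first file. The name reads like an allowlist, but these entries skip the controller password, so the description could say so directly, e.g. `Clients from these addresses get controller access without a password; this does not restrict who can connect.` Entries are also placed inside a quoted string unchecked, so a stricter type or an assertion rejecting `"` would stop a malformed entry from breaking `worker-controller.inc`; the `locals` block continues outside the hunk.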