rspamd: add allowedIPs option

docs/rspamd-tuning.rst

@@ -100,6 +100,7 @@ example with `basic auth <https://docs.nginx.com/nginx/admin-guide/security-cont
   mailserver.rspamdWebUI = {
     enable = true;
     domain = "rspamd.example.com";
+    allowedIPs = [ "0.0.0.0" "::/0" ];
   };
 
   services.nginx.virtualHosts."${config.mailserver.rspamdWebUI.domain}".basicAuthFile = "/basic/auth/hashes/file";

mail-server/rspamd.nix

@@ -31,10 +31,18 @@ in
       example = true;
       description = ''
         Whether to enable the rspamd web ui on the configured domain.
+      '';
+    };
 
-        :::warning
-        Make sure to configure authentication for it!
-        :::
+    allowedIPs = lib.mkOption {
+      type = with lib.types; listOf str;
+      default = [ ];
+      example = [ "0.0.0.0" "::/0" ];
+      description = ''
+        List of IPs from which the web ui will be reachable *without* authentication.
+
+        When using a reverse proxy like nginx and another authentication method like basic auth or oatuh2-proxy is implemented,
+        than this can be set to ``[ "0.0.0.0" "::/0" ]`` to solely rely on the other authentication method.
       '';
     };
 
@@ -69,10 +77,7 @@ in
       inherit debug;
 
       overrides = lib.mkIf cfg.rspamdWebUI.enable {
-        "worker-controller.inc".text = ''
-          secure_ip = "0.0.0.0/0";
-          secure_ip = "::/0";
-        '';
+        "worker-controller.inc".text = lib.concatMapStringsSep "\n" (ip: ''secure_ip = "${ip}";'') cfg.rspamdWebUI.allowedIPs;
       };
 
       locals = {