Add option to enable rspamd web ui

Sandro Jäckel 2024-10-01 23:56:47 +02:00
parent af7d3bf5da
commit 300459a662
No known key found for this signature in database
GPG Key ID: 3AF5A43A3EECC2E5
2 changed files with 46 additions and 11 deletions


@ -93,18 +93,13 @@ With an nginx reverse-proxy
If you have a secured nginx reverse proxy set on the host, you can use it to expose the socket.
**Keep in mind the UI is unsecured by default, you need to setup an authentication scheme**, for
exemple with `basic auth <https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/>`_:
example with `basic auth <https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/>`_:
.. code:: nix
services.nginx.virtualHosts.rspamd = {
forceSSL = true;
enableACME = true;
basicAuthFile = "/basic/auth/hashes/file";
serverName = "rspamd.example.com";
locations = {
"/" = {
proxyPass = "http://unix:/run/rspamd/worker-controller.sock:/";
};
};
mailserver.rspamdWebUi = {
enable = true;
domain = "rspamd.example.com";
};
services.nginx.virtualHosts."${config.mailserver.rspamdWebUi.domain}".basicAuthFile = "/basic/auth/hashes/file";


@ -24,6 +24,27 @@ let
rspamdSocket = "rspamd.service";
in
{
options.mailserver.rspamdWebUi = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
example = true;
description = ''
Whether to enable the rspamd web ui on the configured domain.
:::warning
Make sure to configure authentication for it!
:::
'';
};
domain = lib.mkOption {
type = lib.types.str;
example = "rspamd.example.org";
description = "The domain under which the rspamd web ui should be reachable.";
};
};
config = with cfg; lib.mkIf enable {
environment.systemPackages = lib.mkBefore [
(pkgs.runCommand "rspamc-wrapped" {
@ -34,9 +55,28 @@ in
'')
];
services.nginx = lib.mkIf cfg.rspamdWebUi.enable {
enable = true;
virtualHosts = {
"${cfg.rspamdWebUi.domain}" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://unix:/run/rspamd/worker-controller.sock:/";
};
};
};
services.rspamd = {
enable = true;
inherit debug;
overrides = lib.mkIf cfg.rspamdWebUi.enable {
"worker-controller.inc".text = ''
secure_ip = "0.0.0.0/0";
secure_ip = "::/0";
'';
};
locals = {
"milter_headers.conf" = { text = ''
extended_spam_headers = true;
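Review bot: Enabling `mailserver.rspamdWebUi` publishes the rspamd controller with no authentication unless the operator adds one separately. The `worker-controller.inc` override sets `secure_ip` to `0.0.0.0/0` and `::/0`, which in rspamd marks every client address as trusted and exempt from the controller password, and the generated nginx virtual host has no `basicAuthFile` or other access control. The only safeguard is the warning in the option description, so the default fails open on a public, ACME-enabled hostname. Consider making authentication part of the option set, for example a required htpasswd path wired into the virtual host as sketched below, or adding an `assertions` entry that refuses to evaluate when the vhost has no authentication configured. The `config` and `services.rspamd` blocks continue outside the hunk.

```nix
# … unchanged: rspamdWebUi.enable and rspamdWebUi.domain options …
basicAuthFile = lib.mkOption {
  type = lib.types.path;
  example = "/basic/auth/hashes/file";
  description = "htpasswd file nginx uses to authenticate access to the rspamd web ui.";
};

# … unchanged: services.nginx.enable, enableACME, forceSSL …
"${cfg.rspamdWebUi.domain}" = {
  basicAuthFile = cfg.rspamdWebUi.basicAuthFile;
  locations."/".proxyPass = "http://unix:/run/rspamd/worker-controller.sock:/";
```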