Add option to enable rspamd web ui

2025-04-24 22:12:04 +05:00 · 2024-10-01 23:56:47 +02:00 · 2024-10-01 23:56:47 +02:00 · 300459a662
commit 300459a662
parent af7d3bf5da
2 changed files with 46 additions and 11 deletions
--- a/docs/rspamd-tuning.rst
+++ b/docs/rspamd-tuning.rst
@ -93,18 +93,13 @@ With an nginx reverse-proxy

 If you have a secured nginx reverse proxy set on the host, you can use it to expose the socket.
 **Keep in mind the UI is unsecured by default, you need to setup an authentication scheme**, for
-exemple with `basic auth <https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/>`_:
+example with `basic auth <https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/>`_:

 .. code:: nix

-  services.nginx.virtualHosts.rspamd = {
-    forceSSL = true;
-    enableACME = true;
-    basicAuthFile = "/basic/auth/hashes/file";
-    serverName = "rspamd.example.com";
-    locations = {
-      "/" = {
-        proxyPass = "http://unix:/run/rspamd/worker-controller.sock:/";
-      };
-    };
+  mailserver.rspamdWebUi = {
+    enable = true;
+    domain = "rspamd.example.com";
  };
+
+  services.nginx.virtualHosts."${config.mailserver.rspamdWebUi.domain}".basicAuthFile = "/basic/auth/hashes/file";
--- a/mail-server/rspamd.nix
+++ b/mail-server/rspamd.nix
@ -24,6 +24,27 @@ let
  rspamdSocket = "rspamd.service";
 in
 {
+  options.mailserver.rspamdWebUi = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = ''
+        Whether to enable the rspamd web ui on the configured domain.
+
+        :::warning
+        Make sure to configure authentication for it!
+        :::
+      '';
+    };
+
+    domain = lib.mkOption {
+      type = lib.types.str;
+      example = "rspamd.example.org";
+      description = "The domain under which the rspamd web ui should be reachable.";
+    };
+  };
+
  config = with cfg; lib.mkIf enable {
    environment.systemPackages = lib.mkBefore [
      (pkgs.runCommand "rspamc-wrapped" {
@ -34,9 +55,28 @@ in
      '')
    ];

+    services.nginx = lib.mkIf cfg.rspamdWebUi.enable {
+      enable = true;
+      virtualHosts = {
+        "${cfg.rspamdWebUi.domain}" = {
+          enableACME = true;
+          forceSSL = true;
+          locations."/".proxyPass = "http://unix:/run/rspamd/worker-controller.sock:/";
+        };
+      };
+    };
+
    services.rspamd = {
      enable = true;
      inherit debug;
+
+      overrides = lib.mkIf cfg.rspamdWebUi.enable {
+        "worker-controller.inc".text = ''
+          secure_ip = "0.0.0.0/0";
+          secure_ip = "::/0";
+        '';
+      };
+
      locals = {
          "milter_headers.conf" = { text = ''
              extended_spam_headers = true;