ForkMaster/nixos-mailserver
1
0
Fork 0
mirror of https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git synced 2025-04-02 05:44:33 +05:00
Code Issues Packages Projects Releases Wiki Activity

Add option to enable rspamd web ui

Browse Source
This commit is contained in:
Sandro Jäckel 2024-10-01 23:56:47 +02:00
parent af7d3bf5da
commit 300459a662
No known key found for this signature in database
GPG Key ID: 3AF5A43A3EECC2E5
2 changed files with 46 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
docs/rspamd-tuning.rst
View File

@ -93,18 +93,13 @@ With an nginx reverse-proxy
If you have a secured nginx reverse proxy set on the host, you can use it to expose the socket. If you have a secured nginx reverse proxy set on the host, you can use it to expose the socket.
**Keep in mind the UI is unsecured by default, you need to setup an authentication scheme**, for **Keep in mind the UI is unsecured by default, you need to setup an authentication scheme**, for
exemple with `basic auth <https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/>`_: example with `basic auth <https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/>`_:
.. code:: nix .. code:: nix
services.nginx.virtualHosts.rspamd = { mailserver.rspamdWebUi = {
forceSSL = true; enable = true;
enableACME = true; domain = "rspamd.example.com";
basicAuthFile = "/basic/auth/hashes/file";
serverName = "rspamd.example.com";
locations = {
"/" = {
proxyPass = "http://unix:/run/rspamd/worker-controller.sock:/";
};
};
}; };
services.nginx.virtualHosts."${config.mailserver.rspamdWebUi.domain}".basicAuthFile = "/basic/auth/hashes/file";

40
mail-server/rspamd.nix
View File

@ -24,6 +24,27 @@ let
rspamdSocket = "rspamd.service"; rspamdSocket = "rspamd.service";
in in
{ {
options.mailserver.rspamdWebUi = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
example = true;
description = ''
Whether to enable the rspamd web ui on the configured domain.
:::warning
Make sure to configure authentication for it!
:::
'';
};
domain = lib.mkOption {
type = lib.types.str;
example = "rspamd.example.org";
description = "The domain under which the rspamd web ui should be reachable.";
};
};
config = with cfg; lib.mkIf enable { config = with cfg; lib.mkIf enable {
environment.systemPackages = lib.mkBefore [ environment.systemPackages = lib.mkBefore [
(pkgs.runCommand "rspamc-wrapped" { (pkgs.runCommand "rspamc-wrapped" {
@ -34,9 +55,28 @@ in
'') '')
]; ];
services.nginx = lib.mkIf cfg.rspamdWebUi.enable {
enable = true;
virtualHosts = {
"${cfg.rspamdWebUi.domain}" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://unix:/run/rspamd/worker-controller.sock:/";
};
};
};
services.rspamd = { services.rspamd = {
enable = true; enable = true;
inherit debug; inherit debug;
overrides = lib.mkIf cfg.rspamdWebUi.enable {
"worker-controller.inc".text = ''
secure_ip = "0.0.0.0/0";
secure_ip = "::/0";
'';
};
locals = { locals = {
"milter_headers.conf" = { text = '' "milter_headers.conf" = { text = ''
extended_spam_headers = true; extended_spam_headers = true;