From 805373bfc4a40fa20bd27d829170bec2efb7c552 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Tue, 1 Oct 2024 23:56:47 +0200 Subject: [PATCH 1/4] Add option to enable rspamd web ui --- docs/rspamd-tuning.rst | 17 ++++++----------- mail-server/rspamd.nix | 40 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+), 11 deletions(-) diff --git a/docs/rspamd-tuning.rst b/docs/rspamd-tuning.rst index 3ba8133..545d2a5 100644 --- a/docs/rspamd-tuning.rst +++ b/docs/rspamd-tuning.rst @@ -93,18 +93,13 @@ With an nginx reverse-proxy If you have a secured nginx reverse proxy set on the host, you can use it to expose the socket. **Keep in mind the UI is unsecured by default, you need to setup an authentication scheme**, for -exemple with `basic auth `_: +example with `basic auth `_: .. code:: nix - services.nginx.virtualHosts.rspamd = { - forceSSL = true; - enableACME = true; - basicAuthFile = "/basic/auth/hashes/file"; - serverName = "rspamd.example.com"; - locations = { - "/" = { - proxyPass = "http://unix:/run/rspamd/worker-controller.sock:/"; - }; - }; + mailserver.rspamdWebUI = { + enable = true; + domain = "rspamd.example.com"; }; + + services.nginx.virtualHosts."${config.mailserver.rspamdWebUI.domain}".basicAuthFile = "/basic/auth/hashes/file"; diff --git a/mail-server/rspamd.nix b/mail-server/rspamd.nix index fc6f4b9..01869d8 100644 --- a/mail-server/rspamd.nix +++ b/mail-server/rspamd.nix 
@@ -24,6 +24,27 @@ let
 rspamdSocket = "rspamd.service";
 in
 {
+ options.mailserver.rspamdWebUI = {
+ enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ example = true;
+ description = ''
+ Whether to enable the rspamd web ui on the configured domain.
+
+ :::warning
+ Make sure to configure authentication for it!
+ :::
+ '';
+ };
+
+ domain = lib.mkOption {
+ type = lib.types.str;
+ example = "rspamd.example.org";
+ description = "The domain under which the rspamd web ui should be reachable.";
+ };
+ };
+
 config = with cfg; lib.mkIf enable {
 environment.systemPackages = lib.mkBefore [
 (pkgs.runCommand "rspamc-wrapped" {
@@ -34,9 +34,28 @@ in
 '')
 ];
+ services.nginx = lib.mkIf cfg.rspamdWebUI.enable {
+ enable = true;
+ virtualHosts = {
+ "${cfg.rspamdWebUI.domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://unix:/run/rspamd/worker-controller.sock:/";
+ };
+ };
+ };
+
 services.rspamd = {
 enable = true;
 inherit debug;
+
+ overrides = lib.mkIf cfg.rspamdWebUI.enable {
+ "worker-controller.inc".text = ''
+ secure_ip = "0.0.0.0/0";
+ secure_ip = "::/0";
+ '';
+ };
+
 locals = {
 "milter_headers.conf" = {
 text = ''
 extended_spam_headers = true;
From 795aa39a02639ab426be1fd96b3ee0c2e83157d6 Mon Sep 17 00:00:00 2001
From: Sandro
Date: Wed, 2 Oct 2024 14:12:14 +0000
Subject: [PATCH 2/4] Drop enableACME

---
 mail-server/rspamd.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/mail-server/rspamd.nix b/mail-server/rspamd.nix
index 01869d8..0b856ea 100644
--- a/mail-server/rspamd.nix
+++ b/mail-server/rspamd.nix
@@ -59,7 +59,6 @@ in
 enable = true;
 virtualHosts = {
 "${cfg.rspamdWebUI.domain}" = {
- enableACME = true;
 forceSSL = true;
 locations."/".proxyPass = "http://unix:/run/rspamd/worker-controller.sock:/";
 };
From 196b9b61e5eae8202709a56e635d825a9f095071 Mon Sep 17 00:00:00 2001
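Review bot: The `enable` description in the options hunk says only that the UI is enabled "on the configured domain", leaving the reader to discover from the config section of the same patch that enabling also turns on nginx with a virtual host and rewrites the rspamd controller's `secure_ip` so that clients need no password. I would state that in the option text so the warning has a reason attached, e.g. `Whether to expose the rspamd web UI through an nginx virtual host on the configured domain. Enabling this also configures the rspamd controller to accept clients without a password, so authentication must be enforced on that virtual host (for example with basicAuthFile).` The `domain` option has no default, which is fine for a required value, but its description could say that it must be set whenever `enable` is true, since the only hint a user gets otherwise is the generic "used but not defined" evaluation error.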
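Review bot: The `secure_ip = "0.0.0.0/0"` and `secure_ip = "::/0"` lines written to `worker-controller.inc` in the second rspamd.nix hunk make the rspamd controller treat every client as trusted, so anyone the nginx virtual host lets through reaches the controller without a password, and nothing in this hunk or in the new option ties `cfg.rspamdWebUI.enable` to an authentication setting on that virtual host. The later patches in this series drop `enableACME` and `forceSSL` again, so unless the admin re-adds TLS the virtual host is served over plain HTTP, which matters once `basicAuthFile` is the recommended protection and should be said in the docs. I would back the documentation warning with an evaluation-time assertion on the virtual host's auth options (sketched below, assuming the module receives `config` as an argument as the docs hunk's `config.mailserver...` usage suggests), and consider whether the controller trust can be narrowed to the proxy rather than all addresses; the title of the final patch, `add allowedIPs option`, suggests the series may already move in that direction, but its body is cut off here.
```nix
    # Fail evaluation if the proxied controller has no auth in front of it:
    # the secure_ip override below trusts every client that reaches it.
    assertions = lib.mkIf cfg.rspamdWebUI.enable [{
      assertion = let vh = config.services.nginx.virtualHosts.${cfg.rspamdWebUI.domain};
                  in vh.basicAuthFile != null || vh.basicAuth != { };
      message = "mailserver.rspamdWebUI: set basicAuthFile or basicAuth on the nginx virtual host for ${cfg.rspamdWebUI.domain}";
    }];
    # … unchanged: services.nginx virtual host and services.rspamd overrides …
```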
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sun, 13 Apr 2025 20:39:57 +0200 Subject: [PATCH 3/4] Add rspamd web ui test --- mail-server/rspamd.nix | 1 - tests/internal.nix | 10 ++++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/mail-server/rspamd.nix b/mail-server/rspamd.nix index 0b856ea..6a8cb15 100644 --- a/mail-server/rspamd.nix +++ b/mail-server/rspamd.nix @@ -59,7 +59,6 @@ in enable = true; virtualHosts = { "${cfg.rspamdWebUI.domain}" = { - forceSSL = true; locations."/".proxyPass = "http://unix:/run/rspamd/worker-controller.sock:/"; }; }; diff --git a/tests/internal.nix b/tests/internal.nix index 5835ce6..b64173f 100644 --- a/tests/internal.nix +++ b/tests/internal.nix @@ -81,6 +81,11 @@ pkgs.nixosTest { vmailUID = 5000; enableImap = false; + + rspamdWebUI = { + enable = true; + domain = "localhost"; + }; }; }; }; @@ -185,6 +190,11 @@ pkgs.nixosTest { "set +o pipefail; ${pkgs.curl}/bin/curl --unix-socket /run/rspamd/worker-controller.sock http://localhost/ | grep -q ''" ) + with subtest("nginx serves web ui"): + machine.succeed( + "set +o pipefail; ${pkgs.curl}/bin/curl http://localhost/ | grep -q ''" + ) + with subtest("imap port 143 is closed and imaps is serving SSL"): machine.wait_for_closed_port(143) machine.wait_for_open_port(993) From 0f1155b064d0a8201a66fdbd6bc7278a91bbf3f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Mon, 14 Apr 2025 00:52:23 +0200 Subject: [PATCH 4/4] rspamd: add allowedIPs option --- docs/rspamd-tuning.rst | 1 + mail-server/rspamd.nix | 19 ++++++++++++------- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/docs/rspamd-tuning.rst b/docs/rspamd-tuning.rst index 545d2a5..4feb99d 100644 --- a/docs/rspamd-tuning.rst +++ b/docs/rspamd-tuning.rst @@ -100,6 +100,7 @@ example with `basic auth
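Review bot: The new `nginx serves web ui` subtest in the tests/internal.nix hunk pipes curl into `grep -q ''` under `set +o pipefail`, so the pipeline's status is grep's alone and curl's own exit code is discarded; as rendered here the grep pattern is empty, which matches any output at all, and even if angle-bracketed markup was stripped by the rendering, an nginx error page for an unreachable upstream is ordinary HTML and would satisfy a generic tag pattern too. A request that must itself succeed, without the pipeline, pins the behaviour much more tightly: `machine.succeed("${pkgs.curl}/bin/curl --fail --silent --show-error --output /dev/null http://localhost/")`. Note also that this subtest, together with the `rspamdWebUI` block added to the test config in the earlier hunk of this file, asserts that the UI answers over plain HTTP with no credentials, so it encodes the unauthenticated default rather than exercising the `basicAuthFile` setup the docs recommend. The surrounding testScript string starts and ends outside the hunk.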