Merge branch 'rpsamd-web-ui' into 'master'

Add option to enable rspamd web ui

See merge request simple-nixos-mailserver/nixos-mailserver!341
Sandro 2025-03-26 05:15:33 +01:00
commit 73d802598c
2 changed files with 45 additions and 11 deletions


@ -93,18 +93,13 @@ With an nginx reverse-proxy
If you have a secured nginx reverse proxy set on the host, you can use it to expose the socket.
**Keep in mind the UI is unsecured by default, you need to setup an authentication scheme**, for
exemple with `basic auth <https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/>`_:
example with `basic auth <https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/>`_:
.. code:: nix
services.nginx.virtualHosts.rspamd = {
forceSSL = true;
enableACME = true;
basicAuthFile = "/basic/auth/hashes/file";
serverName = "rspamd.example.com";
locations = {
"/" = {
proxyPass = "http://unix:/run/rspamd/worker-controller.sock:/";
};
};
mailserver.rspamdWebUi = {
enable = true;
domain = "rspamd.example.com";
};
services.nginx.virtualHosts."${config.mailserver.rspamdWebUi.domain}".basicAuthFile = "/basic/auth/hashes/file";


@ -24,6 +24,27 @@ let
rspamdSocket = "rspamd.service";
in
{
options.mailserver.rspamdWebUi = {
enable = lib.mkOption {
type = lib.types.bool;
default = false;
example = true;
description = ''
Whether to enable the rspamd web ui on the configured domain.
:::warning
Make sure to configure authentication for it!
:::
'';
};
domain = lib.mkOption {
type = lib.types.str;
example = "rspamd.example.org";
description = "The domain under which the rspamd web ui should be reachable.";
};
};
config = with cfg; lib.mkIf enable {
environment.systemPackages = lib.mkBefore [
(pkgs.runCommand "rspamc-wrapped" {
@ -34,9 +55,27 @@ in
'')
];
services.nginx = lib.mkIf cfg.rspamdWebUi.enable {
enable = true;
virtualHosts = {
"${cfg.rspamdWebUi.domain}" = {
forceSSL = true;
locations."/".proxyPass = "http://unix:/run/rspamd/worker-controller.sock:/";
};
};
};
services.rspamd = {
enable = true;
inherit debug;
overrides = lib.mkIf cfg.rspamdWebUi.enable {
"worker-controller.inc".text = ''
secure_ip = "0.0.0.0/0";
secure_ip = "::/0";
'';
};
locals = {
"milter_headers.conf" = { text = ''
extended_spam_headers = true;
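Review bot: The `worker-controller.inc` override sets `secure_ip` to `0.0.0.0/0` and `::/0`, which marks every client address as trusted by the controller, while the nginx vhost added just above it sets only `forceSSL` and `proxyPass` and configures no authentication. As written, `mailserver.rspamdWebUi.enable = true` on its own appears to publish the controller UI with only the warning in the option description (first hunk) guarding against unauthenticated access. I would make the module fail closed, for example with an assertion such as `assertion = !cfg.rspamdWebUi.enable || config.services.nginx.virtualHosts.${cfg.rspamdWebUi.domain}.basicAuthFile != null;` (or an equivalent check that also accepts other auth schemes), and document the override with a comment like `# secure_ip trusts all peers; access control is delegated entirely to the nginx vhost`. The `config` block starts and ends outside these hunks, so whether `config` is in scope for the assertion should be confirmed against the module header.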