movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-13 05:05:29 +03:00
Code Issues Projects Releases Packages Wiki Activity
nixpkgs/nixos/modules/services/mail/rspamd.nix

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

548 lines
16 KiB
Nix
Raw Normal View History

nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
{
config,
options,
pkgs,
lib,
...
}:
nixos: Add module for rspamd
2016-01-12 11:06:46 +02:00
with lib;
let
cfg = config.services.rspamd;
treewide: make option examples constant escape interpolations in examples, or replace them where they are not useful.
2021-12-05 22:01:03 +01:00
opt = options.services.rspamd;
nixos/rspamd: Add options for postfix integration The `rmilter` module has options for configuring `postfix` to use it but since that module is deprecated because rspamd now has a builtin worker that supports the milter protocol this commit adds similar `postfix` integration options directly to the `rspamd` module.
2018-11-06 00:40:52 +01:00
postfixCfg = config.services.postfix;
nixos: Add module for rspamd
2016-01-12 11:06:46 +02:00
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
bindSocketOpts =
{ options, config, ... }:
{
options = {
socket = mkOption {
type = types.str;
example = "localhost:11333";
nixos/*: md-convert hidden plaintext options most of these are hidden because they're either part of a submodule that doesn't have its type rendered (eg because the submodule type is used in an either type) or because they are explicitly hidden. some of them are merely hidden from nix-doc-munge by how their option is put together.
2022-08-29 19:33:50 +02:00
description = ''
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
Socket for this worker to listen on in a format acceptable by rspamd.
'';
};
mode = mkOption {
type = types.str;
default = "0644";
nixos/*: md-convert hidden plaintext options most of these are hidden because they're either part of a submodule that doesn't have its type rendered (eg because the submodule type is used in an either type) or because they are explicitly hidden. some of them are merely hidden from nix-doc-munge by how their option is put together.
2022-08-29 19:33:50 +02:00
description = "Mode to set on unix socket";
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
};
owner = mkOption {
type = types.str;
default = "${cfg.user}";
nixos/*: md-convert hidden plaintext options most of these are hidden because they're either part of a submodule that doesn't have its type rendered (eg because the submodule type is used in an either type) or because they are explicitly hidden. some of them are merely hidden from nix-doc-munge by how their option is put together.
2022-08-29 19:33:50 +02:00
description = "Owner to set on unix socket";
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
};
group = mkOption {
type = types.str;
default = "${cfg.group}";
nixos/*: md-convert hidden plaintext options most of these are hidden because they're either part of a submodule that doesn't have its type rendered (eg because the submodule type is used in an either type) or because they are explicitly hidden. some of them are merely hidden from nix-doc-munge by how their option is put together.
2022-08-29 19:33:50 +02:00
description = "Group to set on unix socket";
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
};
rawEntry = mkOption {
type = types.str;
internal = true;
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
};
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
};
config.rawEntry =
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
let
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
maybeOption = option: optionalString options.${option}.isDefined " ${option}=${config.${option}}";
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
in
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
if (!(hasPrefix "/" config.socket)) then
"${config.socket}"
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
else
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
"${config.socket}${maybeOption "mode"}${maybeOption "owner"}${maybeOption "group"}";
};
rspamd: configurable bindSocket and bindUISocket
2016-03-25 16:12:59 +02:00
nixos/rspamd: Allow worker type to be proxy again When reworking the rspamd workers I disallowed `proxy` as a type and instead used `rspamd_proxy` which is the correct name for that worker type. That change breaks peoples existing config and so I have made this commit which allows `proxy` as a worker type again but makes it behave as `rspamd_proxy` and prints a warning if you use it.
2018-11-25 06:10:30 +01:00
traceWarning = w: x: builtins.trace "warning: ${w}" x;
workerOpts =
{ name, options, ... }:
{
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
options = {
enable = mkOption {
type = types.nullOr types.bool;
default = null;
description = "Whether to run the rspamd worker.";
};
name = mkOption {
type = types.nullOr types.str;
default = name;
description = "Name of the worker";
};
type = mkOption {
type = types.nullOr (
types.enum [
Specify correct type for fuzzy worker
2019-11-18 13:56:56 +01:00
"normal"
"controller"
"fuzzy"
"rspamd_proxy"
"lua"
"proxy"
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
]
);
nixos/rspamd: Allow worker type to be proxy again When reworking the rspamd workers I disallowed `proxy` as a type and instead used `rspamd_proxy` which is the correct name for that worker type. That change breaks peoples existing config and so I have made this commit which allows `proxy` as a worker type again but makes it behave as `rspamd_proxy` and prints a warning if you use it.
2018-11-25 06:10:30 +01:00
description = ''
The type of this worker. The type `proxy` is
deprecated and only kept for backwards compatibility and should be
replaced with `rspamd_proxy`.
'';
apply =
let
nixos/rspamd: fix fancy unicode quote
2019-09-16 23:40:32 +00:00
from = "services.rspamd.workers.\"${name}\".type";
nixos/rspamd: Allow worker type to be proxy again When reworking the rspamd workers I disallowed `proxy` as a type and instead used `rspamd_proxy` which is the correct name for that worker type. That change breaks peoples existing config and so I have made this commit which allows `proxy` as a worker type again but makes it behave as `rspamd_proxy` and prints a warning if you use it.
2018-11-25 06:10:30 +01:00
files = options.type.files;
warning = "The option `${from}` defined in ${showFiles files} has enum value `proxy` which has been renamed to `rspamd_proxy`";
in
x: if x == "proxy" then traceWarning warning "rspamd_proxy" else x;
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
};
bindSockets = mkOption {
type = types.listOf (types.either types.str (types.submodule bindSocketOpts));
default = [ ];
description = ''
List of sockets to listen, in format acceptable by rspamd
'';
example = [
{
socket = "/run/rspamd.sock";
mode = "0666";
owner = "rspamd";
}
"*:11333"
];
apply =
value:
map (
each:
if (isString each) then
if (isUnixSocket each) then
{
socket = each;
owner = cfg.user;
group = cfg.group;
mode = "0644";
rawEntry = "${each}";
}
else
{
socket = each;
rawEntry = "${each}";
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
}
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
else
each
) value;
};
count = mkOption {
type = types.nullOr types.int;
default = null;
description = ''
Number of worker instances to run
'';
};
includes = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
List of files to include in configuration
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = "Additional entries to put verbatim into worker section of rspamd config file.";
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
};
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
};
nixos/rspamd: Add defaults for rspamd_proxy worker
2018-11-06 00:32:14 +01:00
config =
mkIf (name == "normal" || name == "controller" || name == "fuzzy" || name == "rspamd_proxy")
{
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
type = mkDefault name;
nixos/rspamd: Add defaults for rspamd_proxy worker
2018-11-06 00:32:14 +01:00
includes = mkDefault [ "$CONFDIR/worker-${if name == "rspamd_proxy" then "proxy" else name}.inc" ];
bindSockets =
let
unixSocket = name: {
mode = "0660";
socket = "/run/rspamd/${name}.sock";
owner = cfg.user;
group = cfg.group;
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
};
in
nixos/rspamd: Add support for included files By default rspamd will look for multiple files in /etc/rspamd/local.d and /etc/rspamd/override.d to be included in subsections of the merged final config for rspamd. Most of the config snippets in the official rspamd documentation are made to these files and so it makes sense for NixOS to support them and this is what this commit does. As part of rspamd 1.8.1 support was added for having custom Lua rules stored in $LOCAL_CONFDIR/rspamd.local.lua which means that it is now possible for NixOS to support such rules and so this commit also adds support for this to the rspamd module.
2018-11-01 23:55:44 +01:00
mkDefault (
nixos/rspamd: Add defaults for rspamd_proxy worker
2018-11-06 00:32:14 +01:00
if name == "normal" then
[ (unixSocket "rspamd") ]
else if name == "controller" then
[ "localhost:11334" ]
nixos/rspamd: Put extraConfig in included files The lines stored in `extraConfig` and `worker.<name?>.extraConfig` should take precedent over values from included files but in order to do this in rspamd UCL they need to be stored in a file that then gets included with a high priority. This commit uses the overrides option to store the value of the two `extraConfig` options in `extra-config.inc` and `worker-<name?>.inc` respectively.
2018-11-06 00:34:23 +01:00
else if name == "rspamd_proxy" then
nixos/rspamd: Add defaults for rspamd_proxy worker
2018-11-06 00:32:14 +01:00
[ (unixSocket "proxy") ]
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
else
[ ]
);
nixos/rspamd: Add defaults for rspamd_proxy worker
2018-11-06 00:32:14 +01:00
};
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
};
isUnixSocket = socket: hasPrefix "/" (if (isString socket) then socket else socket.socket);
nixos/rspamd: Remove non-working socket activation The socket activation I added to the rspamd module doesn't actually work and can't be made to work without changes to rspamd. See: #47421 See: rspamd/rspamd#2035
2018-09-28 04:00:24 +02:00
mkBindSockets =
enabled: socks:
concatStringsSep "\n " (flatten (map (each: "bind_socket = \"${each.rawEntry}\";") socks));
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
rspamdConfFile = pkgs.writeText "rspamd.conf" ''
rspamd: configurable bindSocket and bindUISocket
2016-03-25 16:12:59 +02:00
.include "$CONFDIR/common.conf"
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
rspamd: configurable bindSocket and bindUISocket
2016-03-25 16:12:59 +02:00
options {
pidfile = "$RUNDIR/rspamd.pid";
.include "$CONFDIR/options.inc"
nixos/rspamd: Add support for included files By default rspamd will look for multiple files in /etc/rspamd/local.d and /etc/rspamd/override.d to be included in subsections of the merged final config for rspamd. Most of the config snippets in the official rspamd documentation are made to these files and so it makes sense for NixOS to support them and this is what this commit does. As part of rspamd 1.8.1 support was added for having custom Lua rules stored in $LOCAL_CONFDIR/rspamd.local.lua which means that it is now possible for NixOS to support such rules and so this commit also adds support for this to the rspamd module.
2018-11-01 23:55:44 +01:00
.include(try=true; priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/options.inc"
.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/options.inc"
rspamd: configurable bindSocket and bindUISocket
2016-03-25 16:12:59 +02:00
}
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
rspamd: configurable bindSocket and bindUISocket
2016-03-25 16:12:59 +02:00
logging {
rspamd service: fix runtime directory, log to syslog Fixes #17144.
2016-07-28 06:03:38 +02:00
type = "syslog";
rspamd: configurable bindSocket and bindUISocket
2016-03-25 16:12:59 +02:00
.include "$CONFDIR/logging.inc"
nixos/rspamd: Add support for included files By default rspamd will look for multiple files in /etc/rspamd/local.d and /etc/rspamd/override.d to be included in subsections of the merged final config for rspamd. Most of the config snippets in the official rspamd documentation are made to these files and so it makes sense for NixOS to support them and this is what this commit does. As part of rspamd 1.8.1 support was added for having custom Lua rules stored in $LOCAL_CONFDIR/rspamd.local.lua which means that it is now possible for NixOS to support such rules and so this commit also adds support for this to the rspamd module.
2018-11-01 23:55:44 +01:00
.include(try=true; priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/logging.inc"
.include(try=true; priority=10) "$LOCAL_CONFDIR/override.d/logging.inc"
rspamd: configurable bindSocket and bindUISocket
2016-03-25 16:12:59 +02:00
}
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
nixos/rspamd: Put extraConfig in included files The lines stored in `extraConfig` and `worker.<name?>.extraConfig` should take precedent over values from included files but in order to do this in rspamd UCL they need to be stored in a file that then gets included with a high priority. This commit uses the overrides option to store the value of the two `extraConfig` options in `extra-config.inc` and `worker-<name?>.inc` respectively.
2018-11-06 00:34:23 +01:00
${concatStringsSep "\n" (
mapAttrsToList (
name: value:
let
includeName = if name == "rspamd_proxy" then "proxy" else name;
treewide: De-inline uses of lib.boolToString This commit should not change eval results
2020-10-14 01:46:17 +02:00
tryOverride = boolToString (value.extraConfig == "");
nixos/rspamd: Put extraConfig in included files The lines stored in `extraConfig` and `worker.<name?>.extraConfig` should take precedent over values from included files but in order to do this in rspamd UCL they need to be stored in a file that then gets included with a high priority. This commit uses the overrides option to store the value of the two `extraConfig` options in `extra-config.inc` and `worker-<name?>.inc` respectively.
2018-11-06 00:34:23 +01:00
in
''
nixos/rspamd: Support multiple workers When the workers option for rspamd was originally implemented it was based on a flawed understanding of how workers are configured in rspamd. This meant that while rspamd supports configuring multiple workers of the same type, so that different controller workers could have different passwords, the NixOS module did not support this because it would write an invalid configuration file if you tried. Specifically a configuration like the one below: ``` workers.controller = {}; workers.controller2 = { type = "controller"; }; ``` Would result in a rspamd configuration of: ``` worker { type = "controller"; count = 1; .include "$CONFDIR/worker-controller.inc" } worker "controller2" { type = "controller"; count = 1; } ``` While to get multiple controller workers it should instead be: ``` worker "controller" { type = "controller"; count = 1; .include "$CONFDIR/worker-controller.inc" } worker "controller" { type = "controller"; count = 1; } ```
2018-11-06 00:26:55 +01:00
worker "${value.type}" {
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
type = "${value.type}";
${optionalString (value.enable != null)
"enabled = ${if value.enable != false then "yes" else "no"};"
}
${mkBindSockets value.enable value.bindSockets}
${optionalString (value.count != null) "count = ${toString value.count};"}
${concatStringsSep "\n " (map (each: ".include \"${each}\"") value.includes)}
nixos/rspamd: Put extraConfig in included files The lines stored in `extraConfig` and `worker.<name?>.extraConfig` should take precedent over values from included files but in order to do this in rspamd UCL they need to be stored in a file that then gets included with a high priority. This commit uses the overrides option to store the value of the two `extraConfig` options in `extra-config.inc` and `worker-<name?>.inc` respectively.
2018-11-06 00:34:23 +01:00
.include(try=true; priority=1,duplicate=merge) "$LOCAL_CONFDIR/local.d/worker-${includeName}.inc"
.include(try=${tryOverride}; priority=10) "$LOCAL_CONFDIR/override.d/worker-${includeName}.inc"
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
}
''
) cfg.workers
)}
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
nixos/rspamd: Put extraConfig in included files The lines stored in `extraConfig` and `worker.<name?>.extraConfig` should take precedent over values from included files but in order to do this in rspamd UCL they need to be stored in a file that then gets included with a high priority. This commit uses the overrides option to store the value of the two `extraConfig` options in `extra-config.inc` and `worker-<name?>.inc` respectively.
2018-11-06 00:34:23 +01:00
${optionalString (cfg.extraConfig != "") ''
.include(priority=10) "$LOCAL_CONFDIR/override.d/extra-config.inc"
''}
rspamd: configurable bindSocket and bindUISocket
2016-03-25 16:12:59 +02:00
'';
nixos/rspamd: Fix enable for locals and overrides When implementing #49620 I included an enable option for both the locals and overrides options but the code writing the files didn't actually look at enable and so would write the file regardless of its value. I also set the type to loaOf which should have been attrsOf since the code was not written to handle the options being lists. This fixes both of those issues.
2018-11-05 17:50:34 +01:00
filterFiles = files: filterAttrs (n: v: v.enable) files;
nixos/rspamd: Add support for included files By default rspamd will look for multiple files in /etc/rspamd/local.d and /etc/rspamd/override.d to be included in subsections of the merged final config for rspamd. Most of the config snippets in the official rspamd documentation are made to these files and so it makes sense for NixOS to support them and this is what this commit does. As part of rspamd 1.8.1 support was added for having custom Lua rules stored in $LOCAL_CONFDIR/rspamd.local.lua which means that it is now possible for NixOS to support such rules and so this commit also adds support for this to the rspamd module.
2018-11-01 23:55:44 +01:00
rspamdDir = pkgs.linkFarm "etc-rspamd-dir" (
nixos/rspamd: Fix enable for locals and overrides When implementing #49620 I included an enable option for both the locals and overrides options but the code writing the files didn't actually look at enable and so would write the file regardless of its value. I also set the type to loaOf which should have been attrsOf since the code was not written to handle the options being lists. This fixes both of those issues.
2018-11-05 17:50:34 +01:00
(mapAttrsToList (name: file: {
name = "local.d/${name}";
path = file.source;
}) (filterFiles cfg.locals))
++ (mapAttrsToList (name: file: {
name = "override.d/${name}";
path = file.source;
}) (filterFiles cfg.overrides))
nixos/rspamd: Add support for included files By default rspamd will look for multiple files in /etc/rspamd/local.d and /etc/rspamd/override.d to be included in subsections of the merged final config for rspamd. Most of the config snippets in the official rspamd documentation are made to these files and so it makes sense for NixOS to support them and this is what this commit does. As part of rspamd 1.8.1 support was added for having custom Lua rules stored in $LOCAL_CONFDIR/rspamd.local.lua which means that it is now possible for NixOS to support such rules and so this commit also adds support for this to the rspamd module.
2018-11-01 23:55:44 +01:00
++ (optional (cfg.localLuaRules != null) {
name = "rspamd.local.lua";
path = cfg.localLuaRules;
})
++ [
{
name = "rspamd.conf";
path = rspamdConfFile;
}
]
);
configFileModule =
prefix:
{ name, config, ... }:
{
options = {
enable = mkOption {
type = types.bool;
default = true;
description = ''
Whether this file ${prefix} should be generated. This
option allows specific ${prefix} files to be disabled.
'';
};
text = mkOption {
default = null;
type = types.nullOr types.lines;
description = "Text of the file.";
};
source = mkOption {
type = types.path;
description = "Path of the source file.";
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
};
};
nixos/rspamd: Add options for postfix integration The `rmilter` module has options for configuring `postfix` to use it but since that module is deprecated because rspamd now has a builtin worker that supports the milter protocol this commit adds similar `postfix` integration options directly to the `rspamd` module.
2018-11-06 00:40:52 +01:00
config = {
nixos/rspamd: Add support for included files By default rspamd will look for multiple files in /etc/rspamd/local.d and /etc/rspamd/override.d to be included in subsections of the merged final config for rspamd. Most of the config snippets in the official rspamd documentation are made to these files and so it makes sense for NixOS to support them and this is what this commit does. As part of rspamd 1.8.1 support was added for having custom Lua rules stored in $LOCAL_CONFDIR/rspamd.local.lua which means that it is now possible for NixOS to support such rules and so this commit also adds support for this to the rspamd module.
2018-11-01 23:55:44 +01:00
source = mkIf (config.text != null) (
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
let
nixos/rspamd: Add support for included files By default rspamd will look for multiple files in /etc/rspamd/local.d and /etc/rspamd/override.d to be included in subsections of the merged final config for rspamd. Most of the config snippets in the official rspamd documentation are made to these files and so it makes sense for NixOS to support them and this is what this commit does. As part of rspamd 1.8.1 support was added for having custom Lua rules stored in $LOCAL_CONFDIR/rspamd.local.lua which means that it is now possible for NixOS to support such rules and so this commit also adds support for this to the rspamd module.
2018-11-01 23:55:44 +01:00
name' = "rspamd-${prefix}-" + baseNameOf name;
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
in
nixos/rspamd: Add support for included files By default rspamd will look for multiple files in /etc/rspamd/local.d and /etc/rspamd/override.d to be included in subsections of the merged final config for rspamd. Most of the config snippets in the official rspamd documentation are made to these files and so it makes sense for NixOS to support them and this is what this commit does. As part of rspamd 1.8.1 support was added for having custom Lua rules stored in $LOCAL_CONFDIR/rspamd.local.lua which means that it is now possible for NixOS to support such rules and so this commit also adds support for this to the rspamd module.
2018-11-01 23:55:44 +01:00
mkDefault (pkgs.writeText name' config.text)
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
);
nixos/rspamd: Add support for included files By default rspamd will look for multiple files in /etc/rspamd/local.d and /etc/rspamd/override.d to be included in subsections of the merged final config for rspamd. Most of the config snippets in the official rspamd documentation are made to these files and so it makes sense for NixOS to support them and this is what this commit does. As part of rspamd 1.8.1 support was added for having custom Lua rules stored in $LOCAL_CONFDIR/rspamd.local.lua which means that it is now possible for NixOS to support such rules and so this commit also adds support for this to the rspamd module.
2018-11-01 23:55:44 +01:00
};
};
nixos/rspamd: Put extraConfig in included files The lines stored in `extraConfig` and `worker.<name?>.extraConfig` should take precedent over values from included files but in order to do this in rspamd UCL they need to be stored in a file that then gets included with a high priority. This commit uses the overrides option to store the value of the two `extraConfig` options in `extra-config.inc` and `worker-<name?>.inc` respectively.
2018-11-06 00:34:23 +01:00
configOverrides =
(mapAttrs' (
n: v:
nameValuePair "worker-${if n == "rspamd_proxy" then "proxy" else n}.inc" {
text = v.extraConfig;
}
) (filterAttrs (n: v: v.extraConfig != "") cfg.workers))
treewide: use use lib.optionalAttrs instead of 'then {}'
2023-06-04 14:20:51 +02:00
// (lib.optionalAttrs (cfg.extraConfig != "") {
nixos/rspamd: Put extraConfig in included files The lines stored in `extraConfig` and `worker.<name?>.extraConfig` should take precedent over values from included files but in order to do this in rspamd UCL they need to be stored in a file that then gets included with a high priority. This commit uses the overrides option to store the value of the two `extraConfig` options in `extra-config.inc` and `worker-<name?>.inc` respectively.
2018-11-06 00:34:23 +01:00
"extra-config.inc".text = cfg.extraConfig;
});
nixos: Add module for rspamd
2016-01-12 11:06:46 +02:00
in
{
###### interface
options = {
services.rspamd = {
nixos: correct improper uses of mkEnableOption, clarify service descriptions Several service definitions used `mkEnableOption` with text starting with "Whether to", which produced funny option descriptions like "Whether to enable Whether to run the rspamd daemon..". This commit corrects this, and adds short descriptions of services to affected service definitions.
2018-10-05 13:14:45 +07:00
enable = mkEnableOption "rspamd, the Rapid spam filtering system";
nixos: Add module for rspamd
2016-01-12 11:06:46 +02:00
debug = mkOption {
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
type = types.bool;
nixos: Add module for rspamd
2016-01-12 11:06:46 +02:00
default = false;
description = "Whether to run the rspamd daemon in debug mode.";
};
nixos/rspamd: Add support for included files By default rspamd will look for multiple files in /etc/rspamd/local.d and /etc/rspamd/override.d to be included in subsections of the merged final config for rspamd. Most of the config snippets in the official rspamd documentation are made to these files and so it makes sense for NixOS to support them and this is what this commit does. As part of rspamd 1.8.1 support was added for having custom Lua rules stored in $LOCAL_CONFDIR/rspamd.local.lua which means that it is now possible for NixOS to support such rules and so this commit also adds support for this to the rspamd module.
2018-11-01 23:55:44 +01:00
locals = mkOption {
nixos/rspamd: Fix enable for locals and overrides When implementing #49620 I included an enable option for both the locals and overrides options but the code writing the files didn't actually look at enable and so would write the file regardless of its value. I also set the type to loaOf which should have been attrsOf since the code was not written to handle the options being lists. This fixes both of those issues.
2018-11-05 17:50:34 +01:00
type = with types; attrsOf (submodule (configFileModule "locals"));
nixos/rspamd: Add support for included files By default rspamd will look for multiple files in /etc/rspamd/local.d and /etc/rspamd/override.d to be included in subsections of the merged final config for rspamd. Most of the config snippets in the official rspamd documentation are made to these files and so it makes sense for NixOS to support them and this is what this commit does. As part of rspamd 1.8.1 support was added for having custom Lua rules stored in $LOCAL_CONFDIR/rspamd.local.lua which means that it is now possible for NixOS to support such rules and so this commit also adds support for this to the rspamd module.
2018-11-01 23:55:44 +01:00
default = { };
description = ''
Local configuration files, written into {file}`/etc/rspamd/local.d/{name}`.
'';
nixos/doc: clean up defaults and examples
2021-10-03 18:06:03 +02:00
example = literalExpression ''
nixos/rspamd: Add support for included files By default rspamd will look for multiple files in /etc/rspamd/local.d and /etc/rspamd/override.d to be included in subsections of the merged final config for rspamd. Most of the config snippets in the official rspamd documentation are made to these files and so it makes sense for NixOS to support them and this is what this commit does. As part of rspamd 1.8.1 support was added for having custom Lua rules stored in $LOCAL_CONFDIR/rspamd.local.lua which means that it is now possible for NixOS to support such rules and so this commit also adds support for this to the rspamd module.
2018-11-01 23:55:44 +01:00
{ "redis.conf".source = "/nix/store/.../etc/dir/redis.conf";
"arc.conf".text = "allow_envfrom_empty = true;";
}
'';
};
overrides = mkOption {
nixos/rspamd: Fix enable for locals and overrides When implementing #49620 I included an enable option for both the locals and overrides options but the code writing the files didn't actually look at enable and so would write the file regardless of its value. I also set the type to loaOf which should have been attrsOf since the code was not written to handle the options being lists. This fixes both of those issues.
2018-11-05 17:50:34 +01:00
type = with types; attrsOf (submodule (configFileModule "overrides"));
nixos/rspamd: Add support for included files By default rspamd will look for multiple files in /etc/rspamd/local.d and /etc/rspamd/override.d to be included in subsections of the merged final config for rspamd. Most of the config snippets in the official rspamd documentation are made to these files and so it makes sense for NixOS to support them and this is what this commit does. As part of rspamd 1.8.1 support was added for having custom Lua rules stored in $LOCAL_CONFDIR/rspamd.local.lua which means that it is now possible for NixOS to support such rules and so this commit also adds support for this to the rspamd module.
2018-11-01 23:55:44 +01:00
default = { };
description = ''
Overridden configuration files, written into {file}`/etc/rspamd/override.d/{name}`.
'';
nixos/doc: clean up defaults and examples
2021-10-03 18:06:03 +02:00
example = literalExpression ''
nixos/rspamd: Add support for included files By default rspamd will look for multiple files in /etc/rspamd/local.d and /etc/rspamd/override.d to be included in subsections of the merged final config for rspamd. Most of the config snippets in the official rspamd documentation are made to these files and so it makes sense for NixOS to support them and this is what this commit does. As part of rspamd 1.8.1 support was added for having custom Lua rules stored in $LOCAL_CONFDIR/rspamd.local.lua which means that it is now possible for NixOS to support such rules and so this commit also adds support for this to the rspamd module.
2018-11-01 23:55:44 +01:00
{ "redis.conf".source = "/nix/store/.../etc/dir/redis.conf";
"arc.conf".text = "allow_envfrom_empty = true;";
}
'';
};
localLuaRules = mkOption {
default = null;
type = types.nullOr types.path;
description = ''
Path of file to link to {file}`/etc/rspamd/rspamd.local.lua` for local
rules written in Lua
'';
};
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
workers = mkOption {
type = with types; attrsOf (submodule workerOpts);
rspamd: configurable bindSocket and bindUISocket
2016-03-25 16:12:59 +02:00
description = ''
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
Attribute set of workers to start.
'';
default = {
normal = { };
controller = { };
};
nixos/doc: clean up defaults and examples
2021-10-03 18:06:03 +02:00
example = literalExpression ''
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
{
normal = {
includes = [ "$CONFDIR/worker-normal.inc" ];
bindSockets = [{
socket = "/run/rspamd/rspamd.sock";
mode = "0660";
treewide: make option examples constant escape interpolations in examples, or replace them where they are not useful.
2021-12-05 22:01:03 +01:00
owner = "''${config.${opt.user}}";
group = "''${config.${opt.group}}";
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
}];
};
controller = {
includes = [ "$CONFDIR/worker-controller.inc" ];
bindSockets = [ "[::1]:11334" ];
};
}
rspamd: configurable bindSocket and bindUISocket
2016-03-25 16:12:59 +02:00
'';
};
nixos/rspamd: add extraConfig parameter (#33226)
2017-12-31 16:11:15 +01:00
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
Extra configuration to add at the end of the rspamd configuration
file.
'';
};
nixos: Add module for rspamd
2016-01-12 11:06:46 +02:00
user = mkOption {
nixos/modules: Remove all usages of types.string And replace them with a more appropriate type Also fix up some minor module problems along the way
2019-08-08 22:48:27 +02:00
type = types.str;
nixos: Add module for rspamd
2016-01-12 11:06:46 +02:00
default = "rspamd";
description = ''
User to use when no root privileges are required.
'';
nixos/rspamd: Add defaults for rspamd_proxy worker
2018-11-06 00:32:14 +01:00
};
nixos: Add module for rspamd
2016-01-12 11:06:46 +02:00
group = mkOption {
nixos/modules: Remove all usages of types.string And replace them with a more appropriate type Also fix up some minor module problems along the way
2019-08-08 22:48:27 +02:00
type = types.str;
nixos: Add module for rspamd
2016-01-12 11:06:46 +02:00
default = "rspamd";
description = ''
Group to use when no root privileges are required.
'';
nixos/rspamd: Add options for postfix integration The `rmilter` module has options for configuring `postfix` to use it but since that module is deprecated because rspamd now has a builtin worker that supports the milter protocol this commit adds similar `postfix` integration options directly to the `rspamd` module.
2018-11-06 00:40:52 +01:00
};
postfix = {
enable = mkOption {
type = types.bool;
default = false;
description = "Add rspamd milter to postfix main.conf";
};
config = mkOption {
nixos/modules: Replace all nested types.either's with types.oneOf's
2019-08-08 23:35:52 +02:00
type =
with types;
attrsOf (oneOf [
bool
str
(listOf str)
]);
nixos/rspamd: Add options for postfix integration The `rmilter` module has options for configuring `postfix` to use it but since that module is deprecated because rspamd now has a builtin worker that supports the milter protocol this commit adds similar `postfix` integration options directly to the `rspamd` module.
2018-11-06 00:40:52 +01:00
description = ''
Addon to postfix configuration
'';
default = {
smtpd_milters = [ "unix:/run/rspamd/rspamd-milter.sock" ];
non_smtpd_milters = [ "unix:/run/rspamd/rspamd-milter.sock" ];
};
};
};
nixos: Add module for rspamd
2016-01-12 11:06:46 +02:00
};
};
###### implementation
config = mkIf cfg.enable {
nixos/rspamd: Put extraConfig in included files The lines stored in `extraConfig` and `worker.<name?>.extraConfig` should take precedent over values from included files but in order to do this in rspamd UCL they need to be stored in a file that then gets included with a high priority. This commit uses the overrides option to store the value of the two `extraConfig` options in `extra-config.inc` and `worker-<name?>.inc` respectively.
2018-11-06 00:34:23 +01:00
services.rspamd.overrides = configOverrides;
nixos/rspamd: Add options for postfix integration The `rmilter` module has options for configuring `postfix` to use it but since that module is deprecated because rspamd now has a builtin worker that supports the milter protocol this commit adds similar `postfix` integration options directly to the `rspamd` module.
2018-11-06 00:40:52 +01:00
services.rspamd.workers = mkIf cfg.postfix.enable {
controller = { };
rspamd_proxy = {
bindSockets = [
{
mode = "0660";
socket = "/run/rspamd/rspamd-milter.sock";
owner = cfg.user;
group = postfixCfg.group;
}
];
extraConfig = ''
upstream "local" {
default = yes; # Self-scan upstreams are always default
self_scan = yes; # Enable self-scan
}
'';
};
};
services.postfix.config = mkIf cfg.postfix.enable cfg.postfix.config;
nixos: Add module for rspamd
2016-01-12 11:06:46 +02:00
nixos/rspamd: Avoid empty postfix service
2021-08-22 03:05:43 +02:00
systemd.services.postfix = mkIf cfg.postfix.enable {
serviceConfig.SupplementaryGroups = [ postfixCfg.group ];
};
nixos/rspamd: fix postfix integration
2020-11-29 12:51:53 +01:00
nixos: Add module for rspamd
2016-01-12 11:06:46 +02:00
# Allow users to run 'rspamc' and 'rspamadm'.
environment.systemPackages = [ pkgs.rspamd ];
treewide: use attrs instead of list for types.loaOf options
2019-09-14 19:51:29 +02:00
users.users.${cfg.user} = {
nixos: Add module for rspamd
2016-01-12 11:06:46 +02:00
description = "rspamd daemon";
uid = config.ids.uids.rspamd;
group = cfg.group;
};
treewide: use attrs instead of list for types.loaOf options
2019-09-14 19:51:29 +02:00
users.groups.${cfg.group} = {
rspamd: configurable bindSocket and bindUISocket
2016-03-25 16:12:59 +02:00
gid = config.ids.gids.rspamd;
nixos: Add module for rspamd
2016-01-12 11:06:46 +02:00
};
treewide: remove redundant quotes
2019-08-13 21:52:01 +00:00
environment.etc.rspamd.source = rspamdDir;
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
nixos: Add module for rspamd
2016-01-12 11:06:46 +02:00
systemd.services.rspamd = {
description = "Rspamd Service";
nixos/rspamd: Remove non-working socket activation The socket activation I added to the rspamd module doesn't actually work and can't be made to work without changes to rspamd. See: #47421 See: rspamd/rspamd#2035
2018-09-28 04:00:24 +02:00
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
nixos/rspamd: Add support for included files By default rspamd will look for multiple files in /etc/rspamd/local.d and /etc/rspamd/override.d to be included in subsections of the merged final config for rspamd. Most of the config snippets in the official rspamd documentation are made to these files and so it makes sense for NixOS to support them and this is what this commit does. As part of rspamd 1.8.1 support was added for having custom Lua rules stored in $LOCAL_CONFDIR/rspamd.local.lua which means that it is now possible for NixOS to support such rules and so this commit also adds support for this to the rspamd module.
2018-11-01 23:55:44 +01:00
restartTriggers = [ rspamdDir ];
nixos: Add module for rspamd
2016-01-12 11:06:46 +02:00
serviceConfig = {
nixos/rspamd: add systemd service sandbox Drop preStart script in favour of systemd StateDirectory parameter.
2020-07-16 04:15:44 +02:00
ExecStart = "${pkgs.rspamd}/bin/rspamd ${optionalString cfg.debug "-d"} -c /etc/rspamd/rspamd.conf -f";
nixos: Add module for rspamd
2016-01-12 11:06:46 +02:00
Restart = "always";
nixos/rspamd: add systemd service sandbox Drop preStart script in favour of systemd StateDirectory parameter.
2020-07-16 04:15:44 +02:00
User = "${cfg.user}";
Group = "${cfg.group}";
nixos/rspamd: fix postfix integration
2020-11-29 12:51:53 +01:00
SupplementaryGroups = mkIf cfg.postfix.enable [ postfixCfg.group ];
nixos/rspamd: add systemd service sandbox Drop preStart script in favour of systemd StateDirectory parameter.
2020-07-16 04:15:44 +02:00
rspamd service: fix runtime directory, log to syslog Fixes #17144.
2016-07-28 06:03:38 +02:00
RuntimeDirectory = "rspamd";
nixos/rspamd: add systemd service sandbox Drop preStart script in favour of systemd StateDirectory parameter.
2020-07-16 04:15:44 +02:00
RuntimeDirectoryMode = "0755";
StateDirectory = "rspamd";
StateDirectoryMode = "0700";
nixos/rspamd: fixup cosmetics
2020-07-18 12:25:07 +02:00
AmbientCapabilities = [ ];
nixos/rspamd: Fix CapabilityBoundingSet option An empty list results in no CapabilityBoundingSet at all, an empty string however will set `CapabilityBoundingSet=`, which represents a closed set. Related: #120617
2021-04-25 20:26:22 +02:00
CapabilityBoundingSet = "";
nixos/rspamd: add systemd service sandbox Drop preStart script in favour of systemd StateDirectory parameter.
2020-07-16 04:15:44 +02:00
DevicePolicy = "closed";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
rspamd service: fix runtime directory, log to syslog Fixes #17144.
2016-07-28 06:03:38 +02:00
PrivateTmp = true;
nixos/rspamd: fix postfix integration
2020-11-29 12:51:53 +01:00
# we need to chown socket to rspamd-milter
PrivateUsers = !cfg.postfix.enable;
nixos/rspamd: add systemd service sandbox Drop preStart script in favour of systemd StateDirectory parameter.
2020-07-16 04:15:44 +02:00
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
nixos/rspamd: fixup cosmetics
2020-07-18 12:25:07 +02:00
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
nixos/rspamd: add systemd service sandbox Drop preStart script in favour of systemd StateDirectory parameter.
2020-07-16 04:15:44 +02:00
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = "@system-service";
UMask = "0077";
nixos: Add module for rspamd
2016-01-12 11:06:46 +02:00
};
};
};
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
imports = [
nixos/rspamd: Remove non-working socket activation The socket activation I added to the rspamd module doesn't actually work and can't be made to work without changes to rspamd. See: #47421 See: rspamd/rspamd#2035
2018-09-28 04:00:24 +02:00
(mkRemovedOptionModule [
"services"
"rspamd"
"socketActivation"
nixos/*: fix indentation
2020-11-22 17:23:53 +10:00
] "Socket activation never worked correctly and could at this time not be fixed and so was removed")
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
(mkRenamedOptionModule
[ "services" "rspamd" "bindSocket" ]
[ "services" "rspamd" "workers" "normal" "bindSockets" ]
)
(mkRenamedOptionModule
[ "services" "rspamd" "bindUISocket" ]
[ "services" "rspamd" "workers" "controller" "bindSockets" ]
)
nixos/treewide: Move rename.nix imports to their respective modules A centralized list for these renames is not good because: - It breaks disabledModules for modules that have a rename defined - Adding/removing renames for a module means having to find them in the central file - Merge conflicts due to multiple people editing the central file
2019-12-10 02:51:19 +01:00
(mkRemovedOptionModule [
"services"
"rmilter"
] "Use services.rspamd.* instead to set up milter service")
nixos/rspamd: options for worker configuration and socket activation
2018-02-03 19:04:31 +01:00
];
nixos: Add module for rspamd
2016-01-12 11:06:46 +02:00
}
Reference in a new issue Copy permalink