{ config, lib, ... }: let mail_config = config.mailserver; postfixCfg = config.services.postfix; rspamdCfg = config.services.rspamd; rspamdSocket = "rspamd.service"; in { config = lib.mkIf (mail_config.enable) { services.rspamd = { enable = true; debug = mail_config.debug_mode; locals = { "milter_headers.conf" = { text = '' extended_spam_headers = yes; ''; }; "redis.conf" = { text = '' servers = "127.0.0.1:${toString mail_config.rspamd_redis_port}"; ''; }; "classifier-bayes.conf" = { text = '' cache { backend = "redis"; } min_learns = 5; ''; }; "dkim_signing.conf" = { text = '' # opendkim does this enabled = false; ''; }; }; overrides = { "milter_headers.conf" = { text = '' extended_spam_headers = true; ''; }; }; workers.rspamd_proxy = { type = "rspamd_proxy"; bindSockets = [ { socket = "/run/rspamd/rspamd-milter.sock"; mode = "0664"; } ]; count = 1; extraConfig = '' milter = yes; timeout = 120s; upstream "local" { default = yes; self_scan = yes; } ''; }; workers.controller = { type = "controller"; count = 1; bindSockets = [ { socket = "/run/rspamd/worker-controller.sock"; mode = "0666"; } ]; includes = []; }; }; services.redis.servers.rspamd = { enable = true; port = mail_config.rspamd_redis_port; }; systemd.services.rspamd = { requires = ["redis-rspamd.service"]; after = ["redis-rspamd.service"]; }; systemd.services.postfix = { after = [rspamdSocket]; requires = [rspamdSocket]; }; users.extraUsers.${postfixCfg.user}.extraGroups = [rspamdCfg.group]; }; }