diff --git a/mailsystem/rspamd.nix b/mailsystem/rspamd.nix index 7211f2b..6418a9b 100644 --- a/mailsystem/rspamd.nix +++ b/mailsystem/rspamd.nix @@ -25,7 +25,27 @@ with (import ./common.nix {inherit config;}); let }; }; in { + options.mailsystem.rspamd.webUi = { + enable = lib.mkOption { + type = lib.types.bool; + default = true; + description = "Whether to enable the rspamd webui on `https://${config.mailsystem.fqdn}/rspamd`"; + }; + + basicAuthFile = lib.mkOption { + type = lib.types.str; + description = "Path to basic auth file"; + }; + }; + config = lib.mkIf cfg.enable { + assertions = [ + { + assertion = !cfg.rspamd.webUi.enable || cfg.rspamd.webUi.basicAuthFile != null; + message = "Setting basicAuthFile is required if rspamd's web interface is enabled"; + } + ]; + services.rspamd = { enable = true; overrides = { @@ -48,6 +68,12 @@ in { servers = "${redisCfg.unixSocket}"; ''; }; + "worker-controller.inc" = lib.mkIf cfg.rspamd.webUi.enable { + text = '' + secure_ip = "0.0.0.0/0"; + secure_ip = "::/0"; + ''; + }; }; workers = { @@ -77,12 +103,25 @@ in { systemd.sockets = { rspamd-proxy = genSystemdSocketCfg "proxy" rspamdProxySocket postfixCfg.user; - rspamd-controller = genSystemdSocketCfg "controller" rspamdControllerSocket ""; + rspamd-controller = genSystemdSocketCfg "controller" rspamdControllerSocket ( + lib.optionalString cfg.rspamd.webUi.enable nginxCfg.user + ); }; systemd.services.rspamd = { requires = ["redis-rspamd.service"]; after = ["redis-rspamd.service"]; }; + + services.nginx = lib.mkIf cfg.rspamd.webUi.enable { + enable = true; + virtualHosts."${cfg.fqdn}" = { + forceSSL = true; + locations."/rspamd" = { + proxyPass = "http://unix:${rspamdControllerSocket}:/"; + basicAuthFile = cfg.rspamd.webUi.basicAuthFile; + }; + }; + }; }; }