From aff4f9117fc916a4bb1b440e15fcb86e3cd23325 Mon Sep 17 00:00:00 2001
From: Thomas Preisner
Date: Thu, 5 Dec 2024 15:38:11 +0100
Subject: [PATCH] mailsystem: rspamd: Add configuration options to make rspamd's web ui accessible
---
 mailsystem/rspamd.nix | 42 +++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)
diff --git a/mailsystem/rspamd.nix b/mailsystem/rspamd.nix
index d9f3b51..9117072 100644
--- a/mailsystem/rspamd.nix
+++ b/mailsystem/rspamd.nix
@@ -6,6 +6,7 @@
 }:
 with (import ./common.nix {inherit config;}); let
 cfg = config.mailsystem;
+ nginxCfg = config.services.nginx;
 postfixCfg = config.services.postfix;
 redisCfg = config.services.redis.servers.rspamd;
 rspamdCfg = config.services.rspamd;
@@ -24,7 +25,27 @@ with (import ./common.nix {inherit config;}); let
 };
 };
 in {
+ options.mailsystem.rspamd.webUi = {
+ enable = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "Whether to enable the rspamd webui on `https://${config.mailsystem.fqdn}/rspamd`";
+ };
+
+ basicAuthFile = lib.mkOption {
+ type = lib.types.str;
+ description = "Path to basic auth file (entries can be generated using htpasswd)";
+ };
+ };
+
 config = lib.mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = !cfg.rspamd.webUi.enable || cfg.rspamd.webUi.basicAuthFile != null;
+ message = "Setting basicAuthFile is required if rspamd's web interface is enabled";
+ }
+ ];
+
 services.rspamd = {
 enable = true;
 overrides = {
@@ -47,6 +68,12 @@ in {
 servers = "${redisCfg.unixSocket}";
 '';
 };
+ "worker-controller.inc" = lib.mkIf cfg.rspamd.webUi.enable {
+ text = ''
+ secure_ip = "0.0.0.0/0";
+ secure_ip = "::/0";
+ '';
+ };
 };
 workers = {
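Review bot: The assertion added under `config = lib.mkIf cfg.enable` can never fail as written, because `basicAuthFile` is declared as `lib.types.str` with no default: when the option is unset and `webUi.enable` is true, evaluating `cfg.rspamd.webUi.basicAuthFile` inside the assertion expression aborts with the generic "option is used but not defined" error before the `assertions` check runs, so the friendly `message` is never shown. Declaring it as `type = lib.types.nullOr lib.types.str;` with `default = null;` makes the `!= null` comparison meaningful and lets the assertion fire. Since `webUi.enable` defaults to true, every host that enables `mailsystem` must now set `basicAuthFile`; that is a sensible fail-closed default, but it is worth stating in the option description so the new evaluation failure is not a surprise on existing deployments.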
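Review bot: The two `secure_ip` lines in `worker-controller.inc` list every IPv4 and IPv6 address as networks for which rspamd's controller requires no password, and nothing in the hunk records why that is acceptable; the safety argument lives in the other hunks (the controller is reachable only through `rspamdControllerSocket`, whose systemd socket is handed to the nginx user, and nginx basic auth is the only authentication layer). A comment above `text` should capture that, e.g. `# controller listens only on its unix socket; nginx basic auth is the sole authentication layer, so never add a TCP bind_socket here`, so a later change that adds a TCP listener to the controller worker does not silently expose an unauthenticated controller. It appears rspamd already treats clients connecting over a unix socket as trusted regardless of `secure_ip`, in which case these two lines are redundant; please confirm against the rspamd version in use and note the outcome in the same comment.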
@@ -76,12 +103,25 @@ in {
 systemd.sockets = {
 rspamd-proxy = genSystemdSocketCfg "proxy" rspamdProxySocket postfixCfg.user;
- rspamd-controller = genSystemdSocketCfg "controller" rspamdControllerSocket "";
+ rspamd-controller = genSystemdSocketCfg "controller" rspamdControllerSocket (
+ lib.optionalString cfg.rspamd.webUi.enable nginxCfg.user
+ );
 };
 systemd.services.rspamd = {
 requires = ["redis-rspamd.service"];
 after = ["redis-rspamd.service"];
 };
+
+ services.nginx = lib.mkIf cfg.rspamd.webUi.enable {
+ enable = true;
+ virtualHosts."${cfg.fqdn}" = {
+ forceSSL = true;
+ locations."/rspamd" = {
+ proxyPass = "http://unix:${rspamdControllerSocket}:/";
+ basicAuthFile = cfg.rspamd.webUi.basicAuthFile;
+ };
+ };
+ };
 };
 }
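Review bot: `locations."/rspamd"` has no trailing slash, so the prefix also matches paths such as `/rspamdfoo`, and because `proxyPass` carries a URI part (`:/`) nginx replaces the matched prefix with it, forwarding `/rspamd/stat` to the controller as `//stat`. Using `locations."/rspamd/" = {` matches the `location /rspamd/` form in rspamd's own nginx example and forwards `/rspamd/stat` as `/stat`; the option description's `/rspamd` link should then gain the trailing slash too. This location is the only authentication in front of the controller socket (the controller itself is configured to accept unauthenticated clients in the `worker-controller.inc` hunk), so it should remain the single place that proxies to `rspamdControllerSocket`. `forceSSL = true` assumes a certificate for `cfg.fqdn` is configured elsewhere in the module, which I cannot see from this hunk.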