mailsystem: rspamd: Add configuration options to make rspamd's web ui accessible

2024-12-05 15:38:11 +01:00 · 2024-12-05 15:38:11 +01:00 · aff4f9117f
commit aff4f9117f
parent aacf9a9b8c
1 changed files with 41 additions and 1 deletions
--- a/mailsystem/rspamd.nix
+++ b/mailsystem/rspamd.nix
@ -6,6 +6,7 @@
 }:
 with (import ./common.nix {inherit config;}); let
  cfg = config.mailsystem;
+  nginxCfg = config.services.nginx;
  postfixCfg = config.services.postfix;
  redisCfg = config.services.redis.servers.rspamd;
  rspamdCfg = config.services.rspamd;
@ -24,7 +25,27 @@ with (import ./common.nix {inherit config;}); let
    };
  };
 in {
+  options.mailsystem.rspamd.webUi = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Whether to enable the rspamd webui on `https://${config.mailsystem.fqdn}/rspamd`";
+    };
+
+    basicAuthFile = lib.mkOption {
+      type = lib.types.str;
+      description = "Path to basic auth file (entries can be generated using htpasswd)";
+    };
+  };
+
  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = !cfg.rspamd.webUi.enable || cfg.rspamd.webUi.basicAuthFile != null;
+        message = "Setting basicAuthFile is required if rspamd's web interface is enabled";
+      }
+    ];
+
    services.rspamd = {
      enable = true;
      overrides = {
@ -47,6 +68,12 @@ in {
            servers = "${redisCfg.unixSocket}";
          '';
        };
+        "worker-controller.inc" = lib.mkIf cfg.rspamd.webUi.enable {
+          text = ''
+            secure_ip = "0.0.0.0/0";
+            secure_ip = "::/0";
+          '';
+        };
      };

      workers = {
@ -76,12 +103,25 @@ in {

    systemd.sockets = {
      rspamd-proxy = genSystemdSocketCfg "proxy" rspamdProxySocket postfixCfg.user;
-      rspamd-controller = genSystemdSocketCfg "controller" rspamdControllerSocket "";
+      rspamd-controller = genSystemdSocketCfg "controller" rspamdControllerSocket (
+        lib.optionalString cfg.rspamd.webUi.enable nginxCfg.user
+      );
    };

    systemd.services.rspamd = {
      requires = ["redis-rspamd.service"];
      after = ["redis-rspamd.service"];
    };
+
+    services.nginx = lib.mkIf cfg.rspamd.webUi.enable {
+      enable = true;
+      virtualHosts."${cfg.fqdn}" = {
+        forceSSL = true;
+        locations."/rspamd" = {
+          proxyPass = "http://unix:${rspamdControllerSocket}:/";
+          basicAuthFile = cfg.rspamd.webUi.basicAuthFile;
+        };
+      };
+    };
  };
 }