surtr: ...

author: Gregor Kleen <gkleen@yggdrasil.li> 2022-05-10 14:23:12 +0200
committer: Gregor Kleen <gkleen@yggdrasil.li> 2022-05-10 14:23:12 +0200
commit: 309ccbd03c262743cc339887e70082757b3cd247 (patch)
tree: 0ac49991dc451e94f29c863f0f2602bc3793b2ec
parent: 4f08f21232e31a31d76752f010c7b43b8f5e608f (diff)
download: nixos-309ccbd03c262743cc339887e70082757b3cd247.tar
nixos-309ccbd03c262743cc339887e70082757b3cd247.tar.gz
nixos-309ccbd03c262743cc339887e70082757b3cd247.tar.bz2
nixos-309ccbd03c262743cc339887e70082757b3cd247.tar.xz
nixos-309ccbd03c262743cc339887e70082757b3cd247.zip
4 files changed, 137 insertions, 18 deletions
diff --git a/hosts/surtr/email/ca/.gitignore b/hosts/surtr/email/ca/.gitignore
index bc1d3eaf..adafac92 100644
--- a/hosts/surtr/email/ca/.gitignore
+++ b/hosts/surtr/email/ca/.gitignore
@@ -2,4 +2,5 @@
 *.cnf
 *.old
 *.crt
+*.pkcs12
 certs
 \ No newline at end of file
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 5d366ac5..e005a3c1 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -3,12 +3,22 @@
 with lib;
 let
-  compileSieve = name: text: pkgs.runCommand name {} ''
+  dovecotSievePipeBin = pkgs.stdenv.mkDerivation {
-    mkdir $out
+    name = "dovecot-sieve-pipe-bin";
-    cp ${pkgs.writeText name ''
+    src = ./dovecot-pipe-bin;
-    ''} $out/${name}
+    buildInputs = with pkgs; [ makeWrapper coreutils bash rspamd ];
-    ${pkgs.dovecot_pigeonhole}/bin/sievec $out/${name}
+    buildCommand = ''
-  '';
+      mkdir -p $out/pipe/bin
+      cp $src/* $out/pipe/bin/
+      chmod a+x $out/pipe/bin/*
+      patchShebangs $out/pipe/bin
+      for file in $out/pipe/bin/*; do
+        wrapProgram $file \
+          --set PATH "${pkgs.coreutils}/bin:${pkgs.rspamd}/bin"
+      done
+    '';
+  };
 in {
  config = {
    nixpkgs.overlays = [
@@ -193,7 +203,21 @@ in {
    services.rspamd = {
      enable = true;
      workers = {
-        controller = {};
+        controller = {
+          type = "controller";
+          count = 1;
+          bindSockets = [
+            { mode = "0660";
+              socket = "/run/rspamd/worker-controller.sock";
+              owner = config.services.rspamd.user;
+              group = config.services.rspamd.group;
+            }
+          ];
+          includes = [];
+          extraConfig = ''
+            static_dir = "''${WWWDIR}"; # Serve the web UI static assets
+          '';
+        };
        external = {
          type = "rspamd_proxy";
          bindSockets = [
@@ -205,6 +229,7 @@ in {
          ];
          extraConfig = ''
            milter = yes;
+            timeout = 120s;
            upstream "local" {
              default = yes;
@@ -269,7 +294,7 @@ in {
      };
    };
-    users.groups.${config.services.rspamd.group}.members = [ config.services.postfix.user ];
+    users.groups.${config.services.rspamd.group}.members = [ config.services.postfix.user "dovecot2" ];
    services.redis.servers.rspamd.enable = true;
@@ -281,8 +306,9 @@ in {
      sslServerCert = "/run/credentials/dovecot2.service/surtr.yggdrasil.li.pem";
      sslServerKey = "/run/credentials/dovecot2.service/surtr.yggdrasil.li.key.pem";
      sslCACert = toString ./ca/ca.crt;
-      mailLocation = "maildir:/var/lib/mail/%u/maildir:UTF-8";
+      mailLocation = "maildir:/var/lib/mail/%u/maildir:UTF-8:INDEX=/var/lib/dovecot/indices/%u";
-      modules = with pkgs; [ dovecot_pigeonhole ];
+      modules = with pkgs; [ dovecot_pigeonhole dovecot_fts_xapian ];
+      mailPlugins.globally.enable = [ "fts" "fts_xapian" ];
      protocols = [ "lmtp" "sieve" ];
      extraConfig = let
        dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" ''
@@ -377,6 +403,23 @@ in {
          separator = /
          inbox = yes
          prefix = 
+          mailbox Trash {
+            auto = no
+            special_use = \Trash
+          }
+          mailbox Drafts {
+            auto = no
+            special_use = \Drafts
+          }
+          mailbox Sent {
+            auto = subscribe
+            special_use = \Sent
+          }
+          mailbox "Sent Messages" {
+            auto = no
+            special_use = \Sent
+          }
        }
        plugin {
@@ -410,20 +453,89 @@ in {
        plugin {
          sieve_plugins = sieve_imapsieve
+          sieve = file:~/sieve;active=~/dovecot.sieve
          sieve_redirect_envelope_from = orig_recipient
          sieve_before = /etc/dovecot/sieve_before.d
+          sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
+          sieve_pipe_bin_dir = ${dovecotSievePipeBin}/pipe/bin
+          imapsieve_mailbox1_name = *
+          imapsieve_mailbox1_causes = FLAG
+          imapsieve_mailbox1_before = /etc/dovecot/sieve_flag.d
+        }
+        plugin {
+          plugin = fts fts_xapian
+          fts = xapian
+          fts_xapian = partial=2 full=20 attachments=1 verbose=1
+          fts_autoindex = yes
+          fts_enforced = no
+        }
+        service indexer-worker {
+          vsz_limit = ${toString (1024 * 1024 * 1024)}
        }
      '';
    };
-    environment.etc."dovecot/sieve_before.d/tag-junk.sieve".text = ''
+    systemd.services.dovecot-fts-xapian-optimize = {
-      require ["imap4flags"];
+      description = "Optimize dovecot indices for fts_xapian";
+      requisite = [ "dovecot2.service" ];
+      after = [ "dovecot2.service" ];
+      startAt = "*-*-* 22:00:00 Europe/Berlin";
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = "${pkgs.dovecot}/bin/doveadm fts optimize -A";
+        PrivateDevices = true;
+        PrivateNetwork = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectSystem = true;
+        PrivateTmp = true;
+      };
+    };
+    systemd.timers.dovecot-fts-xapian-optimize = {
+      timerConfig = {
+        RandomizedDelaySec = 4 * 3600;
+      };
+    };
+    environment.etc = {
+      "dovecot/sieve_before.d/tag-junk.sieve".text = ''
+        require ["imap4flags"];
-      if header :contains "X-Spam-Flag" "YES" {
+        if header :contains "X-Spam-Flag" "YES" {
-        addflag ["\\Junk"];
+          addflag ["\\Junk"];
-      }
+        }
-    '';
+      '';
+      "dovecot/sieve_flag.d/learn-junk.sieve".text = ''
+        require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables", "imap4flags"];
+        if environment :matches "imap.user" "*" {
+          set "username" "''${1}";
+        }
+        if environment :contains "imap.changedflags" "\\Junk" {
+          if hasflag "\\Junk" {
+            pipe :copy "learn_spam.sh" [ "''${username}" ];
+          } else {
+            if environment :matches "imap.mailbox" "*" {
+              set "mailbox" "''${1}";
+            }
+            if not string "''${mailbox}" "Trash" {
+              pipe :copy "learn_ham.sh" [ "''${username}" ];
+            }
+          }
+        }
+      '';
+    };
    security.dhparams = {
      params = {
@@ -452,7 +564,7 @@ in {
    systemd.services.dovecot2 = {
      preStart = ''
-        for f in /etc/dovecot/sieve_before.d/*.sieve; do
+        for f in /etc/dovecot/sieve_flag.d/*.sieve /etc/dovecot/sieve_before.d/*.sieve; do
          ${pkgs.dovecot_pigeonhole}/bin/sievec $f
        done
      '';
diff --git a/hosts/surtr/email/dovecot-pipe-bin/learn_ham.sh b/hosts/surtr/email/dovecot-pipe-bin/learn_ham.sh
new file mode 100644
index 00000000..6e0bb076
--- /dev/null
+++ b/hosts/surtr/email/dovecot-pipe-bin/learn_ham.sh
@@ -0,0 +1,3 @@
+#!/bin/bash -e
+exec rspamc -h /run/rspamd/worker-controller.sock learn_ham
diff --git a/hosts/surtr/email/dovecot-pipe-bin/learn_spam.sh b/hosts/surtr/email/dovecot-pipe-bin/learn_spam.sh
new file mode 100644
index 00000000..91dbd6c1
--- /dev/null
+++ b/hosts/surtr/email/dovecot-pipe-bin/learn_spam.sh
@@ -0,0 +1,3 @@
+#!/bin/bash -e
+exec rspamc -h /run/rspamd/worker-controller.sock learn_spam
author	Gregor Kleen <gkleen@yggdrasil.li>	2022-05-10 14:23:12 +0200
committer	Gregor Kleen <gkleen@yggdrasil.li>	2022-05-10 14:23:12 +0200
commit	309ccbd03c262743cc339887e70082757b3cd247 (patch)
tree	0ac49991dc451e94f29c863f0f2602bc3793b2ec
parent	4f08f21232e31a31d76752f010c7b43b8f5e608f (diff)
download	nixos-309ccbd03c262743cc339887e70082757b3cd247.tar nixos-309ccbd03c262743cc339887e70082757b3cd247.tar.gz nixos-309ccbd03c262743cc339887e70082757b3cd247.tar.bz2 nixos-309ccbd03c262743cc339887e70082757b3cd247.tar.xz nixos-309ccbd03c262743cc339887e70082757b3cd247.zip

diff --git a/hosts/surtr/email/ca/.gitignore b/hosts/surtr/email/ca/.gitignore index bc1d3eaf..adafac92 100644 --- a/hosts/surtr/email/ca/.gitignore +++ b/hosts/surtr/email/ca/.gitignore
@@ -2,4 +2,5 @@
2	*.cnf	2	*.cnf
3	*.old	3	*.old
4	*.crt	4	*.crt
		5	*.pkcs12
5	certs \ No newline at end of file	6	certs \ No newline at end of file


diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 5d366ac5..e005a3c1 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix
@@ -3,12 +3,22 @@
3	with lib;	3	with lib;
4		4
5	let	5	let
6	compileSieve = name: text: pkgs.runCommand name {} ''	6	dovecotSievePipeBin = pkgs.stdenv.mkDerivation {
7	mkdir $out	7	name = "dovecot-sieve-pipe-bin";
8	cp ${pkgs.writeText name ''	8	src = ./dovecot-pipe-bin;
9	''} $out/${name}	9	buildInputs = with pkgs; [ makeWrapper coreutils bash rspamd ];
10	${pkgs.dovecot_pigeonhole}/bin/sievec $out/${name}	10	buildCommand = ''
11	'';	11	mkdir -p $out/pipe/bin
		12	cp $src/* $out/pipe/bin/
		13	chmod a+x $out/pipe/bin/*
		14	patchShebangs $out/pipe/bin
		15
		16	for file in $out/pipe/bin/*; do
		17	wrapProgram $file \
		18	--set PATH "${pkgs.coreutils}/bin:${pkgs.rspamd}/bin"
		19	done
		20	'';
		21	};
12	in {	22	in {
13	config = {	23	config = {
14	nixpkgs.overlays = [	24	nixpkgs.overlays = [
@@ -193,7 +203,21 @@ in {
193	services.rspamd = {	203	services.rspamd = {
194	enable = true;	204	enable = true;
195	workers = {	205	workers = {
196	controller = {};	206	controller = {
		207	type = "controller";
		208	count = 1;
		209	bindSockets = [
		210	{ mode = "0660";
		211	socket = "/run/rspamd/worker-controller.sock";
		212	owner = config.services.rspamd.user;
		213	group = config.services.rspamd.group;
		214	}
		215	];
		216	includes = [];
		217	extraConfig = ''
		218	static_dir = "''${WWWDIR}"; # Serve the web UI static assets
		219	'';
		220	};
197	external = {	221	external = {
198	type = "rspamd_proxy";	222	type = "rspamd_proxy";
199	bindSockets = [	223	bindSockets = [
@@ -205,6 +229,7 @@ in {
205	];	229	];
206	extraConfig = ''	230	extraConfig = ''
207	milter = yes;	231	milter = yes;
		232	timeout = 120s;
208		233
209	upstream "local" {	234	upstream "local" {
210	default = yes;	235	default = yes;
@@ -269,7 +294,7 @@ in {
269	};	294	};
270	};	295	};
271		296
272	users.groups.${config.services.rspamd.group}.members = [ config.services.postfix.user ];	297	users.groups.${config.services.rspamd.group}.members = [ config.services.postfix.user "dovecot2" ];
273		298
274	services.redis.servers.rspamd.enable = true;	299	services.redis.servers.rspamd.enable = true;
275		300
@@ -281,8 +306,9 @@ in {
281	sslServerCert = "/run/credentials/dovecot2.service/surtr.yggdrasil.li.pem";	306	sslServerCert = "/run/credentials/dovecot2.service/surtr.yggdrasil.li.pem";
282	sslServerKey = "/run/credentials/dovecot2.service/surtr.yggdrasil.li.key.pem";	307	sslServerKey = "/run/credentials/dovecot2.service/surtr.yggdrasil.li.key.pem";
283	sslCACert = toString ./ca/ca.crt;	308	sslCACert = toString ./ca/ca.crt;
284	mailLocation = "maildir:/var/lib/mail/%u/maildir:UTF-8";	309	mailLocation = "maildir:/var/lib/mail/%u/maildir:UTF-8:INDEX=/var/lib/dovecot/indices/%u";
285	modules = with pkgs; [ dovecot_pigeonhole ];	310	modules = with pkgs; [ dovecot_pigeonhole dovecot_fts_xapian ];
		311	mailPlugins.globally.enable = [ "fts" "fts_xapian" ];
286	protocols = [ "lmtp" "sieve" ];	312	protocols = [ "lmtp" "sieve" ];
287	extraConfig = let	313	extraConfig = let
288	dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" ''	314	dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" ''
@@ -377,6 +403,23 @@ in {
377	separator = /	403	separator = /
378	inbox = yes	404	inbox = yes
379	prefix =	405	prefix =
		406
		407	mailbox Trash {
		408	auto = no
		409	special_use = \Trash
		410	}
		411	mailbox Drafts {
		412	auto = no
		413	special_use = \Drafts
		414	}
		415	mailbox Sent {
		416	auto = subscribe
		417	special_use = \Sent
		418	}
		419	mailbox "Sent Messages" {
		420	auto = no
		421	special_use = \Sent
		422	}
380	}	423	}
381		424
382	plugin {	425	plugin {
@@ -410,20 +453,89 @@ in {
410		453
411	plugin {	454	plugin {
412	sieve_plugins = sieve_imapsieve	455	sieve_plugins = sieve_imapsieve
413		456	sieve = file:~/sieve;active=~/dovecot.sieve
414	sieve_redirect_envelope_from = orig_recipient	457	sieve_redirect_envelope_from = orig_recipient
415	sieve_before = /etc/dovecot/sieve_before.d	458	sieve_before = /etc/dovecot/sieve_before.d
		459
		460	sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
		461	sieve_pipe_bin_dir = ${dovecotSievePipeBin}/pipe/bin
		462
		463	imapsieve_mailbox1_name = *
		464	imapsieve_mailbox1_causes = FLAG
		465	imapsieve_mailbox1_before = /etc/dovecot/sieve_flag.d
		466	}
		467
		468	plugin {
		469	plugin = fts fts_xapian
		470	fts = xapian
		471	fts_xapian = partial=2 full=20 attachments=1 verbose=1
		472
		473	fts_autoindex = yes
		474
		475	fts_enforced = no
		476	}
		477
		478	service indexer-worker {
		479	vsz_limit = ${toString (1024 * 1024 * 1024)}
416	}	480	}
417	'';	481	'';
418	};	482	};
419		483
420	environment.etc."dovecot/sieve_before.d/tag-junk.sieve".text = ''	484	systemd.services.dovecot-fts-xapian-optimize = {
421	require ["imap4flags"];	485	description = "Optimize dovecot indices for fts_xapian";
		486	requisite = [ "dovecot2.service" ];
		487	after = [ "dovecot2.service" ];
		488	startAt = "--* 22:00:00 Europe/Berlin";
		489	serviceConfig = {
		490	Type = "oneshot";
		491	ExecStart = "${pkgs.dovecot}/bin/doveadm fts optimize -A";
		492	PrivateDevices = true;
		493	PrivateNetwork = true;
		494	ProtectKernelTunables = true;
		495	ProtectKernelModules = true;
		496	ProtectControlGroups = true;
		497	ProtectHome = true;
		498	ProtectSystem = true;
		499	PrivateTmp = true;
		500	};
		501	};
		502	systemd.timers.dovecot-fts-xapian-optimize = {
		503	timerConfig = {
		504	RandomizedDelaySec = 4 * 3600;
		505	};
		506	};
		507
		508	environment.etc = {
		509	"dovecot/sieve_before.d/tag-junk.sieve".text = ''
		510	require ["imap4flags"];
422		511
423	if header :contains "X-Spam-Flag" "YES" {	512	if header :contains "X-Spam-Flag" "YES" {
424	addflag ["\\Junk"];	513	addflag ["\\Junk"];
425	}	514	}
426	'';	515	'';
		516
		517	"dovecot/sieve_flag.d/learn-junk.sieve".text = ''
		518	require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables", "imap4flags"];
		519
		520	if environment :matches "imap.user" "*" {
		521	set "username" "''${1}";
		522	}
		523
		524	if environment :contains "imap.changedflags" "\\Junk" {
		525	if hasflag "\\Junk" {
		526	pipe :copy "learn_spam.sh" [ "''${username}" ];
		527	} else {
		528	if environment :matches "imap.mailbox" "*" {
		529	set "mailbox" "''${1}";
		530	}
		531
		532	if not string "''${mailbox}" "Trash" {
		533	pipe :copy "learn_ham.sh" [ "''${username}" ];
		534	}
		535	}
		536	}
		537	'';
		538	};
427		539
428	security.dhparams = {	540	security.dhparams = {
429	params = {	541	params = {
@@ -452,7 +564,7 @@ in {
452		564
453	systemd.services.dovecot2 = {	565	systemd.services.dovecot2 = {
454	preStart = ''	566	preStart = ''
455	for f in /etc/dovecot/sieve_before.d/*.sieve; do	567	for f in /etc/dovecot/sieve_flag.d/.sieve /etc/dovecot/sieve_before.d/.sieve; do
456	${pkgs.dovecot_pigeonhole}/bin/sievec $f	568	${pkgs.dovecot_pigeonhole}/bin/sievec $f
457	done	569	done
458	'';	570	'';


diff --git a/hosts/surtr/email/dovecot-pipe-bin/learn_ham.sh b/hosts/surtr/email/dovecot-pipe-bin/learn_ham.sh new file mode 100644 index 00000000..6e0bb076 --- /dev/null +++ b/hosts/surtr/email/dovecot-pipe-bin/learn_ham.sh
@@ -0,0 +1,3 @@
		1	#!/bin/bash -e
		2
		3	exec rspamc -h /run/rspamd/worker-controller.sock learn_ham


diff --git a/hosts/surtr/email/dovecot-pipe-bin/learn_spam.sh b/hosts/surtr/email/dovecot-pipe-bin/learn_spam.sh new file mode 100644 index 00000000..91dbd6c1 --- /dev/null +++ b/hosts/surtr/email/dovecot-pipe-bin/learn_spam.sh
@@ -0,0 +1,3 @@
		1	#!/bin/bash -e
		2
		3	exec rspamc -h /run/rspamd/worker-controller.sock learn_spam