move modules to mail host

hosts/mail.cloonar.com/modules/rspamd.nix

@@ -0,0 +1,131 @@
+{ pkgs
+, config
+, ...
+}:
+let
+  domain = config.networking.domain;
+
+  localConfig = pkgs.writeText "local.conf" ''
+    logging {
+      level = "notice";
+    }
+    classifier "bayes" {
+      autolearn = true;
+    }
+    dkim_signing {
+      path = "/var/lib/rspamd/dkim/$domain.$selector.key";
+      selector = "default";
+      allow_username_mismatch = true;
+    }
+    arc {
+      path = "/var/lib/rspamd/dkim/$domain.$selector.key";
+      selector = "default";
+      allow_username_mismatch = true;
+    }
+    milter_headers {
+      use = ["authentication-results", "x-spam-status"];
+      authenticated_headers = ["authentication-results"];
+    }
+    replies {
+      action = "no action";
+    }
+    url_reputation {
+      enabled = true;
+    }
+    phishing {
+      openphish_enabled = true;
+      # too much memory
+      #phishtank_enabled = true;
+    }
+    neural {
+      enabled = true;
+    }
+    neural_group {
+      symbols = {
+        "NEURAL_SPAM" {
+          weight = 3.0; # sample weight
+          description = "Neural network spam";
+        }
+        "NEURAL_HAM" {
+          weight = -3.0; # sample weight
+          description = "Neural network ham";
+        }
+      }
+    }
+  '';
+
+  sieve-spam-filter = pkgs.callPackage ../pkgs/sieve-spam-filter { };
+in
+{
+  services.rspamd = {
+    enable = true;
+    extraConfig = ''
+      .include(priority=1,duplicate=merge) "${localConfig}"
+    '';
+
+    postfix.enable = true;
+    workers.controller = {
+      extraConfig = ''
+        count = 1;
+        static_dir = "''${WWWDIR}";
+        password = "$2$7rb4gnnw8qbcy3x3m7au8c4mezecfjim$da4ahtt3gnjtbj7ni6bt1q8jwgqtzxp5ck6941m6prjxsz3udfgb";
+        enable_password = "$2$xo1qdd1zgozwto8yazr1o35zbarbzcgp$u8mx6hcsb1qdscejb4zadcb3iucmm4mw6btgmim9h6e5d8cpy5ib";
+      '';
+    };
+  };
+
+  services.dovecot2 = {
+    mailboxes.Spam = {
+      auto = "subscribe";
+      specialUse = "Junk";
+    };
+    extraConfig = ''
+      protocol imap {
+        mail_plugins = $mail_plugins imap_sieve
+      }
+
+      plugin {
+        sieve_plugins = sieve_imapsieve sieve_extprograms
+
+        # From elsewhere to Spam folder
+        imapsieve_mailbox1_name = Spam
+        imapsieve_mailbox1_causes = COPY
+        imapsieve_mailbox1_before = file:/var/lib/dovecot/sieve/report-spam.sieve
+
+        # From Spam folder to elsewhere
+        imapsieve_mailbox2_name = *
+        imapsieve_mailbox2_from = Spam
+        imapsieve_mailbox2_causes = COPY
+        imapsieve_mailbox2_before = file:/var/lib/dovecot/sieve/report-ham.sieve
+
+        # Move Spam emails to Spam folder
+        sieve_before = /var/lib/dovecot/sieve/move-to-spam.sieve
+
+        sieve_pipe_bin_dir = ${sieve-spam-filter}/bin
+        sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
+      }
+    '';
+  };
+
+  services.nginx.enable = true;
+  services.nginx.virtualHosts."rspamd.${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    locations."/".extraConfig = ''
+      proxy_pass http://localhost:11334;
+    '';
+  };
+
+  # systemd.services.rspamd.serviceConfig.SupplementaryGroups = [ "redis-rspamd" ];
+
+  systemd.services.dovecot2.preStart = ''
+    mkdir -p /var/lib/dovecot/sieve/
+    for i in ${sieve-spam-filter}/share/sieve-rspamd-filter/*.sieve; do
+      dest="/var/lib/dovecot/sieve/$(basename $i)"
+      cp "$i" "$dest"
+      ${pkgs.dovecot_pigeonhole}/bin/sievec "$dest"
+    done
+    chown -R "${config.services.dovecot2.mailUser}:${config.services.dovecot2.mailGroup}" /var/lib/dovecot/sieve
+  '';
+}