nixos/colony: Add mail server

This commit is contained in:
Jack O'Sullivan 2023-08-26 23:26:19 +01:00
parent 5804b683d4
commit ea03795dca
5 changed files with 74 additions and 3 deletions


@ -233,6 +233,16 @@ rec {
v4 = subnet 8 3 all.v4;
v6 = subnet 4 3 all.v6;
};
cust = {
v4 = subnet 8 100 all.v4; # single ip for routing only
v6 = "2a0e:97c0:4d2:2000::/56";
};
mail = {
v4 = "94.142.241.227/32";
v6 = subnet 8 0 cust.v6;
};
vip1 = "94.142.241.224/30";
vip2 = "94.142.242.254/31";
};
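Review bot: `v4 = "94.142.241.227/32";` in the new `mail` block lies inside `vip1 = "94.142.241.224/30"` two lines below, and nothing records that the mail address is carved out of the vip1 range. The other hunks in this commit suggest that is intentional (estuary routes `vip1` to colony, colony routes the mail /32 to `vm-mail`), so a comment such as `# carved out of vip1; estuary routes vip1 to colony, colony routes this /32 to vm-mail` would stop the next reader from treating the overlap as a bug; if it is not intentional, the two prefixes conflict. Unlike `cust`, the address is also a literal rather than derived with `subnet`, which is fine but is one more reason to document the relationship.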


@ -230,6 +230,29 @@ in
matchConfig.Name = "vms0";
networkConfig.Bridge = "vms";
};
"90-vm-mail" = {
matchConfig.Name = "vm-mail";
address = [
(net.cidr.subnet 8 1 prefixes.cust.v4)
prefixes.mail.v6
];
networkConfig = {
IPv6AcceptRA = false;
IPv6SendRA = true;
};
ipv6Prefixes = [
{
ipv6PrefixConfig.Prefix = prefixes.mail.v6;
}
];
routes = map (r: { routeConfig = r; }) [
{
Destination = prefixes.mail.v4;
Scope = "link";
}
];
};
};
};
};
@ -260,10 +283,12 @@ in
firewall = {
trustedInterfaces = [ "vms" ];
extraRules = ''
define cust = { vm-mail }
table inet filter {
chain forward {
# Trust that the outer firewall has done the filtering!
iifname base oifname vms accept
iifname base oifname { vms, $cust } accept
iifname $cust accept # trust for now...
}
}
'';
@ -282,6 +307,7 @@ in
"oci"
"vm-estuary-persist"
"vm-whale2-persist"
"vm-mail-data"
];
compression = "zstd,5";
extraCreateArgs = [ "--stats" ];
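Review bot: `iifname $cust accept # trust for now...` in the `forward` chain lets anything arriving from `vm-mail` be forwarded to every other interface on this host, including the `vms` bridge and whatever `base` reaches, so a compromised mail VM would have unfiltered lateral reach into the colony network. The estuary hunk in this same commit already forwards internet traffic to `prefixes.mail.v4` unconditionally, so this host appears to be the only place the VM's outbound side is constrained at all. A tighter default that still gives the VM its uplink (`base` looks like the link toward estuary) would be `iifname $cust oifname base accept`, adding specific `oifname vms` rules only for services the mail VM must reach; if full trust is deliberate, replace `# trust for now...` with a comment stating why and what is meant to revisit it. The enclosing `extraRules` string and `firewall` attribute set start and end outside this hunk.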


@ -30,7 +30,8 @@
backend = {
driver = "file";
#filename = "${systems.installer.configuration.config.my.buildAs.iso}/iso/nixos-installer-devplayer0.iso";
filename = "/persist/home/dev/nixos-installer-devplayer0.iso";
#filename = "/persist/home/dev/nixos-installer-devplayer0.iso";
filename = "/persist/home/dev/debian-12.1.0-amd64-netinst.iso";
read-only = "on";
};
format.driver = "raw";
@ -197,6 +198,25 @@
}
]);
};
mail = {
uuid = "fd95fe0f-c204-4dd5-b16f-2b808e14a43a";
cpu = "host,topoext";
smp = {
cpus = 3;
threads = 2;
};
memory = 8192;
networks.public = {
bridge = null;
mac = "52:54:00:a8:d1:03";
};
cleanShutdown.timeout = 120;
drives = [
(mkMerge [ (vmLVM "mail" "root") { frontendOpts.bootindex = 0; } ])
(vmLVM "mail" "data")
];
};
};
};
};
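Review bot: The installer-ISO switch in the first hunk stacks a second commented-out `#filename = ...` line on top of the first, so the `backend` block now carries two dead alternatives; drop both (the history is in git) or keep a single one with a note saying why it is retained. That hunk is also unrelated to adding the mail VM and would bisect more cleanly as its own commit. In the `mail` definition, `bridge = null;` is the only hint that this VM appears to be routed rather than attached to the `vms` bridge; a comment like `# routed via the host's vm-mail interface (see the 90-vm-mail networkd unit), not bridged` next to it would tie the two files together. The enclosing `vms` attribute set closes outside the hunk.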


@ -315,6 +315,10 @@ in
Destination = lib.my.colony.prefixes.vip1;
Gateway = allAssignments.colony.routing.ipv4.address;
}
{
Destination = lib.my.colony.prefixes.cust.v6;
Gateway = allAssignments.colony.internal.ipv6.address;
}
] ++
(map (pName: [
{
@ -364,7 +368,7 @@ in
server.enable = true;
firewall = {
trustedInterfaces = [ "base" "as211024" ];
trustedInterfaces = [ "as211024" ];
udp.allowed = [ 5353 lib.my.kelder.vpn.port ];
tcp.allowed = [ 5353 "bgp" ];
nat = {
@ -409,6 +413,10 @@ in
define ixps = { frys-ix, nl-ix, fogixp, ifog-transit }
table inet filter {
chain input {
iifname base meta l4proto { udp, tcp } th dport domain accept
}
chain routing-tcp {
# Safe enough to allow all SSH
tcp dport ssh accept
@ -422,6 +430,9 @@ in
return
}
chain filter-routing {
ip daddr ${prefixes.mail.v4} accept
ip6 daddr ${prefixes.cust.v6} accept
tcp flags & (fin|syn|rst|ack) == syn ct state new jump routing-tcp
meta l4proto udp ct state new jump routing-udp
return
@ -434,6 +445,7 @@ in
chain forward {
iifname { wan, $ixps } oifname base jump filter-routing
oifname $ixps jump ixp
iifname base oifname { wan, $ixps } accept
oifname { as211024, kelder } accept
}
chain output {
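Review bot: `ip daddr ${prefixes.mail.v4} accept` and `ip6 daddr ${prefixes.cust.v6} accept` sit at the top of `filter-routing`, so every packet from `wan` or `$ixps` toward the mail VM or the whole customer /56 is forwarded before the `ct state new jump routing-tcp`/`routing-udp` port checks run; the edge no longer filters these destinations at all. That is at odds with the colony-side comment added in this same commit (`# Trust that the outer firewall has done the filtering!`), which assumes the opposite, so one of the two hosts has to own inbound filtering for the mail VM and nothing visible here does. Either restrict these lines to the services the mail VM exposes (for example `ip daddr ${prefixes.mail.v4} tcp dport { smtp, submission, imaps } accept`, using whichever ports are actually served) or add a comment above them stating that filtering is delegated to the VM's own firewall, and correct the colony comment to match. The `filter-routing` chain continues outside the hunk.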


@ -214,6 +214,9 @@ in
valheim IN A ${assignments.internal.ipv4.address}
valheim IN AAAA ${allAssignments.valheim-oci.internal.ipv6.address}
mail-vm IN A ${lib.my.net.cidr.host 0 lib.my.colony.prefixes.mail.v4}
mail-vm IN AAAA ${lib.my.net.cidr.host 1 lib.my.colony.prefixes.mail.v6}
andrey-cust IN A ${allAssignments.kelder.estuary.ipv4.address}
$TTL 3