diff --git a/lib/default.nix b/lib/default.nix
index 97e8fc4..f666a1e 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -233,6 +233,16 @@ rec {
 v4 = subnet 8 3 all.v4;
 v6 = subnet 4 3 all.v6;
 };
+
+ cust = {
+ v4 = subnet 8 100 all.v4; # single ip for routing only
+ v6 = "2a0e:97c0:4d2:2000::/56";
+ };
+ mail = {
+ v4 = "94.142.241.227/32";
+ v6 = subnet 8 0 cust.v6;
+ };
+
 vip1 = "94.142.241.224/30";
 vip2 = "94.142.242.254/31";
 };
diff --git a/nixos/boxes/colony/default.nix b/nixos/boxes/colony/default.nix
index 8998631..9051d42 100644
--- a/nixos/boxes/colony/default.nix
+++ b/nixos/boxes/colony/default.nix
@@ -230,6 +230,29 @@ in
 matchConfig.Name = "vms0";
 networkConfig.Bridge = "vms";
 };
+
+ "90-vm-mail" = {
+ matchConfig.Name = "vm-mail";
+ address = [
+ (net.cidr.subnet 8 1 prefixes.cust.v4)
+ prefixes.mail.v6
+ ];
+ networkConfig = {
+ IPv6AcceptRA = false;
+ IPv6SendRA = true;
+ };
+ ipv6Prefixes = [
+ {
+ ipv6PrefixConfig.Prefix = prefixes.mail.v6;
+ }
+ ];
+ routes = map (r: { routeConfig = r; }) [
+ {
+ Destination = prefixes.mail.v4;
+ Scope = "link";
+ }
+ ];
+ };
 };
 };
 };
@@ -260,10 +283,12 @@ in
 firewall = {
 trustedInterfaces = [ "vms" ];
 extraRules = ''
+ define cust = { vm-mail }
 table inet filter {
 chain forward {
 # Trust that the outer firewall has done the filtering!
- iifname base oifname vms accept
+ iifname base oifname { vms, $cust } accept
+ iifname $cust accept # trust for now...
 }
 }
 '';
@@ -282,6 +307,7 @@ in
 "oci"
 "vm-estuary-persist"
 "vm-whale2-persist"
+ "vm-mail-data"
 ];
 compression = "zstd,5";
 extraCreateArgs = [ "--stats" ];
diff --git a/nixos/boxes/colony/vms/default.nix b/nixos/boxes/colony/vms/default.nix
index 6d8d9d1..000706d 100644
--- a/nixos/boxes/colony/vms/default.nix
+++ b/nixos/boxes/colony/vms/default.nix
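Review bot: `v4 = "94.142.241.227/32";` under `mail` lies inside the existing `vip1 = "94.142.241.224/30"` (.224–.227) two lines below, and unlike its neighbours it is a literal rather than derived from `all.v4` or `cust.v4`, so nothing in this file records that the overlap is intended. It looks deliberate — this commit adds no separate v4 route for it on estuary, presumably relying on the existing vip1 route, while colony installs a more specific /32 link route towards vm-mail — but a reader of lib/default.nix alone cannot tell. Suggest annotating the line: `v4 = "94.142.241.227/32"; # last address of vip1; colony routes it to vm-mail via a /32 link route`. The enclosing attribute set continues outside the hunk.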
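Review bot: The `"90-vm-mail"` unit configures only the host side of the link — the host takes `net.cidr.subnet 8 1 prefixes.cust.v4` and the bare `prefixes.mail.v6` prefix as addresses, advertises that /64 by RA and adds a gateway-less link-scope route to `prefixes.mail.v4` — so the guest is evidently expected to configure its own /32 and pick its own host address within the /64, and none of that is stated. A comment above the unit would save the next reader reconstructing it, e.g. `# point-to-point link to the mail VM; guest statically configures its v4 /32 and an address in mail.v6 — confirm against the guest config`. `IPv6AcceptRA = false` next to `IPv6SendRA = true` is the right pairing for a link facing a guest that is not fully trusted.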
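Review bot: `iifname $cust accept # trust for now...` in the forward chain lets vm-mail forward to every interface on colony, including the `vms` bridge carrying the other VMs, which the preceding rule only opened in the base→{vms, cust} direction; for a customer-operated host that is wider than its stated purpose needs. Restricting the rule to the uplink keeps the mail VM off the internal bridge without affecting its internet reachability: `iifname $cust oifname base accept`. If east-west access to particular VMs turns out to be needed it can be added per destination instead of by blanket accept, and the "trust for now" comment then has a concrete follow-up.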
@@ -30,7 +30,8 @@
 backend = {
 driver = "file";
 #filename = "${systems.installer.configuration.config.my.buildAs.iso}/iso/nixos-installer-devplayer0.iso";
- filename = "/persist/home/dev/nixos-installer-devplayer0.iso";
+ #filename = "/persist/home/dev/nixos-installer-devplayer0.iso";
+ filename = "/persist/home/dev/debian-12.1.0-amd64-netinst.iso";
 read-only = "on";
 };
 format.driver = "raw";
@@ -197,6 +198,25 @@
 }
 ]);
 };
+
+ mail = {
+ uuid = "fd95fe0f-c204-4dd5-b16f-2b808e14a43a";
+ cpu = "host,topoext";
+ smp = {
+ cpus = 3;
+ threads = 2;
+ };
+ memory = 8192;
+ networks.public = {
+ bridge = null;
+ mac = "52:54:00:a8:d1:03";
+ };
+ cleanShutdown.timeout = 120;
+ drives = [
+ (mkMerge [ (vmLVM "mail" "root") { frontendOpts.bootindex = 0; } ])
+ (vmLVM "mail" "data")
+ ];
+ };
 };
 };
 };
diff --git a/nixos/boxes/colony/vms/estuary/default.nix b/nixos/boxes/colony/vms/estuary/default.nix
index dd41f68..ba08b17 100644
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@@ -315,6 +315,10 @@ in
 Destination = lib.my.colony.prefixes.vip1;
 Gateway = allAssignments.colony.routing.ipv4.address;
 }
+ {
+ Destination = lib.my.colony.prefixes.cust.v6;
+ Gateway = allAssignments.colony.internal.ipv6.address;
+ }
 ] ++ (map (pName: [ {
@@ -364,7 +368,7 @@ in
 server.enable = true;
 firewall = {
- trustedInterfaces = [ "base" "as211024" ];
+ trustedInterfaces = [ "as211024" ];
 udp.allowed = [ 5353 lib.my.kelder.vpn.port ];
 tcp.allowed = [ 5353 "bgp" ];
 nat = {
@@ -409,6 +413,10 @@ in
 define ixps = { frys-ix, nl-ix, fogixp, ifog-transit }
 table inet filter {
+ chain input {
+ iifname base meta l4proto { udp, tcp } th dport domain accept
+ }
+
 chain routing-tcp {
 # Safe enough to allow all SSH
 tcp dport ssh accept
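Review bot: The `backend` block now stacks two commented-out `filename` lines above the live one, so the history of which installer media was used is kept as dead code instead of in git. Either drop the newly commented `#filename = "/persist/home/dev/nixos-installer-devplayer0.iso";` or replace both commented lines with a single comment stating the intent, e.g. `# one-off installer media; swap the path as needed`. The enclosing drive definition starts outside the hunk.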
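Review bot: `networks.public = { bridge = null; ... }` is what pairs this VM with the `90-vm-mail` systemd-network unit added in colony/default.nix (the tap is presumably named from the VM attribute, which is how `matchConfig.Name = "vm-mail"` finds it), and nothing in the definition points the reader there. A comment on that line, e.g. `# unbridged tap; addressed and routed by the 90-vm-mail unit in ../default.nix`, would save the cross-file lookup. The enclosing VM set closes inside the hunk, so the definition is complete as shown.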
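Review bot: Dropping `"base"` from `trustedInterfaces` is a sound tightening, but its only replacement is the `chain input { iifname base meta l4proto { udp, tcp } th dport domain accept }` added in the following hunk (@@ -409), so any other service estuary previously offered colony over base is now implicitly closed, and neither hunk says that is the intent. Suggest a comment above the new input rule such as `# base is no longer trusted: colony gets only DNS from us; anything else must go through tcp/udp.allowed`. This assumes the firewall module's base table supplies the input hook for `chain input` the way it evidently does for `chain forward` — TODO confirm, since a hook-less chain is never evaluated.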
@@ -422,6 +430,9 @@ in
 return
 }
 chain filter-routing {
+ ip daddr ${prefixes.mail.v4} accept
+ ip6 daddr ${prefixes.cust.v6} accept
+
 tcp flags & (fin|syn|rst|ack) == syn ct state new jump routing-tcp
 meta l4proto udp ct state new jump routing-udp
 return
@@ -434,6 +445,7 @@ in
 chain forward {
 iifname { wan, $ixps } oifname base jump filter-routing
 oifname $ixps jump ixp
+ iifname base oifname { wan, $ixps } accept
 oifname { as211024, kelder } accept
 }
 chain output {
diff --git a/nixos/boxes/colony/vms/estuary/dns.nix b/nixos/boxes/colony/vms/estuary/dns.nix
index bba06d9..591a1f8 100644
--- a/nixos/boxes/colony/vms/estuary/dns.nix
+++ b/nixos/boxes/colony/vms/estuary/dns.nix
@@ -214,6 +214,9 @@ in
 valheim IN A ${assignments.internal.ipv4.address}
 valheim IN AAAA ${allAssignments.valheim-oci.internal.ipv6.address}
+ mail-vm IN A ${lib.my.net.cidr.host 0 lib.my.colony.prefixes.mail.v4}
+ mail-vm IN AAAA ${lib.my.net.cidr.host 1 lib.my.colony.prefixes.mail.v6}
+
 andrey-cust IN A ${allAssignments.kelder.estuary.ipv4.address}
 $TTL 3
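Review bot: `ip daddr ${prefixes.mail.v4} accept` and `ip6 daddr ${prefixes.cust.v6} accept` at the top of `filter-routing` bypass the `routing-tcp`/`routing-udp` jumps entirely, so the mail VM's /32 and the whole customer /56 receive every new inbound flow from wan and the IXPs with no filtering on this box. The "trust for now..." comment in colony's forward chain suggests that is the current intent, but nothing here records it, so a later reader may take the exemption for an oversight. Add a comment above the two lines, e.g. `# customer-routed space: no inbound filtering on our side, the customer runs their own firewall`. Any established/related short-circuit for this chain is outside the hunk.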
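Review bot: `iifname base oifname { wan, $ixps } accept` restores, explicitly, the egress that base lost when it was removed from `trustedInterfaces` in @@ -364, and it passes everything colony forwards — now including the customer mail VM's traffic, since colony accepts `iifname $cust`. Outbound mail from a customer host is the abuse case an edge like this is usually asked about, so a counter ahead of the accept gives visibility at no functional cost: `iifname base oifname { wan, $ixps } tcp dport smtp counter`. A comment noting that this rule replaces the old trusted-interface behaviour would also help, as the two hunks are far apart.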
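Review bot: `mail-vm IN AAAA ${lib.my.net.cidr.host 1 lib.my.colony.prefixes.mail.v6}` encodes the assumption that the guest uses `::1` of its /64, and nothing else in the commit assigns that address, so this zone is the only place the expectation lives; the A record merely restates the /32. A zone comment beside the record, e.g. `; mail VM is expected to take ::1 of its /64 — confirm against the guest`, would flag it. If the reverse zones are maintained elsewhere, the matching PTRs for both records belong in the same change, since receivers commonly check them for a mail host.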