nixos/colony: Add mail server

2023-08-26 23:26:19 +01:00
parent 5804b683d4
commit ea03795dca
5 changed files with 74 additions and 3 deletions
--- a/nixos/boxes/colony/vms/default.nix
+++ b/nixos/boxes/colony/vms/default.nix
@@ -30,7 +30,8 @@
      backend = {
        driver = "file";
        #filename = "${systems.installer.configuration.config.my.buildAs.iso}/iso/nixos-installer-devplayer0.iso";
-        filename = "/persist/home/dev/nixos-installer-devplayer0.iso";
+        #filename = "/persist/home/dev/nixos-installer-devplayer0.iso";
+        filename = "/persist/home/dev/debian-12.1.0-amd64-netinst.iso";
        read-only = "on";
      };
      format.driver = "raw";
@@ -197,6 +198,25 @@
              }
            ]);
          };
+
+          mail = {
+            uuid = "fd95fe0f-c204-4dd5-b16f-2b808e14a43a";
+            cpu = "host,topoext";
+            smp = {
+              cpus = 3;
+              threads = 2;
+            };
+            memory = 8192;
+            networks.public = {
+              bridge = null;
+              mac = "52:54:00:a8:d1:03";
+            };
+            cleanShutdown.timeout = 120;
+            drives = [
+              (mkMerge [ (vmLVM "mail" "root") { frontendOpts.bootindex = 0; } ])
+              (vmLVM "mail" "data")
+            ];
+          };
        };
      };
    };
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@@ -315,6 +315,10 @@ in
                          Destination = lib.my.colony.prefixes.vip1;
                          Gateway = allAssignments.colony.routing.ipv4.address;
                        }
+                        {
+                          Destination = lib.my.colony.prefixes.cust.v6;
+                          Gateway = allAssignments.colony.internal.ipv6.address;
+                        }
                      ] ++
                      (map (pName: [
                        {
@@ -364,7 +368,7 @@ in
              server.enable = true;

              firewall = {
-                trustedInterfaces = [ "base" "as211024" ];
+                trustedInterfaces = [ "as211024" ];
                udp.allowed = [ 5353 lib.my.kelder.vpn.port ];
                tcp.allowed = [ 5353 "bgp" ];
                nat = {
@@ -409,6 +413,10 @@ in
                  define ixps = { frys-ix, nl-ix, fogixp, ifog-transit }

                  table inet filter {
+                    chain input {
+                      iifname base meta l4proto { udp, tcp } th dport domain accept
+                    }
+
                    chain routing-tcp {
                      # Safe enough to allow all SSH
                      tcp dport ssh accept
@@ -422,6 +430,9 @@ in
                      return
                    }
                    chain filter-routing {
+                      ip daddr ${prefixes.mail.v4} accept
+                      ip6 daddr ${prefixes.cust.v6} accept
+
                      tcp flags & (fin|syn|rst|ack) == syn ct state new jump routing-tcp
                      meta l4proto udp ct state new jump routing-udp
                      return
@@ -434,6 +445,7 @@ in
                    chain forward {
                      iifname { wan, $ixps } oifname base jump filter-routing
                      oifname $ixps jump ixp
+                      iifname base oifname { wan, $ixps } accept
                      oifname { as211024, kelder } accept
                    }
                    chain output {
--- a/nixos/boxes/colony/vms/estuary/dns.nix
+++ b/nixos/boxes/colony/vms/estuary/dns.nix
@@ -214,6 +214,9 @@ in
            valheim IN A ${assignments.internal.ipv4.address}
            valheim IN AAAA ${allAssignments.valheim-oci.internal.ipv6.address}

+            mail-vm IN A ${lib.my.net.cidr.host 0 lib.my.colony.prefixes.mail.v4}
+            mail-vm IN AAAA ${lib.my.net.cidr.host 1 lib.my.colony.prefixes.mail.v6}
+
            andrey-cust IN A ${allAssignments.kelder.estuary.ipv4.address}

            $TTL 3