Merge commit 'bc90ef66' into flakes

7 files changed, 212 insertions, 46 deletions

diff --git a/hosts/surtr/dns/zones/email.bouncy.soa b/hosts/surtr/dns/zones/email.bouncy.soa
index 40e4b78b..2b319a93 100644
--- a/hosts/surtr/dns/zones/email.bouncy.soa
+++ b/hosts/surtr/dns/zones/email.bouncy.soa
@@ -1,7 +1,7 @@
 $ORIGIN bouncy.email.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
-  2023020101 ; serial
+  2024070901 ; serial
   10800      ; refresh
   3600       ; retry
   604800     ; expire
@@ -41,10 +41,10 @@ mailin			IN	MX	0 mailin.bouncy.email.
 mailin                  IN      TXT     "v=spf1 redirect=bouncy.email"
 _acme-challenge.mailin  IN      NS      ns.yggdrasil.li.
 
-_25._tcp.mailin         IN      TLSA    2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
-_25._tcp.mailin         IN      TLSA    2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270
-_25._tcp.mailin         IN      TLSA    2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
-_25._tcp.mailin         IN      TLSA    2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03
+; _25._tcp.mailin       IN      TLSA    2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
+; _25._tcp.mailin       IN      TLSA    2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270
+; _25._tcp.mailin       IN      TLSA    2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
+; _25._tcp.mailin       IN      TLSA    2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03
 
 mailsub                 IN      A       202.61.241.61
 mailsub                 IN      AAAA    2a03:4000:52:ada::
diff --git a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
index f481090c..00182523 100644
--- a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
+++ b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
@@ -27,20 +27,27 @@ class PolicyHandler(StreamRequestHandler):
         logger.info('Connection parameters: %s', self.args)
 
         allowed = False
-        with self.server.db_pool.connection() as conn:
-            local, domain = self.args['sender'].split(sep='@', maxsplit=1)
-            extension = None
-            if '+' in local:
-                local, extension = local.split(sep='+', maxsplit=1)
-
-            logger.debug('Parsed address: %s', {'local': local, 'extension': extension, 'domain': domain})
-
-            with conn.cursor() as cur:
-                cur.row_factory = namedtuple_row
-                cur.execute('SELECT "mailbox"."mailbox" as "user", "local", "extension", "domain" FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s', params = {'user': self.args['ccert_subject'], 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)
-                for record in cur:
-                    logger.debug('Received result: %s', record)
-                    allowed = True
+        user = None
+        if self.args['sasl_username']:
+            user = self.args['sasl_username']
+        if self.args['ccert_subject']:
+            user = self.args['ccert_subject']
+
+        if user:
+            with self.server.db_pool.connection() as conn:
+                local, domain = self.args['sender'].split(sep='@', maxsplit=1)
+                extension = None
+                if '+' in local:
+                    local, extension = local.split(sep='+', maxsplit=1)
+
+                logger.debug('Parsed address: %s', {'local': local, 'extension': extension, 'domain': domain})
+
+                with conn.cursor() as cur:
+                    cur.row_factory = namedtuple_row
+                    cur.execute('SELECT "mailbox"."mailbox" as "user", "local", "extension", "domain" FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)
+                    for record in cur:
+                        logger.debug('Received result: %s', record)
+                        allowed = True
 
         action = '550 5.7.0 Sender address not authorized for current user'
         if allowed:
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index bb0f6e20..c10f611f 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -32,9 +32,63 @@ let
       });
     };
 
+  nftables-nologin-script = pkgs.writeScript "nftables-mail-nologin" ''
+    #!${pkgs.zsh}/bin/zsh
+
+    set -e
+    export PATH="${lib.makeBinPath (with pkgs; [inetutils nftables])}:$PATH"
+
+    typeset -a as_sets mnt_bys route route6
+    as_sets=(${lib.escapeShellArgs config.services.email.nologin.ASSets})
+    mnt_bys=(${lib.escapeShellArgs config.services.email.nologin.MNTBys})
+
+    for as_set in $as_sets; do
+        while IFS=$'\n' read line; do
+            if [[ "''${line}" =~ "^route:\s+(.+)$" ]]; then
+                route+=($match[1])
+            elif [[ "''${line}" =~ "^route6:\s+(.+)$" ]]; then
+                route6+=($match[1])
+            fi
+        done < <(whois -h whois.radb.net "!i''${as_set},1" | egrep -o 'AS[0-9]+' | xargs -- whois -h whois.radb.net -- -i origin)
+    done
+    for mnt_by in $mnt_bys; do
+        while IFS=$'\n' read line; do
+            if [[ "''${line}" =~ "^route:\s+(.+)$" ]]; then
+                route+=($match[1])
+            elif [[ "''${line}" =~ "^route6:\s+(.+)$" ]]; then
+                route6+=($match[1])
+            fi
+        done < <(whois -h whois.radb.net "!o''${mnt_by}")
+    done
+
+    printf -v elements4 '%s,' "''${route[@]}"
+    elements4=''${elements4%,}
+    printf -v elements6 '%s,' "''${route6[@]}"
+    elements6=''${elements6%,}
+    nft -f - <<EOF
+    flush set inet filter mail_nologin4
+    flush set inet filter mail_nologin6
+    add element inet filter mail_nologin4 {''${elements4}}
+    add element inet filter mail_nologin6 {''${elements6}}
+    EOF
+  '';
+
   spmDomains = ["bouncy.email"];
   emailDomains = spmDomains ++ ["kleen.consulting"];
 in {
+  options = {
+    services.email.nologin = {
+      ASSets = mkOption {
+        type = types.listOf types.str;
+        default = [];
+      };
+      MNTBys = mkOption {
+        type = types.listOf types.str;
+        default = [];
+      };
+    };
+  };
+
   config = {
     nixpkgs.overlays = [
       (final: prev: {
@@ -167,6 +221,7 @@ in {
         maximal_backoff_time = "10m";
         maximal_queue_lifetime = "100m";
         bounce_queue_lifetime = "20m";
+        delay_warning_time = "10m";
 
         smtpd_discard_ehlo_keyword_address_maps = "cidr:${pkgs.writeText "esmtp_access" ''
           # Allow DSN requests from local subnet only
@@ -204,17 +259,15 @@ in {
         postscreen_greet_action = "enforce";
       };
       masterConfig = {
-        smtps = {
+        "465" = {
           type = "inet";
           private = false;
-          command = "smtpd";
+          command = "smtpd -v";
           args = [
             "-o" "smtpd_tls_security_level=encrypt"
             "-o" "{smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}"
             "-o" "{smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}"
             "-o" "smtpd_tls_mandatory_ciphers=high"
-            "-o" "smtpd_tls_dh1024_param_file=${toString config.security.dhparams.params."postfix-smtps-1024".path}"
-            "-o" "smtpd_tls_dh512_param_file=${toString config.security.dhparams.params."postfix-smtps-512".path}"
             "-o" "{tls_eecdh_auto_curves = X25519 X448}"
 
             "-o" "smtpd_tls_wrappermode=yes"
@@ -223,22 +276,52 @@ in {
             "-o" "smtpd_tls_received_header=no"
             "-o" "cleanup_service_name=subcleanup"
             "-o" "smtpd_client_restrictions=permit_tls_all_clientcerts,reject"
-            "-o" "{smtpd_data_restrictions = check_policy_service unix:/run/postfwd3/postfwd3.sock}"
-            "-o" "smtpd_relay_restrictions=permit_tls_all_clientcerts,reject"
             "-o" "{smtpd_sender_restrictions = reject_unknown_sender_domain,reject_unverified_sender,check_policy_service unix:/run/postfix-ccert-sender-policy.sock}"
+            "-o" ''{smtpd_recipient_restrictions=reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,check_recipient_access pgsql:${pkgs.writeText "check_recipient_access.cf" ''
+            hosts = postgresql:///email
+            dbname = email
+            query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s' OR (lookup = regexp_replace('%s', '\+[^@]*@', '@') AND NOT EXISTS (SELECT 1 FROM virtual_mailbox_access WHERE lookup = '%s'))
+          ''},permit_tls_all_clientcerts,reject}''
+            "-o" "smtpd_relay_restrictions=permit_tls_all_clientcerts,reject"
+            "-o" "{smtpd_data_restrictions = check_policy_service unix:/run/postfwd3/postfwd3.sock}"
             "-o" "unverified_sender_reject_code=550"
             "-o" "unverified_sender_reject_reason={Sender address rejected: undeliverable address}"
+            "-o" "milter_macro_daemon_name=surtr.yggdrasil.li"
+            "-o" ''smtpd_milters=${config.services.opendkim.socket}''
+          ];
+        };
+        "466" = {
+          type = "inet";
+          private = false;
+          command = "smtpd -v";
+          args = [
+            "-o" "smtpd_tls_security_level=encrypt"
+
+            "-o" "smtpd_tls_wrappermode=yes"
+            "-o" "smtpd_tls_ask_ccert=no"
+            "-o" "smtpd_tls_req_ccert=no"
+            "-o" "smtpd_sasl_type=dovecot"
+            "-o" "smtpd_sasl_path=/run/dovecot-sasl"
+            "-o" "smtpd_sasl_auth_enable=yes"
+            "-o" "smtpd_tls_received_header=no"
+            "-o" "cleanup_service_name=subcleanup"
+            "-o" "smtpd_client_restrictions=permit_sasl_authenticated,reject"
+            "-o" "{smtpd_sender_restrictions = reject_unknown_sender_domain,reject_unverified_sender,check_policy_service unix:/run/postfix-ccert-sender-policy.sock}"
             "-o" ''{smtpd_recipient_restrictions=reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,check_recipient_access pgsql:${pkgs.writeText "check_recipient_access.cf" ''
             hosts = postgresql:///email
             dbname = email
             query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s' OR (lookup = regexp_replace('%s', '\+[^@]*@', '@') AND NOT EXISTS (SELECT 1 FROM virtual_mailbox_access WHERE lookup = '%s'))
-          ''},permit_tls_all_clientcerts,reject}''
+          ''},permit_sasl_authenticated,reject}''
+            "-o" "smtpd_relay_restrictions=permit_sasl_authenticated,reject"
+            "-o" "{smtpd_data_restrictions = check_policy_service unix:/run/postfwd3/postfwd3.sock}"
+            "-o" "unverified_sender_reject_code=550"
+            "-o" "unverified_sender_reject_reason={Sender address rejected: undeliverable address}"
             "-o" "milter_macro_daemon_name=surtr.yggdrasil.li"
             "-o" ''smtpd_milters=${config.services.opendkim.socket}''
           ];
         };
         subcleanup = {
-          command = "cleanup";
+          command = "cleanup -v";
           private = false;
           maxproc = 0;
           args = [
@@ -256,13 +339,13 @@ in {
         smtp_pass = {
           name = "smtpd";
           type = "pass";
-          command = "smtpd";
+          command = "smtpd -v";
         };
         postscreen = {
           name = "smtp";
           type = "inet";
           private = false;
-          command = "postscreen";
+          command = "postscreen -v";
           maxproc = 1;
         };
         smtp = {};
@@ -417,7 +500,7 @@ in {
         dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" ''
           driver = pgsql
           connect = dbname=email
-          password_query = SELECT NULL as password, 'Y' as nopassword, "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n'
+          password_query = SELECT (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN NULL ELSE "password" END) as password, (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN true WHEN password IS NULL THEN true ELSE NULL END) as nopassword, "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n'
           user_query = SELECT "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n'
           iterate_query = SELECT "user" FROM imap_user
         '';
@@ -449,7 +532,7 @@ in {
 
         auth_ssl_username_from_cert = yes
         ssl_cert_username_field = commonName
-        auth_mechanisms = external
+        auth_mechanisms = plain login external
 
         auth_verbose = yes
         verbose_ssl = yes
@@ -505,6 +588,15 @@ in {
             group = postfix
           }
         }
+        service auth {
+          vsz_limit = 2G
+
+          unix_listener /run/dovecot-sasl {
+            mode = 0600
+            user = postfix
+            group = postfix
+          }
+        }
 
         namespace inbox {
           separator = /
@@ -869,9 +961,13 @@ in {
 
     services.postfwd = {
       enable = true;
+      cache = false;
       rules = ''
-        id=RCPT01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/100/3600/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=100,HIT_RATELIMIT_INTERVAL=3600))
-        id=RCPT02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/1000/86400/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=1000,HIT_RATELIMIT_INTERVAL=86400))
+        id=RCPT_SASL01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; sasl_username!=; action=rcpt(sasl_username/100/3600/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=100,HIT_RATELIMIT_INTERVAL=3600))
+        id=RCPT_SASL02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; sasl_username!=; action=rcpt(sasl_username/1000/86400/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=1000,HIT_RATELIMIT_INTERVAL=86400))
+
+        id=RCPT_CCERT01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; ccert_subject!=; action=rcpt(ccert_subject/100/3600/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=100,HIT_RATELIMIT_INTERVAL=3600))
+        id=RCPT_CCERT02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; ccert_subject!=; action=rcpt(ccert_subject/1000/86400/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=1000,HIT_RATELIMIT_INTERVAL=86400))
 
         id=JUMP_REJECT_RL; HIT_RATELIMIT=="1"; action=jump(REJECT_RL)
 
@@ -880,5 +976,25 @@ in {
         id=REJECT_RL; action=450 4.7.1 Exceeding maximum of $$HIT_RATELIMIT_LIMIT recipients per $$HIT_RATELIMIT_INTERVAL seconds [$$HIT_RATECOUNT]
       '';
     };
+
+    services.email.nologin.MNTBys = ["MICROSOFT-MAINT"];
+    systemd.services.nftables.serviceConfig = {
+      ExecStart = lib.mkAfter [ nftables-nologin-script ];
+      ExecReload = lib.mkAfter [ nftables-nologin-script ];
+    };
+    systemd.services."nftables-mail-nologin" = {
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = nftables-nologin-script;
+      };
+    };
+    systemd.timers."nftables-mail-nologin" = {
+      wantedBy = [ "nftables.service" ];
+
+      timerConfig = {
+        OnActiveSec = "20h";
+        RandomizedDelaySec = "8h";
+      };
+    };
   };
 }
diff --git a/hosts/surtr/postgresql/default.nix b/hosts/surtr/postgresql/default.nix
index f0e42ee8..583e4443 100644
--- a/hosts/surtr/postgresql/default.nix
+++ b/hosts/surtr/postgresql/default.nix
@@ -262,6 +262,20 @@ in {
 
           GRANT DELETE ON "mailbox_mapping" TO "spm";
           COMMIT;
+
+          BEGIN;
+          SELECT _v.register_patch('011-password', ARRAY['000-base'], null);
+
+          ALTER TABLE mailbox ADD COLUMN password text CONSTRAINT password_non_empty CHECK (password IS DISTINCT FROM ''');
+          COMMIT;
+
+          BEGIN;
+          SELECT _v.register_patch('012-imap-password', ARRAY['000-base', '002-citext'], null);
+
+          DROP VIEW imap_user;
+          CREATE VIEW imap_user ("user", "password", quota_rule) AS SELECT mailbox.mailbox AS "user", "password", quota_rule FROM mailbox_quota_rule INNER JOIN mailbox ON mailbox_quota_rule.mailbox = mailbox.mailbox;
+
+          COMMIT;
         ''}
 
         psql etebase postgres -eXf ${pkgs.writeText "etebase.sql" ''
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
index ee72614f..5c2bba7c 100644
--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -86,6 +86,7 @@ table inet filter {
 
   counter established-rx {}
 
+  counter reject-mail-nologin {}
   counter reject-ratelimit-rx {}
   counter reject-rx {}
   counter reject-tcp-rx {}
@@ -114,6 +115,17 @@ table inet filter {
 
   counter tx {}
 
+  set mail_nologin4 {
+    type ipv4_addr
+    flags interval
+    auto-merge
+  }
+  set mail_nologin6 {
+    type ipv6_addr
+    flags interval
+    auto-merge
+  }
+
   chain forward {
     type filter hook forward priority filter
     policy drop
@@ -145,6 +157,14 @@ table inet filter {
     counter name drop-fw
   }
 
+  chain reject_input {
+    limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
+    log level debug prefix "reject input: " counter name reject-rx
+    meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
+    ct state new counter name reject-icmp-rx reject
+
+    counter name drop-rx
+  }
   chain input {
     type filter hook input priority filter
     policy drop
@@ -177,8 +197,11 @@ table inet filter {
     udp dport {3478, 5349} counter name stun-rx accept
     udp dport 49000-50000 counter name turn-rx accept
 
+    tcp dport {465,466,993,4190} ip saddr @mail_nologin4 log prefix "mail nologin: " counter name reject-mail-nologin jump reject_input
+    tcp dport {465,466,993,4190} ip6 saddr @mail_nologin6 log prefix "mail nologin: " counter name reject-mail-nologin jump reject_input
+
     tcp dport 25 counter name smtp-rx accept
-    tcp dport 465 counter name submissions-rx accept
+    tcp dport {465, 466} counter name submissions-rx accept
     tcp dport 993 counter name imaps-rx accept
     tcp dport 4190 counter name managesieve-rx accept
     iifname yggdrasil tcp dport 8432 counter name pgbackrest-rx accept
@@ -186,13 +209,7 @@ table inet filter {
     ct state {established, related} counter name established-rx accept
 
 
-    limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
-    log level debug prefix "reject input: " counter name reject-rx
-    meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
-    ct state new counter name reject-icmp-rx reject
-
-
-    counter name drop-rx
+    jump reject_input
   }
 
   chain output {
@@ -224,7 +241,7 @@ table inet filter {
     udp sport 49000-50000 counter name turn-tx accept
 
     tcp sport 25 counter name smtp-tx accept
-    tcp sport 465 counter name submissions-tx accept
+    tcp sport {465, 466} counter name submissions-tx accept
     tcp sport 993 counter name imaps-tx accept
     tcp sport 4190 counter name managesieve-tx accept
     tcp sport 8432 counter name pgbackrest-tx accept
@@ -232,4 +249,4 @@ table inet filter {
 
     counter name tx
   }
-}
\ No newline at end of file
+}
diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix
index 1d31a6f2..3f7483bd 100644
--- a/hosts/surtr/vpn/default.nix
+++ b/hosts/surtr/vpn/default.nix
@@ -66,6 +66,15 @@ in {
 
         systemd.network = {
           netdevs = {
+            upstream = {
+              netdevConfig = {
+                Name = "upstream";
+                Kind = "ipvlan";
+              };
+              ipvlanConfig = {
+                Mode = "L2";
+              };
+            };
             vpn = {
               netdevConfig = {
                 Name = "vpn";
diff --git a/hosts/surtr/zfs.nix b/hosts/surtr/zfs.nix
index 583ab8e1..17c5cd32 100644
--- a/hosts/surtr/zfs.nix
+++ b/hosts/surtr/zfs.nix
@@ -17,7 +17,7 @@
           fsType = "zfs";
           neededForBoot = true;
         };
-      
+
       "/var/lib/nixos" =
         { device = "surtr/local/var-lib-nixos";
           fsType = "zfs";
@@ -62,10 +62,13 @@
     };
 
     services.zfssnap.enable = true;
-    services.zfs.trim.enable = false;
+    services.zfs.trim = {
+      enable = true;
+      interval = "Sun 16:00:00 Europe/Berlin";
+    };
     services.zfs.autoScrub = {
       enable = true;
-      interval = "Sun *-*-1..7 04:00:00";
+      interval = "Sun *-*-1..7 04:00:00 Europe/Berlin";
     };
     services.zfs.zed.settings = {
       ZED_SYSLOG_SUBCLASS_EXCLUDE = "history_event";