diff options
author | Gregor Kleen <gkleen@yggdrasil.li> | 2024-08-08 11:36:56 +0200 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2024-08-08 11:36:56 +0200 |
commit | 14c880aa5187ad5a0d0cd2e43fec8248f10b3b7e (patch) | |
tree | 4d4acf8bac037eb833497b147d50d16dc6329b65 /hosts | |
parent | 63adb41f1a060c21a68143eb9e86c2790ef66f36 (diff) | |
download | nixos-14c880aa5187ad5a0d0cd2e43fec8248f10b3b7e.tar nixos-14c880aa5187ad5a0d0cd2e43fec8248f10b3b7e.tar.gz nixos-14c880aa5187ad5a0d0cd2e43fec8248f10b3b7e.tar.bz2 nixos-14c880aa5187ad5a0d0cd2e43fec8248f10b3b7e.tar.xz nixos-14c880aa5187ad5a0d0cd2e43fec8248f10b3b7e.zip |
...
Diffstat (limited to 'hosts')
-rw-r--r-- | hosts/surtr/email/default.nix | 4 | ||||
-rw-r--r-- | hosts/surtr/vpn/default.nix | 46 |
2 files changed, 21 insertions, 29 deletions
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 9c3e8849..bb0f6e20 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix | |||
@@ -409,6 +409,10 @@ in { | |||
409 | modules = with pkgs; [ dovecot_pigeonhole dovecot_fts_xapian ]; | 409 | modules = with pkgs; [ dovecot_pigeonhole dovecot_fts_xapian ]; |
410 | mailPlugins.globally.enable = [ "fts" "fts_xapian" ]; | 410 | mailPlugins.globally.enable = [ "fts" "fts_xapian" ]; |
411 | protocols = [ "lmtp" "sieve" ]; | 411 | protocols = [ "lmtp" "sieve" ]; |
412 | sieve = { | ||
413 | extensions = ["copy" "imapsieve" "variables" "imap4flags" "vacation"]; | ||
414 | globalExtensions = ["copy" "imapsieve" "variables" "imap4flags" "vacation"]; | ||
415 | }; | ||
412 | extraConfig = let | 416 | extraConfig = let |
413 | dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" '' | 417 | dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" '' |
414 | driver = pgsql | 418 | driver = pgsql |
diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix index 61a9d544..1d31a6f2 100644 --- a/hosts/surtr/vpn/default.nix +++ b/hosts/surtr/vpn/default.nix | |||
@@ -12,12 +12,25 @@ in { | |||
12 | "net.netfilter.nf_log_all_netns" = true; | 12 | "net.netfilter.nf_log_all_netns" = true; |
13 | }; | 13 | }; |
14 | 14 | ||
15 | networking.namespaces = { | 15 | containers."vpn" = { |
16 | enable = true; | 16 | autoStart = true; |
17 | containers."vpn".config = { | 17 | ephemeral = true; |
18 | additionalCapabilities = [ | ||
19 | "CAP_SYS_TTY_CONFIG" "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_SYS_ADMIN" | ||
20 | ]; | ||
21 | extraFlags = [ | ||
22 | "--load-credential=surtr.priv:/run/credentials/container@vpn.service/surtr.priv" | ||
23 | "--network-ipvlan=ens3:upstream" | ||
24 | ]; | ||
25 | config = { | ||
18 | boot.kernel.sysctl = { | 26 | boot.kernel.sysctl = { |
19 | "net.core.rmem_max" = 4194304; | 27 | "net.core.rmem_max" = 4194304; |
20 | "net.core.wmem_max" = 4194304; | 28 | "net.core.wmem_max" = 4194304; |
29 | |||
30 | "net.ipv6.conf.all.forwarding" = 1; | ||
31 | "net.ipv6.conf.default.forwarding" = 1; | ||
32 | "net.ipv4.conf.all.forwarding" = 1; | ||
33 | "net.ipv4.conf.default.forwarding" = 1; | ||
21 | }; | 34 | }; |
22 | 35 | ||
23 | environment = { | 36 | environment = { |
@@ -125,32 +138,7 @@ in { | |||
125 | }; | 138 | }; |
126 | 139 | ||
127 | systemd.services = { | 140 | systemd.services = { |
128 | "vpn-upstream" = { | 141 | "container@vpn" = { |
129 | bindsTo = ["netns@vpn.service"]; | ||
130 | after = ["netns@vpn.service"]; | ||
131 | serviceConfig = { | ||
132 | Type = "oneshot"; | ||
133 | RemainAfterExit = true; | ||
134 | ExecStop = "${pkgs.iproute2}/bin/ip netns exec vpn ip link delete upstream"; | ||
135 | }; | ||
136 | path = with pkgs; [ iproute2 procps ]; | ||
137 | script = '' | ||
138 | ip netns exec vpn sysctl \ | ||
139 | net.ipv6.conf.all.forwarding=1 \ | ||
140 | net.ipv6.conf.default.forwarding=1 \ | ||
141 | net.ipv4.conf.all.forwarding=1 \ | ||
142 | net.ipv4.conf.default.forwarding=1 | ||
143 | |||
144 | ip link add link ens3 name upstream type ipvlan mode l2 | ||
145 | ip link set upstream netns vpn | ||
146 | ''; | ||
147 | }; | ||
148 | |||
149 | "netns-container@vpn" = { | ||
150 | wantedBy = ["multi-user.target" "network-online.target"]; | ||
151 | after = ["vpn-upstream.service"]; | ||
152 | bindsTo = ["vpn-upstream.service"]; | ||
153 | |||
154 | serviceConfig = { | 142 | serviceConfig = { |
155 | LoadCredential = [ | 143 | LoadCredential = [ |
156 | "surtr.priv:${config.sops.secrets.vpn.path}" | 144 | "surtr.priv:${config.sops.secrets.vpn.path}" |