summaryrefslogtreecommitdiff
path: root/hosts
diff options
context:
space:
mode:
authorGregor Kleen <gkleen@yggdrasil.li>2024-08-08 11:36:56 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2024-08-08 11:36:56 +0200
commit14c880aa5187ad5a0d0cd2e43fec8248f10b3b7e (patch)
tree4d4acf8bac037eb833497b147d50d16dc6329b65 /hosts
parent63adb41f1a060c21a68143eb9e86c2790ef66f36 (diff)
downloadnixos-14c880aa5187ad5a0d0cd2e43fec8248f10b3b7e.tar
nixos-14c880aa5187ad5a0d0cd2e43fec8248f10b3b7e.tar.gz
nixos-14c880aa5187ad5a0d0cd2e43fec8248f10b3b7e.tar.bz2
nixos-14c880aa5187ad5a0d0cd2e43fec8248f10b3b7e.tar.xz
nixos-14c880aa5187ad5a0d0cd2e43fec8248f10b3b7e.zip
...
Diffstat (limited to 'hosts')
-rw-r--r--hosts/surtr/email/default.nix4
-rw-r--r--hosts/surtr/vpn/default.nix46
2 files changed, 21 insertions, 29 deletions
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 9c3e8849..bb0f6e20 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -409,6 +409,10 @@ in {
409 modules = with pkgs; [ dovecot_pigeonhole dovecot_fts_xapian ]; 409 modules = with pkgs; [ dovecot_pigeonhole dovecot_fts_xapian ];
410 mailPlugins.globally.enable = [ "fts" "fts_xapian" ]; 410 mailPlugins.globally.enable = [ "fts" "fts_xapian" ];
411 protocols = [ "lmtp" "sieve" ]; 411 protocols = [ "lmtp" "sieve" ];
412 sieve = {
413 extensions = ["copy" "imapsieve" "variables" "imap4flags" "vacation"];
414 globalExtensions = ["copy" "imapsieve" "variables" "imap4flags" "vacation"];
415 };
412 extraConfig = let 416 extraConfig = let
413 dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" '' 417 dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" ''
414 driver = pgsql 418 driver = pgsql
diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix
index 61a9d544..1d31a6f2 100644
--- a/hosts/surtr/vpn/default.nix
+++ b/hosts/surtr/vpn/default.nix
@@ -12,12 +12,25 @@ in {
12 "net.netfilter.nf_log_all_netns" = true; 12 "net.netfilter.nf_log_all_netns" = true;
13 }; 13 };
14 14
15 networking.namespaces = { 15 containers."vpn" = {
16 enable = true; 16 autoStart = true;
17 containers."vpn".config = { 17 ephemeral = true;
18 additionalCapabilities = [
19 "CAP_SYS_TTY_CONFIG" "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_SYS_ADMIN"
20 ];
21 extraFlags = [
22 "--load-credential=surtr.priv:/run/credentials/container@vpn.service/surtr.priv"
23 "--network-ipvlan=ens3:upstream"
24 ];
25 config = {
18 boot.kernel.sysctl = { 26 boot.kernel.sysctl = {
19 "net.core.rmem_max" = 4194304; 27 "net.core.rmem_max" = 4194304;
20 "net.core.wmem_max" = 4194304; 28 "net.core.wmem_max" = 4194304;
29
30 "net.ipv6.conf.all.forwarding" = 1;
31 "net.ipv6.conf.default.forwarding" = 1;
32 "net.ipv4.conf.all.forwarding" = 1;
33 "net.ipv4.conf.default.forwarding" = 1;
21 }; 34 };
22 35
23 environment = { 36 environment = {
@@ -125,32 +138,7 @@ in {
125 }; 138 };
126 139
127 systemd.services = { 140 systemd.services = {
128 "vpn-upstream" = { 141 "container@vpn" = {
129 bindsTo = ["netns@vpn.service"];
130 after = ["netns@vpn.service"];
131 serviceConfig = {
132 Type = "oneshot";
133 RemainAfterExit = true;
134 ExecStop = "${pkgs.iproute2}/bin/ip netns exec vpn ip link delete upstream";
135 };
136 path = with pkgs; [ iproute2 procps ];
137 script = ''
138 ip netns exec vpn sysctl \
139 net.ipv6.conf.all.forwarding=1 \
140 net.ipv6.conf.default.forwarding=1 \
141 net.ipv4.conf.all.forwarding=1 \
142 net.ipv4.conf.default.forwarding=1
143
144 ip link add link ens3 name upstream type ipvlan mode l2
145 ip link set upstream netns vpn
146 '';
147 };
148
149 "netns-container@vpn" = {
150 wantedBy = ["multi-user.target" "network-online.target"];
151 after = ["vpn-upstream.service"];
152 bindsTo = ["vpn-upstream.service"];
153
154 serviceConfig = { 142 serviceConfig = {
155 LoadCredential = [ 143 LoadCredential = [
156 "surtr.priv:${config.sops.secrets.vpn.path}" 144 "surtr.priv:${config.sops.secrets.vpn.path}"