Diffstat (limited to 'hosts/surtr/email/default.nix')
-rw-r--r--hosts/surtr/email/default.nix58
1 files changed, 58 insertions, 0 deletions
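--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -32,9 +32,47 @@ let
 });
 };
 
+nftables-nologin-script = pkgs.writeScript "nftables-mail-nologin" ''
+#!${pkgs.zsh}/bin/zsh
+
+set -e
+export PATH="${lib.makeBinPath (with pkgs; [inetutils nftables])}:$PATH"
+
+typeset -a as_sets route route6
+as_sets=(${lib.escapeShellArgs config.services.email.nologinASSets})
+
+for as_set in $as_sets; do
+while IFS=$'\n' read line; do
+if [[ "''${line}" =~ "^route:\s+(.+)$" ]]; then
+route+=($match[1])
+elif [[ "''${line}" =~ "^route6:\s+(.+)$" ]]; then
+route6+=($match[1])
+fi
+done < <(whois -h whois.radb.net "!i''${as_set},1" | egrep -o 'AS[0-9]+' | xargs -- whois -h whois.radb.net -- -i origin)
+done
+
+printf -v elements4 '%s,' "''${route[@]}"
+elements4=''${elements4%,}
+printf -v elements6 '%s,' "''${route6[@]}"
+elements6=''${elements6%,}
+nft -f - <<EOF
+flush set inet filter mail_nologin4
+flush set inet filter mail_nologin6
+add element inet filter mail_nologin4 {''${elements4}}
+add element inet filter mail_nologin6 {''${elements6}}
+EOF
+'';
+
 spmDomains = ["bouncy.email"];
 emailDomains = spmDomains ++ ["kleen.consulting"];
 in {
+options = {
+services.email.nologinASSets = mkOption {
+type = types.listOf types.str;
+default = [];
+};
+};
+
 config = {
 nixpkgs.overlays = [
 (final: prev: {
@@ -918,5 +956,25 @@ in {
 id=REJECT_RL; action=450 4.7.1 Exceeding maximum of $$HIT_RATELIMIT_LIMIT recipients per $$HIT_RATELIMIT_INTERVAL seconds [$$HIT_RATECOUNT]
 '';
 };
+
+services.email.nologinASSets = ["AS-MICROSOFT"];
+systemd.services.nftables.serviceConfig = {
+ExecStart = lib.mkAfter [ nftables-nologin-script ];
+ExecReload = lib.mkAfter [ nftables-nologin-script ];
+};
+systemd.services."nftables-mail-nologin" = {
+serviceConfig = {
+Type = "oneshot";
+ExecStart = nftables-nologin-script;
+};
+};
+systemd.timers."nftables-mail-nologin" = {
+wantedBy = [ "nftables.service" ];
+
+timerConfig = {
+OnActiveSec = "20h";
+RandomizedDelaySec = "8h";
+};
+};
 };
 }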
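Review bot: In the first hunk, whatever RADB returns after `route:`/`route6:` is captured with `(.+)` and spliced verbatim into the `nft -f -` heredoc, so any unexpected or malformed whois line lands in the live ruleset unchecked; tightening the captures to prefix syntax, `"^route:\s+([0-9.]+/[0-9]+)$"` and `"^route6:\s+([0-9a-fA-F:]+/[0-9]+)$"`, keeps everything else out of the set. `set -e` without `-o pipefail` also means a failing `whois` inside the process substitution is not treated as an error: both arrays stay empty and the sets are flushed and reloaded with `{}`, which (if nft accepts the empty element list) silently removes the whole block list, a fail-open that is likely to happen in practice because the script is appended to nftables.service's `ExecStart` and may run before the network is up. `set -e -o pipefail` plus a guard that exits non-zero when both arrays are empty would leave the previous set contents in place instead. In the second hunk the timer only has `OnActiveSec` and `RandomizedDelaySec`; unless something outside this diff makes it repeat, it appears to fire once about 20h after activation rather than periodically, so an `OnUnitActiveSec` may be what was intended.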