Diffstat (limited to 'hosts/surtr')
-rw-r--r--hosts/surtr/dns/zones/email.bouncy.soa10
-rw-r--r--hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py35
-rw-r--r--hosts/surtr/email/default.nix144
-rw-r--r--hosts/surtr/postgresql/default.nix14
-rw-r--r--hosts/surtr/ruleset.nft37
-rw-r--r--hosts/surtr/vpn/default.nix9
-rw-r--r--hosts/surtr/zfs.nix9
7 files changed, 212 insertions, 46 deletions
diff --git a/hosts/surtr/dns/zones/email.bouncy.soa b/hosts/surtr/dns/zones/email.bouncy.soa
index 40e4b78b..2b319a93 100644
--- a/hosts/surtr/dns/zones/email.bouncy.soa
+++ b/hosts/surtr/dns/zones/email.bouncy.soa
@@ -1,7 +1,7 @@
1$ORIGIN bouncy.email. 1$ORIGIN bouncy.email.
2$TTL 3600 2$TTL 3600
3@ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li ( 3@ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li (
4 2023020101 ; serial 4 2024070901 ; serial
5 10800 ; refresh 5 10800 ; refresh
6 3600 ; retry 6 3600 ; retry
7 604800 ; expire 7 604800 ; expire
@@ -41,10 +41,10 @@ mailin IN MX 0 mailin.bouncy.email.
41mailin IN TXT "v=spf1 redirect=bouncy.email" 41mailin IN TXT "v=spf1 redirect=bouncy.email"
42_acme-challenge.mailin IN NS ns.yggdrasil.li. 42_acme-challenge.mailin IN NS ns.yggdrasil.li.
43 43
44_25._tcp.mailin IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10 44; _25._tcp.mailin IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
45_25._tcp.mailin IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270 45; _25._tcp.mailin IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270
46_25._tcp.mailin IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d 46; _25._tcp.mailin IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
47_25._tcp.mailin IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03 47; _25._tcp.mailin IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03
48 48
49mailsub IN A 202.61.241.61 49mailsub IN A 202.61.241.61
50mailsub IN AAAA 2a03:4000:52:ada:: 50mailsub IN AAAA 2a03:4000:52:ada::
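Review bot: Commenting out all four `_25._tcp.mailin` TLSA records (old lines 44–47) withdraws DANE for inbound SMTP on mailin, so sending MTAs that authenticate via TLSA (Postfix `smtp_tls_security_level = dane`) silently fall back to opportunistic, unauthenticated TLS; if this zone is DNSSEC-signed that is a genuine downgrade of the published policy. If this is a temporary measure while the certificate or key is rotated, say so in the zone, e.g. `; TLSA withdrawn 2024-07-09: key rotation pending, re-publish matching hashes before re-enabling DANE`; if the records are permanently obsolete, delete them rather than keeping stale SPKI hashes that a later uncomment would republish unchanged. With `$TTL 3600` resolvers may keep serving the old records for up to an hour after the serial bump.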
diff --git a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
index f481090c..00182523 100644
--- a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
+++ b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
@@ -27,20 +27,27 @@ class PolicyHandler(StreamRequestHandler):
27 logger.info('Connection parameters: %s', self.args) 27 logger.info('Connection parameters: %s', self.args)
28 28
29 allowed = False 29 allowed = False
30 with self.server.db_pool.connection() as conn: 30 user = None
31 local, domain = self.args['sender'].split(sep='@', maxsplit=1) 31 if self.args['sasl_username']:
32 extension = None 32 user = self.args['sasl_username']
33 if '+' in local: 33 if self.args['ccert_subject']:
34 local, extension = local.split(sep='+', maxsplit=1) 34 user = self.args['ccert_subject']
35 35
36 logger.debug('Parsed address: %s', {'local': local, 'extension': extension, 'domain': domain}) 36 if user:
37 37 with self.server.db_pool.connection() as conn:
38 with conn.cursor() as cur: 38 local, domain = self.args['sender'].split(sep='@', maxsplit=1)
39 cur.row_factory = namedtuple_row 39 extension = None
40 cur.execute('SELECT "mailbox"."mailbox" as "user", "local", "extension", "domain" FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s', params = {'user': self.args['ccert_subject'], 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True) 40 if '+' in local:
41 for record in cur: 41 local, extension = local.split(sep='+', maxsplit=1)
42 logger.debug('Received result: %s', record) 42
43 allowed = True 43 logger.debug('Parsed address: %s', {'local': local, 'extension': extension, 'domain': domain})
44
45 with conn.cursor() as cur:
46 cur.row_factory = namedtuple_row
47 cur.execute('SELECT "mailbox"."mailbox" as "user", "local", "extension", "domain" FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)
48 for record in cur:
49 logger.debug('Received result: %s', record)
50 allowed = True
44 51
45 action = '550 5.7.0 Sender address not authorized for current user' 52 action = '550 5.7.0 Sender address not authorized for current user'
46 if allowed: 53 if allowed:
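Review bot: The identity selection on new lines 30–34 lets `ccert_subject` silently overwrite `sasl_username` when Postfix supplies both, and `self.args['sasl_username']` raises KeyError if a policy request ever omits the attribute; `user = self.args.get('ccert_subject') or self.args.get('sasl_username')` expresses the same precedence in one line and tolerates a missing key. If the two identities can legitimately disagree (a client cert for one mailbox, a SASL login for another), it is safer to reject the request than to pick one. `self.args['sender'].split(sep='@', maxsplit=1)` on new line 38 still raises ValueError for a sender without `@` (the null sender `<>` arrives as an empty string), which surfaces to Postfix as a policy-service failure rather than the 550 below; the handler method continues outside the hunk.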
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index bb0f6e20..c10f611f 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -32,9 +32,63 @@ let
32 }); 32 });
33 }; 33 };
34 34
35 nftables-nologin-script = pkgs.writeScript "nftables-mail-nologin" ''
36 #!${pkgs.zsh}/bin/zsh
37
38 set -e
39 export PATH="${lib.makeBinPath (with pkgs; [inetutils nftables])}:$PATH"
40
41 typeset -a as_sets mnt_bys route route6
42 as_sets=(${lib.escapeShellArgs config.services.email.nologin.ASSets})
43 mnt_bys=(${lib.escapeShellArgs config.services.email.nologin.MNTBys})
44
45 for as_set in $as_sets; do
46 while IFS=$'\n' read line; do
47 if [[ "''${line}" =~ "^route:\s+(.+)$" ]]; then
48 route+=($match[1])
49 elif [[ "''${line}" =~ "^route6:\s+(.+)$" ]]; then
50 route6+=($match[1])
51 fi
52 done < <(whois -h whois.radb.net "!i''${as_set},1" | egrep -o 'AS[0-9]+' | xargs -- whois -h whois.radb.net -- -i origin)
53 done
54 for mnt_by in $mnt_bys; do
55 while IFS=$'\n' read line; do
56 if [[ "''${line}" =~ "^route:\s+(.+)$" ]]; then
57 route+=($match[1])
58 elif [[ "''${line}" =~ "^route6:\s+(.+)$" ]]; then
59 route6+=($match[1])
60 fi
61 done < <(whois -h whois.radb.net "!o''${mnt_by}")
62 done
63
64 printf -v elements4 '%s,' "''${route[@]}"
65 elements4=''${elements4%,}
66 printf -v elements6 '%s,' "''${route6[@]}"
67 elements6=''${elements6%,}
68 nft -f - <<EOF
69 flush set inet filter mail_nologin4
70 flush set inet filter mail_nologin6
71 add element inet filter mail_nologin4 {''${elements4}}
72 add element inet filter mail_nologin6 {''${elements6}}
73 EOF
74 '';
75
35 spmDomains = ["bouncy.email"]; 76 spmDomains = ["bouncy.email"];
36 emailDomains = spmDomains ++ ["kleen.consulting"]; 77 emailDomains = spmDomains ++ ["kleen.consulting"];
37in { 78in {
79 options = {
80 services.email.nologin = {
81 ASSets = mkOption {
82 type = types.listOf types.str;
83 default = [];
84 };
85 MNTBys = mkOption {
86 type = types.listOf types.str;
87 default = [];
88 };
89 };
90 };
91
38 config = { 92 config = {
39 nixpkgs.overlays = [ 93 nixpkgs.overlays = [
40 (final: prev: { 94 (final: prev: {
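Review bot: The whois output is trusted verbatim: whatever follows `route:`/`route6:` on new lines 47–50 and 56–59 is appended to `route`/`route6` and spliced into the `nft -f -` heredoc on lines 71–72 without validation, so a crafted RADB object or an on-path tamperer (whois is plain, unauthenticated TCP/43) could close the `{…}` element list and append arbitrary ruleset commands, or simply break the transaction. Each value should be checked against a strict CIDR shape before it is accepted, and the script should refuse to flush the sets when nothing was resolved — `set -e` does not see failures inside the `<(…)` process substitutions, and `add element … {}` with an empty list aborts the whole `nft -f` transaction. A helper along these lines keeps both loops small; the `options` block and the surrounding `let` are unchanged.
```nix
    add_route() {
      # Accept only plain IPv4/IPv6 prefixes; anything else from RADB is untrusted text
      if [[ "$1" == "route" && "$2" =~ "^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$" ]]; then
        route+=("$2")
      elif [[ "$1" == "route6" && "$2" =~ "^[0-9a-fA-F:]+/[0-9]{1,3}$" ]]; then
        route6+=("$2")
      else
        printf 'nftables-mail-nologin: ignoring unexpected %s object: %s\n' "$1" "$2" >&2
      fi
    }

    # … unchanged: as_sets / mnt_bys loops; each regex branch now calls the helper …
        add_route route "$match[1]"
        add_route route6 "$match[1]"

    if (( ''${#route} == 0 && ''${#route6} == 0 )); then
      echo 'nftables-mail-nologin: no prefixes resolved, leaving sets untouched' >&2
      exit 1
    fi
    # … unchanged: printf -v elements4/elements6 and the nft -f heredoc …
```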
@@ -167,6 +221,7 @@ in {
167 maximal_backoff_time = "10m"; 221 maximal_backoff_time = "10m";
168 maximal_queue_lifetime = "100m"; 222 maximal_queue_lifetime = "100m";
169 bounce_queue_lifetime = "20m"; 223 bounce_queue_lifetime = "20m";
224 delay_warning_time = "10m";
170 225
171 smtpd_discard_ehlo_keyword_address_maps = "cidr:${pkgs.writeText "esmtp_access" '' 226 smtpd_discard_ehlo_keyword_address_maps = "cidr:${pkgs.writeText "esmtp_access" ''
172 # Allow DSN requests from local subnet only 227 # Allow DSN requests from local subnet only
@@ -204,17 +259,15 @@ in {
204 postscreen_greet_action = "enforce"; 259 postscreen_greet_action = "enforce";
205 }; 260 };
206 masterConfig = { 261 masterConfig = {
207 smtps = { 262 "465" = {
208 type = "inet"; 263 type = "inet";
209 private = false; 264 private = false;
210 command = "smtpd"; 265 command = "smtpd -v";
211 args = [ 266 args = [
212 "-o" "smtpd_tls_security_level=encrypt" 267 "-o" "smtpd_tls_security_level=encrypt"
213 "-o" "{smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}" 268 "-o" "{smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}"
214 "-o" "{smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}" 269 "-o" "{smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}"
215 "-o" "smtpd_tls_mandatory_ciphers=high" 270 "-o" "smtpd_tls_mandatory_ciphers=high"
216 "-o" "smtpd_tls_dh1024_param_file=${toString config.security.dhparams.params."postfix-smtps-1024".path}"
217 "-o" "smtpd_tls_dh512_param_file=${toString config.security.dhparams.params."postfix-smtps-512".path}"
218 "-o" "{tls_eecdh_auto_curves = X25519 X448}" 271 "-o" "{tls_eecdh_auto_curves = X25519 X448}"
219 272
220 "-o" "smtpd_tls_wrappermode=yes" 273 "-o" "smtpd_tls_wrappermode=yes"
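Review bot: `command = "smtpd -v"` on new line 265 turns on Postfix verbose logging for every session on the production submissions port, which writes the full SMTP dialogue and TLS negotiation to the log per connection; it is a debugging switch and should go back to `command = "smtpd";` before this is deployed, or be scoped to specific clients via `debug_peer_list` instead. Dropping the `smtpd_tls_dh1024_param_file`/`dh512_param_file` overrides is harmless here because the service pins TLS 1.3 (`!TLSv1.2` in both protocol lists), where finite-field DH parameters are never used.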
@@ -223,22 +276,52 @@ in {
223 "-o" "smtpd_tls_received_header=no" 276 "-o" "smtpd_tls_received_header=no"
224 "-o" "cleanup_service_name=subcleanup" 277 "-o" "cleanup_service_name=subcleanup"
225 "-o" "smtpd_client_restrictions=permit_tls_all_clientcerts,reject" 278 "-o" "smtpd_client_restrictions=permit_tls_all_clientcerts,reject"
226 "-o" "{smtpd_data_restrictions = check_policy_service unix:/run/postfwd3/postfwd3.sock}"
227 "-o" "smtpd_relay_restrictions=permit_tls_all_clientcerts,reject"
228 "-o" "{smtpd_sender_restrictions = reject_unknown_sender_domain,reject_unverified_sender,check_policy_service unix:/run/postfix-ccert-sender-policy.sock}" 279 "-o" "{smtpd_sender_restrictions = reject_unknown_sender_domain,reject_unverified_sender,check_policy_service unix:/run/postfix-ccert-sender-policy.sock}"
280 "-o" ''{smtpd_recipient_restrictions=reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,check_recipient_access pgsql:${pkgs.writeText "check_recipient_access.cf" ''
281 hosts = postgresql:///email
282 dbname = email
283 query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s' OR (lookup = regexp_replace('%s', '\+[^@]*@', '@') AND NOT EXISTS (SELECT 1 FROM virtual_mailbox_access WHERE lookup = '%s'))
284 ''},permit_tls_all_clientcerts,reject}''
285 "-o" "smtpd_relay_restrictions=permit_tls_all_clientcerts,reject"
286 "-o" "{smtpd_data_restrictions = check_policy_service unix:/run/postfwd3/postfwd3.sock}"
229 "-o" "unverified_sender_reject_code=550" 287 "-o" "unverified_sender_reject_code=550"
230 "-o" "unverified_sender_reject_reason={Sender address rejected: undeliverable address}" 288 "-o" "unverified_sender_reject_reason={Sender address rejected: undeliverable address}"
289 "-o" "milter_macro_daemon_name=surtr.yggdrasil.li"
290 "-o" ''smtpd_milters=${config.services.opendkim.socket}''
291 ];
292 };
293 "466" = {
294 type = "inet";
295 private = false;
296 command = "smtpd -v";
297 args = [
298 "-o" "smtpd_tls_security_level=encrypt"
299
300 "-o" "smtpd_tls_wrappermode=yes"
301 "-o" "smtpd_tls_ask_ccert=no"
302 "-o" "smtpd_tls_req_ccert=no"
303 "-o" "smtpd_sasl_type=dovecot"
304 "-o" "smtpd_sasl_path=/run/dovecot-sasl"
305 "-o" "smtpd_sasl_auth_enable=yes"
306 "-o" "smtpd_tls_received_header=no"
307 "-o" "cleanup_service_name=subcleanup"
308 "-o" "smtpd_client_restrictions=permit_sasl_authenticated,reject"
309 "-o" "{smtpd_sender_restrictions = reject_unknown_sender_domain,reject_unverified_sender,check_policy_service unix:/run/postfix-ccert-sender-policy.sock}"
231 "-o" ''{smtpd_recipient_restrictions=reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,check_recipient_access pgsql:${pkgs.writeText "check_recipient_access.cf" '' 310 "-o" ''{smtpd_recipient_restrictions=reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,check_recipient_access pgsql:${pkgs.writeText "check_recipient_access.cf" ''
232 hosts = postgresql:///email 311 hosts = postgresql:///email
233 dbname = email 312 dbname = email
234 query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s' OR (lookup = regexp_replace('%s', '\+[^@]*@', '@') AND NOT EXISTS (SELECT 1 FROM virtual_mailbox_access WHERE lookup = '%s')) 313 query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s' OR (lookup = regexp_replace('%s', '\+[^@]*@', '@') AND NOT EXISTS (SELECT 1 FROM virtual_mailbox_access WHERE lookup = '%s'))
235 ''},permit_tls_all_clientcerts,reject}'' 314 ''},permit_sasl_authenticated,reject}''
315 "-o" "smtpd_relay_restrictions=permit_sasl_authenticated,reject"
316 "-o" "{smtpd_data_restrictions = check_policy_service unix:/run/postfwd3/postfwd3.sock}"
317 "-o" "unverified_sender_reject_code=550"
318 "-o" "unverified_sender_reject_reason={Sender address rejected: undeliverable address}"
236 "-o" "milter_macro_daemon_name=surtr.yggdrasil.li" 319 "-o" "milter_macro_daemon_name=surtr.yggdrasil.li"
237 "-o" ''smtpd_milters=${config.services.opendkim.socket}'' 320 "-o" ''smtpd_milters=${config.services.opendkim.socket}''
238 ]; 321 ];
239 }; 322 };
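Review bot: The new `"466"` service (new lines 293–322) enables SASL PLAIN/LOGIN but runs `smtpd -v`; Postfix's verbose chat logging writes each client command line to the log, and for `AUTH PLAIN <initial-response>` that line carries the base64-encoded username and password, so credentials end up in the journal. Use `command = "smtpd";` here as well. Separately, unlike the 465 block this service sets no `smtpd_tls_mandatory_protocols`, `smtpd_tls_protocols`, `smtpd_tls_mandatory_ciphers` or `tls_eecdh_auto_curves` overrides, so it inherits whatever main.cf (not visible here) allows — if the intent is the same TLS 1.3-only policy as 465, copy those four `-o` lines into the 466 args.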
240 subcleanup = { 323 subcleanup = {
241 command = "cleanup"; 324 command = "cleanup -v";
242 private = false; 325 private = false;
243 maxproc = 0; 326 maxproc = 0;
244 args = [ 327 args = [
@@ -256,13 +339,13 @@ in {
256 smtp_pass = { 339 smtp_pass = {
257 name = "smtpd"; 340 name = "smtpd";
258 type = "pass"; 341 type = "pass";
259 command = "smtpd"; 342 command = "smtpd -v";
260 }; 343 };
261 postscreen = { 344 postscreen = {
262 name = "smtp"; 345 name = "smtp";
263 type = "inet"; 346 type = "inet";
264 private = false; 347 private = false;
265 command = "postscreen"; 348 command = "postscreen -v";
266 maxproc = 1; 349 maxproc = 1;
267 }; 350 };
268 smtp = {}; 351 smtp = {};
@@ -417,7 +500,7 @@ in {
417 dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" '' 500 dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" ''
418 driver = pgsql 501 driver = pgsql
419 connect = dbname=email 502 connect = dbname=email
420 password_query = SELECT NULL as password, 'Y' as nopassword, "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n' 503 password_query = SELECT (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN NULL ELSE "password" END) as password, (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN true WHEN password IS NULL THEN true ELSE NULL END) as nopassword, "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n'
421 user_query = SELECT "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n' 504 user_query = SELECT "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n'
422 iterate_query = SELECT "user" FROM imap_user 505 iterate_query = SELECT "user" FROM imap_user
423 ''; 506 '';
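Review bot: The new `password_query` on line 503 returns `nopassword = true` whenever `password IS NULL`, regardless of mechanism; Dovecot's `nopassword` extra field tells the passdb to accept any password, and because the `mailbox.password` column is introduced nullable with no values, every existing mailbox becomes log-in-with-any-password over PLAIN/LOGIN as soon as `auth_mechanisms` includes them. Drop that branch so a NULL password only satisfies the client-cert path: `password_query = SELECT (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN NULL ELSE "password" END) as password, (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN true ELSE NULL END) as nopassword, "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n'` — a NULL password with no `nopassword` is then an authentication failure. The query also does not say which password scheme is stored; if `default_pass_scheme` is not set elsewhere, store `{SCHEME}`-prefixed hashes rather than relying on the default.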
@@ -449,7 +532,7 @@ in {
449 532
450 auth_ssl_username_from_cert = yes 533 auth_ssl_username_from_cert = yes
451 ssl_cert_username_field = commonName 534 ssl_cert_username_field = commonName
452 auth_mechanisms = external 535 auth_mechanisms = plain login external
453 536
454 auth_verbose = yes 537 auth_verbose = yes
455 verbose_ssl = yes 538 verbose_ssl = yes
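Review bot: `auth_mechanisms = plain login external` on line 535 adds the non-standard `login` mechanism, which only legacy Outlook/Outlook Express clients need; unless such a client exists, `auth_mechanisms = plain external` keeps the surface smaller. As far as the visible config shows both cleartext mechanisms are only reachable inside TLS, which is fine, but with `auth_verbose = yes` and `verbose_ssl = yes` already on, make sure `auth_debug_passwords` is not enabled anywhere so failed PLAIN attempts do not log the supplied password.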
@@ -505,6 +588,15 @@ in {
505 group = postfix 588 group = postfix
506 } 589 }
507 } 590 }
591 service auth {
592 vsz_limit = 2G
593
594 unix_listener /run/dovecot-sasl {
595 mode = 0600
596 user = postfix
597 group = postfix
598 }
599 }
508 600
509 namespace inbox { 601 namespace inbox {
510 separator = / 602 separator = /
@@ -869,9 +961,13 @@ in {
869 961
870 services.postfwd = { 962 services.postfwd = {
871 enable = true; 963 enable = true;
964 cache = false;
872 rules = '' 965 rules = ''
873 id=RCPT01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/100/3600/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=100,HIT_RATELIMIT_INTERVAL=3600)) 966 id=RCPT_SASL01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; sasl_username!=; action=rcpt(sasl_username/100/3600/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=100,HIT_RATELIMIT_INTERVAL=3600))
874 id=RCPT02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/1000/86400/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=1000,HIT_RATELIMIT_INTERVAL=86400)) 967 id=RCPT_SASL02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; sasl_username!=; action=rcpt(sasl_username/1000/86400/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=1000,HIT_RATELIMIT_INTERVAL=86400))
968
969 id=RCPT_CCERT01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; ccert_subject!=; action=rcpt(ccert_subject/100/3600/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=100,HIT_RATELIMIT_INTERVAL=3600))
970 id=RCPT_CCERT02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; ccert_subject!=; action=rcpt(ccert_subject/1000/86400/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=1000,HIT_RATELIMIT_INTERVAL=86400))
875 971
876 id=JUMP_REJECT_RL; HIT_RATELIMIT=="1"; action=jump(REJECT_RL) 972 id=JUMP_REJECT_RL; HIT_RATELIMIT=="1"; action=jump(REJECT_RL)
877 973
@@ -880,5 +976,25 @@ in {
880 id=REJECT_RL; action=450 4.7.1 Exceeding maximum of $$HIT_RATELIMIT_LIMIT recipients per $$HIT_RATELIMIT_INTERVAL seconds [$$HIT_RATECOUNT] 976 id=REJECT_RL; action=450 4.7.1 Exceeding maximum of $$HIT_RATELIMIT_LIMIT recipients per $$HIT_RATELIMIT_INTERVAL seconds [$$HIT_RATECOUNT]
881 ''; 977 '';
882 }; 978 };
979
980 services.email.nologin.MNTBys = ["MICROSOFT-MAINT"];
981 systemd.services.nftables.serviceConfig = {
982 ExecStart = lib.mkAfter [ nftables-nologin-script ];
983 ExecReload = lib.mkAfter [ nftables-nologin-script ];
984 };
985 systemd.services."nftables-mail-nologin" = {
986 serviceConfig = {
987 Type = "oneshot";
988 ExecStart = nftables-nologin-script;
989 };
990 };
991 systemd.timers."nftables-mail-nologin" = {
992 wantedBy = [ "nftables.service" ];
993
994 timerConfig = {
995 OnActiveSec = "20h";
996 RandomizedDelaySec = "8h";
997 };
998 };
883 }; 999 };
884} 1000}
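Review bot: Hooking `nftables-nologin-script` into `nftables.service`'s `ExecStart` (new line 982) makes the firewall unit depend on a live whois lookup: on NixOS nftables.service is ordered before `network-pre.target`, so at boot the lookup is likely to fail, and because the hook is not prefixed with `-` that failure leaves nftables.service in a failed state (the base ruleset from the first ExecStart stays loaded; the sets just stay empty). Prefer `after = [ "network-online.target" ]` on `nftables-mail-nologin.service` and let the timer drive it, keeping only the ExecReload hook so a manual reload still refreshes the sets. The timer is also not periodic: `OnActiveSec` fires once, 20–28 h after the timer unit is activated; a recurring refresh needs `OnBootSec = "15min"; OnUnitActiveSec = "20h"; RandomizedDelaySec = "8h";`.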
diff --git a/hosts/surtr/postgresql/default.nix b/hosts/surtr/postgresql/default.nix
index f0e42ee8..583e4443 100644
--- a/hosts/surtr/postgresql/default.nix
+++ b/hosts/surtr/postgresql/default.nix
@@ -262,6 +262,20 @@ in {
262 262
263 GRANT DELETE ON "mailbox_mapping" TO "spm"; 263 GRANT DELETE ON "mailbox_mapping" TO "spm";
264 COMMIT; 264 COMMIT;
265
266 BEGIN;
267 SELECT _v.register_patch('011-password', ARRAY['000-base'], null);
268
269 ALTER TABLE mailbox ADD COLUMN password text CONSTRAINT password_non_empty CHECK (password IS DISTINCT FROM ''');
270 COMMIT;
271
272 BEGIN;
273 SELECT _v.register_patch('012-imap-password', ARRAY['000-base', '002-citext'], null);
274
275 DROP VIEW imap_user;
276 CREATE VIEW imap_user ("user", "password", quota_rule) AS SELECT mailbox.mailbox AS "user", "password", quota_rule FROM mailbox_quota_rule INNER JOIN mailbox ON mailbox_quota_rule.mailbox = mailbox.mailbox;
277
278 COMMIT;
265 ''} 279 ''}
266 280
267 psql etebase postgres -eXf ${pkgs.writeText "etebase.sql" '' 281 psql etebase postgres -eXf ${pkgs.writeText "etebase.sql" ''
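Review bot: Patch 012 drops and recreates `imap_user` (new lines 275–276); `DROP VIEW` discards the view's privileges and `CREATE VIEW` does not restore them, so any `GRANT SELECT ON imap_user` made by an earlier patch (not visible here) is gone after this migration and Dovecot's lookups will fail until it is re-granted — add the `GRANT` to patch 012 right after the `CREATE VIEW`. Patch 011 adds `password` as a nullable text column whose only constraint rejects the empty string; every existing mailbox therefore gets NULL, so consumers must treat NULL as "password login disabled" rather than "no password needed", and the expected format should be documented on the column, e.g. `COMMENT ON COLUMN mailbox.password IS 'Dovecot {SCHEME}hash; NULL disables password login';`.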
diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft
index ee72614f..5c2bba7c 100644
--- a/hosts/surtr/ruleset.nft
+++ b/hosts/surtr/ruleset.nft
@@ -86,6 +86,7 @@ table inet filter {
86 86
87 counter established-rx {} 87 counter established-rx {}
88 88
89 counter reject-mail-nologin {}
89 counter reject-ratelimit-rx {} 90 counter reject-ratelimit-rx {}
90 counter reject-rx {} 91 counter reject-rx {}
91 counter reject-tcp-rx {} 92 counter reject-tcp-rx {}
@@ -114,6 +115,17 @@ table inet filter {
114 115
115 counter tx {} 116 counter tx {}
116 117
118 set mail_nologin4 {
119 type ipv4_addr
120 flags interval
121 auto-merge
122 }
123 set mail_nologin6 {
124 type ipv6_addr
125 flags interval
126 auto-merge
127 }
128
117 chain forward { 129 chain forward {
118 type filter hook forward priority filter 130 type filter hook forward priority filter
119 policy drop 131 policy drop
@@ -145,6 +157,14 @@ table inet filter {
145 counter name drop-fw 157 counter name drop-fw
146 } 158 }
147 159
160 chain reject_input {
161 limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop
162 log level debug prefix "reject input: " counter name reject-rx
163 meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
164 ct state new counter name reject-icmp-rx reject
165
166 counter name drop-rx
167 }
148 chain input { 168 chain input {
149 type filter hook input priority filter 169 type filter hook input priority filter
150 policy drop 170 policy drop
@@ -177,8 +197,11 @@ table inet filter {
177 udp dport {3478, 5349} counter name stun-rx accept 197 udp dport {3478, 5349} counter name stun-rx accept
178 udp dport 49000-50000 counter name turn-rx accept 198 udp dport 49000-50000 counter name turn-rx accept
179 199
200 tcp dport {465,466,993,4190} ip saddr @mail_nologin4 log prefix "mail nologin: " counter name reject-mail-nologin jump reject_input
201 tcp dport {465,466,993,4190} ip6 saddr @mail_nologin6 log prefix "mail nologin: " counter name reject-mail-nologin jump reject_input
202
180 tcp dport 25 counter name smtp-rx accept 203 tcp dport 25 counter name smtp-rx accept
181 tcp dport 465 counter name submissions-rx accept 204 tcp dport {465, 466} counter name submissions-rx accept
182 tcp dport 993 counter name imaps-rx accept 205 tcp dport 993 counter name imaps-rx accept
183 tcp dport 4190 counter name managesieve-rx accept 206 tcp dport 4190 counter name managesieve-rx accept
184 iifname yggdrasil tcp dport 8432 counter name pgbackrest-rx accept 207 iifname yggdrasil tcp dport 8432 counter name pgbackrest-rx accept
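Review bot: The two `mail_nologin` rules on new lines 200–201 log every matching packet unconditionally, while all other reject logging in this table goes through the `lim_reject` named limit; a single host in one of the listed (very large) prefixes can therefore flood the log at line rate with `mail nologin:` entries. Split logging from the verdict and rate-limit it, keeping the counter on the verdict rule: `tcp dport {465,466,993,4190} ip saddr @mail_nologin4 ct state new limit name lim_reject log prefix "mail nologin: "` followed by `tcp dport {465,466,993,4190} ip saddr @mail_nologin4 counter name reject-mail-nologin jump reject_input` (same pair for `ip6 saddr @mail_nologin6`). Matching only `ct state new` on the log line also avoids one entry per retransmitted segment.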
@@ -186,13 +209,7 @@ table inet filter {
186 ct state {established, related} counter name established-rx accept 209 ct state {established, related} counter name established-rx accept
187 210
188 211
189 limit name lim_reject log level debug prefix "drop input: " counter name reject-ratelimit-rx drop 212 jump reject_input
190 log level debug prefix "reject input: " counter name reject-rx
191 meta l4proto tcp ct state new counter name reject-tcp-rx reject with tcp reset
192 ct state new counter name reject-icmp-rx reject
193
194
195 counter name drop-rx
196 } 213 }
197 214
198 chain output { 215 chain output {
@@ -224,7 +241,7 @@ table inet filter {
224 udp sport 49000-50000 counter name turn-tx accept 241 udp sport 49000-50000 counter name turn-tx accept
225 242
226 tcp sport 25 counter name smtp-tx accept 243 tcp sport 25 counter name smtp-tx accept
227 tcp sport 465 counter name submissions-tx accept 244 tcp sport {465, 466} counter name submissions-tx accept
228 tcp sport 993 counter name imaps-tx accept 245 tcp sport 993 counter name imaps-tx accept
229 tcp sport 4190 counter name managesieve-tx accept 246 tcp sport 4190 counter name managesieve-tx accept
230 tcp sport 8432 counter name pgbackrest-tx accept 247 tcp sport 8432 counter name pgbackrest-tx accept
@@ -232,4 +249,4 @@ table inet filter {
232 249
233 counter name tx 250 counter name tx
234 } 251 }
235} \ No newline at end of file 252}
diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix
index 1d31a6f2..3f7483bd 100644
--- a/hosts/surtr/vpn/default.nix
+++ b/hosts/surtr/vpn/default.nix
@@ -66,6 +66,15 @@ in {
66 66
67 systemd.network = { 67 systemd.network = {
68 netdevs = { 68 netdevs = {
69 upstream = {
70 netdevConfig = {
71 Name = "upstream";
72 Kind = "ipvlan";
73 };
74 ipvlanConfig = {
75 Mode = "L2";
76 };
77 };
69 vpn = { 78 vpn = {
70 netdevConfig = { 79 netdevConfig = {
71 Name = "vpn"; 80 Name = "vpn";
diff --git a/hosts/surtr/zfs.nix b/hosts/surtr/zfs.nix
index 583ab8e1..17c5cd32 100644
--- a/hosts/surtr/zfs.nix
+++ b/hosts/surtr/zfs.nix
@@ -17,7 +17,7 @@
17 fsType = "zfs"; 17 fsType = "zfs";
18 neededForBoot = true; 18 neededForBoot = true;
19 }; 19 };
20 20
21 "/var/lib/nixos" = 21 "/var/lib/nixos" =
22 { device = "surtr/local/var-lib-nixos"; 22 { device = "surtr/local/var-lib-nixos";
23 fsType = "zfs"; 23 fsType = "zfs";
@@ -62,10 +62,13 @@
62 }; 62 };
63 63
64 services.zfssnap.enable = true; 64 services.zfssnap.enable = true;
65 services.zfs.trim.enable = false; 65 services.zfs.trim = {
66 enable = true;
67 interval = "Sun 16:00:00 Europe/Berlin";
68 };
66 services.zfs.autoScrub = { 69 services.zfs.autoScrub = {
67 enable = true; 70 enable = true;
68 interval = "Sun *-*-1..7 04:00:00"; 71 interval = "Sun *-*-1..7 04:00:00 Europe/Berlin";
69 }; 72 };
70 services.zfs.zed.settings = { 73 services.zfs.zed.settings = {
71 ZED_SYSLOG_SUBCLASS_EXCLUDE = "history_event"; 74 ZED_SYSLOG_SUBCLASS_EXCLUDE = "history_event";