diff options
Diffstat (limited to 'hosts')
| -rw-r--r-- | hosts/surtr/email/default.nix | 4 | ||||
| -rw-r--r-- | hosts/surtr/vpn/default.nix | 46 |
2 files changed, 21 insertions, 29 deletions
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 9c3e8849..bb0f6e20 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix | |||
| @@ -409,6 +409,10 @@ in { | |||
| 409 | modules = with pkgs; [ dovecot_pigeonhole dovecot_fts_xapian ]; | 409 | modules = with pkgs; [ dovecot_pigeonhole dovecot_fts_xapian ]; |
| 410 | mailPlugins.globally.enable = [ "fts" "fts_xapian" ]; | 410 | mailPlugins.globally.enable = [ "fts" "fts_xapian" ]; |
| 411 | protocols = [ "lmtp" "sieve" ]; | 411 | protocols = [ "lmtp" "sieve" ]; |
| 412 | sieve = { | ||
| 413 | extensions = ["copy" "imapsieve" "variables" "imap4flags" "vacation"]; | ||
| 414 | globalExtensions = ["copy" "imapsieve" "variables" "imap4flags" "vacation"]; | ||
| 415 | }; | ||
| 412 | extraConfig = let | 416 | extraConfig = let |
| 413 | dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" '' | 417 | dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" '' |
| 414 | driver = pgsql | 418 | driver = pgsql |
diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix index 61a9d544..1d31a6f2 100644 --- a/hosts/surtr/vpn/default.nix +++ b/hosts/surtr/vpn/default.nix | |||
| @@ -12,12 +12,25 @@ in { | |||
| 12 | "net.netfilter.nf_log_all_netns" = true; | 12 | "net.netfilter.nf_log_all_netns" = true; |
| 13 | }; | 13 | }; |
| 14 | 14 | ||
| 15 | networking.namespaces = { | 15 | containers."vpn" = { |
| 16 | enable = true; | 16 | autoStart = true; |
| 17 | containers."vpn".config = { | 17 | ephemeral = true; |
| 18 | additionalCapabilities = [ | ||
| 19 | "CAP_SYS_TTY_CONFIG" "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_SYS_ADMIN" | ||
| 20 | ]; | ||
| 21 | extraFlags = [ | ||
| 22 | "--load-credential=surtr.priv:/run/credentials/container@vpn.service/surtr.priv" | ||
| 23 | "--network-ipvlan=ens3:upstream" | ||
| 24 | ]; | ||
| 25 | config = { | ||
| 18 | boot.kernel.sysctl = { | 26 | boot.kernel.sysctl = { |
| 19 | "net.core.rmem_max" = 4194304; | 27 | "net.core.rmem_max" = 4194304; |
| 20 | "net.core.wmem_max" = 4194304; | 28 | "net.core.wmem_max" = 4194304; |
| 29 | |||
| 30 | "net.ipv6.conf.all.forwarding" = 1; | ||
| 31 | "net.ipv6.conf.default.forwarding" = 1; | ||
| 32 | "net.ipv4.conf.all.forwarding" = 1; | ||
| 33 | "net.ipv4.conf.default.forwarding" = 1; | ||
| 21 | }; | 34 | }; |
| 22 | 35 | ||
| 23 | environment = { | 36 | environment = { |
| @@ -125,32 +138,7 @@ in { | |||
| 125 | }; | 138 | }; |
| 126 | 139 | ||
| 127 | systemd.services = { | 140 | systemd.services = { |
| 128 | "vpn-upstream" = { | 141 | "container@vpn" = { |
| 129 | bindsTo = ["netns@vpn.service"]; | ||
| 130 | after = ["netns@vpn.service"]; | ||
| 131 | serviceConfig = { | ||
| 132 | Type = "oneshot"; | ||
| 133 | RemainAfterExit = true; | ||
| 134 | ExecStop = "${pkgs.iproute2}/bin/ip netns exec vpn ip link delete upstream"; | ||
| 135 | }; | ||
| 136 | path = with pkgs; [ iproute2 procps ]; | ||
| 137 | script = '' | ||
| 138 | ip netns exec vpn sysctl \ | ||
| 139 | net.ipv6.conf.all.forwarding=1 \ | ||
| 140 | net.ipv6.conf.default.forwarding=1 \ | ||
| 141 | net.ipv4.conf.all.forwarding=1 \ | ||
| 142 | net.ipv4.conf.default.forwarding=1 | ||
| 143 | |||
| 144 | ip link add link ens3 name upstream type ipvlan mode l2 | ||
| 145 | ip link set upstream netns vpn | ||
| 146 | ''; | ||
| 147 | }; | ||
| 148 | |||
| 149 | "netns-container@vpn" = { | ||
| 150 | wantedBy = ["multi-user.target" "network-online.target"]; | ||
| 151 | after = ["vpn-upstream.service"]; | ||
| 152 | bindsTo = ["vpn-upstream.service"]; | ||
| 153 | |||
| 154 | serviceConfig = { | 142 | serviceConfig = { |
| 155 | LoadCredential = [ | 143 | LoadCredential = [ |
| 156 | "surtr.priv:${config.sops.secrets.vpn.path}" | 144 | "surtr.priv:${config.sops.secrets.vpn.path}" |