From 329de92b6e00f1af9925f56a4fc6da14087802e5 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sat, 25 May 2024 20:37:25 +0200 Subject: tkleen --- .../ccert_policy_server/__main__.py | 35 +++++++------ hosts/surtr/email/default.nix | 57 ++++++++++++++++++---- hosts/surtr/postgresql/default.nix | 14 ++++++ hosts/surtr/ruleset.nft | 6 +-- 4 files changed, 85 insertions(+), 27 deletions(-) (limited to 'hosts/surtr') diff --git a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py index f481090c..00182523 100644 --- a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py +++ b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py 
@@ -27,20 +27,27 @@ class PolicyHandler(StreamRequestHandler): logger.info('Connection parameters: %s', self.args) allowed = False - with self.server.db_pool.connection() as conn: - local, domain = self.args['sender'].split(sep='@', maxsplit=1) - extension = None - if '+' in local: - local, extension = local.split(sep='+', maxsplit=1) - - logger.debug('Parsed address: %s', {'local': local, 'extension': extension, 'domain': domain}) - - with conn.cursor() as cur: - cur.row_factory = namedtuple_row - cur.execute('SELECT "mailbox"."mailbox" as "user", "local", "extension", "domain" FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s', params = {'user': self.args['ccert_subject'], 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True) - for record in cur: - logger.debug('Received result: %s', record) - allowed = True + user = None + if self.args['sasl_username']: + user = self.args['sasl_username'] + if self.args['ccert_subject']: + user = self.args['ccert_subject'] + + if user: + with self.server.db_pool.connection() as conn: + local, domain = self.args['sender'].split(sep='@', maxsplit=1) + extension = None + if '+' in local: + local, extension = local.split(sep='+', maxsplit=1) + + logger.debug('Parsed address: %s', {'local': local, 'extension': extension, 'domain': domain}) + + with conn.cursor() as cur: + cur.row_factory = namedtuple_row + cur.execute('SELECT "mailbox"."mailbox" as "user", "local", "extension", "domain" FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s', params = {'user': user, 'local': local, 
'extension': extension if extension is not None else '', 'domain': domain}, prepare=True) + for record in cur: + logger.debug('Received result: %s', record) + allowed = True action = '550 5.7.0 Sender address not authorized for current user' if allowed: diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 9c3e8849..66c39e8f 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix @@ -204,17 +204,15 @@ in { postscreen_greet_action = "enforce"; }; masterConfig = { - smtps = { + "465" = { type = "inet"; private = false; - command = "smtpd"; + command = "smtpd -v"; args = [ "-o" "smtpd_tls_security_level=encrypt" "-o" "{smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}" "-o" "{smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}" "-o" "smtpd_tls_mandatory_ciphers=high" - "-o" "smtpd_tls_dh1024_param_file=${toString config.security.dhparams.params."postfix-smtps-1024".path}" - "-o" "smtpd_tls_dh512_param_file=${toString config.security.dhparams.params."postfix-smtps-512".path}" "-o" "{tls_eecdh_auto_curves = X25519 X448}" "-o" "smtpd_tls_wrappermode=yes" 
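Review bot: The new `user` selection indexes `self.args['sasl_username']` and `self.args['ccert_subject']` directly, and the unchanged `local, domain = self.args['sender'].split(sep='@', maxsplit=1)` still unpacks without checking for an `@`, so a missing attribute or an empty/bare sender raises inside the handler instead of producing a policy reply (Postfix would then see the connection drop and defer; worth confirming). The precedence — certificate subject overriding the SASL name when both are set — is only implied by assignment order and deserves a comment, e.g. `# ccert_subject wins over sasl_username; on the SASL port smtpd_tls_ask_ccert=no keeps it empty`. Two lines cover both concerns with the same precedence: `user = self.args.get('ccert_subject') or self.args.get('sasl_username')` and `if user and '@' in self.args.get('sender', ''):`. The method this hunk edits starts before the hunk.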
@@ -223,16 +221,46 @@ in { "-o" "smtpd_tls_received_header=no" "-o" "cleanup_service_name=subcleanup" "-o" "smtpd_client_restrictions=permit_tls_all_clientcerts,reject" - "-o" "{smtpd_data_restrictions = check_policy_service unix:/run/postfwd3/postfwd3.sock}" - "-o" "smtpd_relay_restrictions=permit_tls_all_clientcerts,reject" "-o" "{smtpd_sender_restrictions = reject_unknown_sender_domain,reject_unverified_sender,check_policy_service unix:/run/postfix-ccert-sender-policy.sock}" + "-o" ''{smtpd_recipient_restrictions=reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,check_recipient_access pgsql:${pkgs.writeText "check_recipient_access.cf" '' + hosts = postgresql:///email + dbname = email + query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s' OR (lookup = regexp_replace('%s', '\+[^@]*@', '@') AND NOT EXISTS (SELECT 1 FROM virtual_mailbox_access WHERE lookup = '%s')) + ''},permit_tls_all_clientcerts,reject}'' + "-o" "smtpd_relay_restrictions=permit_tls_all_clientcerts,reject" + "-o" "{smtpd_data_restrictions = check_policy_service unix:/run/postfwd3/postfwd3.sock}" "-o" "unverified_sender_reject_code=550" "-o" "unverified_sender_reject_reason={Sender address rejected: undeliverable address}" + "-o" "milter_macro_daemon_name=surtr.yggdrasil.li" + "-o" ''smtpd_milters=${config.services.opendkim.socket}'' + ]; + }; + "466" = { + type = "inet"; + private = false; + command = "smtpd -v"; + args = [ + "-o" "smtpd_tls_security_level=encrypt" + + "-o" "smtpd_tls_wrappermode=yes" + "-o" "smtpd_tls_ask_ccert=no" + "-o" "smtpd_tls_req_ccert=no" + "-o" "smtpd_sasl_type=dovecot" + "-o" "smtpd_sasl_path=/run/dovecot-sasl" + "-o" "smtpd_sasl_auth_enable=yes" + "-o" "smtpd_tls_received_header=no" + "-o" "cleanup_service_name=subcleanup" + "-o" "smtpd_client_restrictions=permit_sasl_authenticated,reject" + "-o" "{smtpd_sender_restrictions = reject_unknown_sender_domain,reject_unverified_sender,check_policy_service 
unix:/run/postfix-ccert-sender-policy.sock}" "-o" ''{smtpd_recipient_restrictions=reject_unauth_pipelining,reject_non_fqdn_recipient,reject_unknown_recipient_domain,check_recipient_access pgsql:${pkgs.writeText "check_recipient_access.cf" '' hosts = postgresql:///email dbname = email query = SELECT action FROM virtual_mailbox_access WHERE lookup = '%s' OR (lookup = regexp_replace('%s', '\+[^@]*@', '@') AND NOT EXISTS (SELECT 1 FROM virtual_mailbox_access WHERE lookup = '%s')) - ''},permit_tls_all_clientcerts,reject}'' + ''},permit_sasl_authenticated,reject}'' + "-o" "smtpd_relay_restrictions=permit_sasl_authenticated,reject" + "-o" "{smtpd_data_restrictions = check_policy_service unix:/run/postfwd3/postfwd3.sock}" + "-o" "unverified_sender_reject_code=550" + "-o" "unverified_sender_reject_reason={Sender address rejected: undeliverable address}" "-o" "milter_macro_daemon_name=surtr.yggdrasil.li" "-o" ''smtpd_milters=${config.services.opendkim.socket}'' ]; @@ -256,7 +284,7 @@ in { smtp_pass = { name = "smtpd"; type = "pass"; - command = "smtpd"; + command = "smtpd -v"; }; postscreen = { name = "smtp"; @@ -413,7 +441,7 @@ in { dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" '' driver = pgsql connect = dbname=email - password_query = SELECT NULL as password, 'Y' as nopassword, "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n' + password_query = SELECT (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN NULL ELSE "password" END) as password, (CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN true WHEN password IS NULL THEN true ELSE NULL END) as nopassword, "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n' user_query = SELECT "user", quota_rule, 'dovecot2' as uid, 'dovecot2' as gid FROM imap_user WHERE "user" = '%n' iterate_query = SELECT "user" FROM imap_user ''; 
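Review bot: `command = "smtpd -v"` on the new `"466"` service turns on Postfix's verbose protocol chat logging for a port whose whole purpose is `AUTH PLAIN`/`LOGIN`; unless smtpd redacts the AUTH line in that mode (I do not believe it does), the base64-encoded credentials of every login land in the journal. The service also omits the `smtpd_tls_mandatory_protocols`/`smtpd_tls_protocols` overrides that pin `"465"` to TLS 1.3, so it inherits whatever main.cf sets, which is outside this diff. I would revert to `command = "smtpd";` and copy `"-o" "{smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}"` and `"-o" "{smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2}"` into the `"466"` args. The `masterConfig` attribute set continues outside the hunk.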
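Review bot: The new `password_query` returns `nopassword = true` whenever the mailbox's `password` column is NULL regardless of mechanism (`WHEN password IS NULL THEN true`); if Dovecot's `nopassword` means what its passdb docs say — skip password verification entirely — then every mailbox that has not been given a password (presumably all of them right after patch `011-password` adds the empty column) accepts any password over the newly enabled `plain`/`login` mechanisms. Only the client-certificate path should skip verification: `(CASE WHEN '%k' = 'valid' AND '%m' = 'EXTERNAL' THEN true ELSE NULL END) as nopassword`, so a NULL password with PLAIN/LOGIN simply fails. A comment next to the query stating which hash scheme the `password` column holds (a `{ARGON2ID}`/`{BLF-CRYPT}` prefix or a `default_pass_scheme` setting) would also help, since neither is visible here.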
@@ -445,7 +473,7 @@ in { auth_ssl_username_from_cert = yes ssl_cert_username_field = commonName - auth_mechanisms = external + auth_mechanisms = plain login external auth_verbose = yes verbose_ssl = yes @@ -501,6 +529,15 @@ in { group = postfix } } + service auth { + vsz_limit = 2G + + unix_listener /run/dovecot-sasl { + mode = 0600 + user = postfix + group = postfix + } + } namespace inbox { separator = / diff --git a/hosts/surtr/postgresql/default.nix b/hosts/surtr/postgresql/default.nix index f0e42ee8..583e4443 100644 --- a/hosts/surtr/postgresql/default.nix +++ b/hosts/surtr/postgresql/default.nix @@ -262,6 +262,20 @@ in { GRANT DELETE ON "mailbox_mapping" TO "spm"; COMMIT; + + BEGIN; + SELECT _v.register_patch('011-password', ARRAY['000-base'], null); + + ALTER TABLE mailbox ADD COLUMN password text CONSTRAINT password_non_empty CHECK (password IS DISTINCT FROM '''); + COMMIT; + + BEGIN; + SELECT _v.register_patch('012-imap-password', ARRAY['000-base', '002-citext'], null); + + DROP VIEW imap_user; + CREATE VIEW imap_user ("user", "password", quota_rule) AS SELECT mailbox.mailbox AS "user", "password", quota_rule FROM mailbox_quota_rule INNER JOIN mailbox ON mailbox_quota_rule.mailbox = mailbox.mailbox; + + COMMIT; ''} psql etebase postgres -eXf ${pkgs.writeText "etebase.sql" '' diff --git a/hosts/surtr/ruleset.nft b/hosts/surtr/ruleset.nft index ee72614f..14fc9b79 100644 --- a/hosts/surtr/ruleset.nft +++ b/hosts/surtr/ruleset.nft @@ -178,7 +178,7 @@ table inet filter { udp dport 49000-50000 counter name turn-rx accept tcp dport 25 counter name smtp-rx accept - tcp dport 465 counter name submissions-rx accept + tcp dport {465, 466} counter name submissions-rx accept tcp dport 993 counter name imaps-rx accept tcp dport 4190 counter name managesieve-rx accept iifname yggdrasil tcp dport 8432 counter name pgbackrest-rx accept 
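Review bot: Patch `012-imap-password` rebuilds `imap_user` on top of the `password` column that patch `011-password` adds, yet its `register_patch` requirements list only `['000-base', '002-citext']`, so the dependency tracker would let 012 run without 011 and fail on the missing column; it should read `SELECT _v.register_patch('012-imap-password', ARRAY['000-base', '002-citext', '011-password'], null);`. `DROP VIEW imap_user` also discards every GRANT on the view, so whichever role Dovecot connects as loses SELECT unless it is re-granted in the same transaction — the original grant is outside this hunk, so I cannot confirm it is handled. Finally, `password text` with only a non-empty check happily stores plaintext; a schema-level guard such as `CHECK (password IS NULL OR password LIKE '{%}%')` would enforce that only scheme-prefixed hashes are written. The SQL string continues outside the hunk.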
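Review bot: Folding port 466 into `tcp dport {465, 466}` reuses the `submissions-rx` counter for a non-IANA port that the email module binds to SASL submission, so the two services can no longer be told apart in `nft list counters`; a separate rule such as `tcp dport 466 counter name submissions-sasl-rx accept` (with a matching `-tx` rule in the next hunk) keeps per-service visibility. The new named counter would also need declaring alongside the others, which are outside this hunk. A short comment naming what 466 is would help too, since nothing in the ruleset says so.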
@@ -224,7 +224,7 @@ table inet filter { udp sport 49000-50000 counter name turn-tx accept tcp sport 25 counter name smtp-tx accept - tcp sport 465 counter name submissions-tx accept + tcp sport {465, 466} counter name submissions-tx accept tcp sport 993 counter name imaps-tx accept tcp sport 4190 counter name managesieve-tx accept tcp sport 8432 counter name pgbackrest-tx accept @@ -232,4 +232,4 @@ table inet filter { counter name tx } -} \ No newline at end of file +} -- cgit v1.2.3 From de2521348c54e73c5260a15bd2d7eb214df24c60 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 26 May 2024 12:08:43 +0200 Subject: ... --- hosts/surtr/email/default.nix | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'hosts/surtr') diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 66c39e8f..4d75dfae 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix 
@@ -902,9 +902,13 @@ in { services.postfwd = { enable = true; + cache = false; rules = '' - id=RCPT01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/100/3600/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=100,HIT_RATELIMIT_INTERVAL=3600)) - id=RCPT02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; action=rcpt(ccert_subject/1000/86400/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=1000,HIT_RATELIMIT_INTERVAL=86400)) + id=RCPT_SASL01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; sasl_username!=; action=rcpt(sasl_username/100/3600/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=100,HIT_RATELIMIT_INTERVAL=3600)) + id=RCPT_SASL02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; sasl_username!=; action=rcpt(sasl_username/1000/86400/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=1000,HIT_RATELIMIT_INTERVAL=86400)) + + id=RCPT_CCERT01; protocol_state=DATA; protocol_state=END-OF-MESSAGE; ccert_subject!=; action=rcpt(ccert_subject/100/3600/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=100,HIT_RATELIMIT_INTERVAL=3600)) + id=RCPT_CCERT02; protocol_state=DATA; protocol_state=END-OF-MESSAGE; ccert_subject!=; action=rcpt(ccert_subject/1000/86400/set(HIT_RATELIMIT=1,HIT_RATECOUNT=$$ratecount,HIT_RATELIMIT_LIMIT=1000,HIT_RATELIMIT_INTERVAL=86400)) id=JUMP_REJECT_RL; HIT_RATELIMIT=="1"; action=jump(REJECT_RL) -- cgit v1.2.3 From 94e07ef75250bf3567790d5b16cb76abf42f8746 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 2 Jun 2024 12:06:40 +0200 Subject: ... --- hosts/surtr/email/default.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'hosts/surtr') diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 4d75dfae..a9491007 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix 
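Review bot: Splitting the recipient rate limit into `sasl_username`-keyed and `ccert_subject`-keyed rules gives one account two independent budgets, because the sender policy server in this series resolves both identifiers to the same `mailbox.mailbox` row: a client that submits over 465 with its certificate and over 466 with its password gets 200 recipients per hour and 2000 per day instead of 100/1000. postfwd cannot key one `rcpt()` on whichever of two attributes is set, so if the budget is meant per mailbox the options are to halve each pair of limits or to enforce the limit in the policy server that already knows the mailbox. I am also assuming `sasl_username!=;` is parsed by postfwd as a not-empty test; a comment such as `# sasl_username!= matches any non-empty SASL login` would make that explicit.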
@@ -167,6 +167,7 @@ in { maximal_backoff_time = "10m"; maximal_queue_lifetime = "100m"; bounce_queue_lifetime = "20m"; + delay_warning_time = "10m"; smtpd_discard_ehlo_keyword_address_maps = "cidr:${pkgs.writeText "esmtp_access" '' # Allow DSN requests from local subnet only -- cgit v1.2.3 From d521ae2d5d765f1047f437ecc7af140178b4c0e1 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 2 Jun 2024 12:29:17 +0200 Subject: ... --- hosts/surtr/email/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'hosts/surtr') diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index a9491007..057e29f3 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix @@ -267,7 +267,7 @@ in { ]; }; subcleanup = { - command = "cleanup"; + command = "cleanup -v"; private = false; maxproc = 0; args = [ @@ -291,7 +291,7 @@ in { name = "smtp"; type = "inet"; private = false; - command = "postscreen"; + command = "postscreen -v"; maxproc = 1; }; smtp = {}; -- cgit v1.2.3 From c2a1e00b26b7e65305a36aa817a311ecbd2d831c Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Tue, 11 Jun 2024 10:05:16 +0200 Subject: email nologin by as-set --- hosts/surtr/email/default.nix | 58 +++++++++++++++++++++++++++++++++++++++++++ hosts/surtr/ruleset.nft | 31 +++++++++++++++++------ 2 files changed, 82 insertions(+), 7 deletions(-) (limited to 'hosts/surtr') diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 057e29f3..23ac8aa1 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix 
@@ -32,9 +32,47 @@ let }); }; + nftables-nologin-script = pkgs.writeScript "nftables-mail-nologin" '' + #!${pkgs.zsh}/bin/zsh + + set -e + export PATH="${lib.makeBinPath (with pkgs; [inetutils nftables])}:$PATH" + + typeset -a as_sets route route6 + as_sets=(${lib.escapeShellArgs config.services.email.nologinASSets}) + + for as_set in $as_sets; do + while IFS=$'\n' read line; do + if [[ "''${line}" =~ "^route:\s+(.+)$" ]]; then + route+=($match[1]) + elif [[ "''${line}" =~ "^route6:\s+(.+)$" ]]; then + route6+=($match[1]) + fi + done < <(whois -h whois.radb.net "!i''${as_set},1" | egrep -o 'AS[0-9]+' | xargs -- whois -h whois.radb.net -- -i origin) + done + + printf -v elements4 '%s,' "''${route[@]}" + elements4=''${elements4%,} + printf -v elements6 '%s,' "''${route6[@]}" + elements6=''${elements6%,} + nft -f - < Date: Tue, 11 Jun 2024 10:49:39 +0200 Subject: ... --- hosts/surtr/email/default.nix | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) (limited to 'hosts/surtr') diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix index 23ac8aa1..bd72b10e 100644 --- a/hosts/surtr/email/default.nix +++ b/hosts/surtr/email/default.nix @@ -38,8 +38,9 @@ let set -e export PATH="${lib.makeBinPath (with pkgs; [inetutils nftables])}:$PATH" - typeset -a as_sets route route6 - as_sets=(${lib.escapeShellArgs config.services.email.nologinASSets}) + typeset -a as_sets mnt_bys route route6 + as_sets=(${lib.escapeShellArgs config.services.email.nologin.ASSets}) + mnt_bys=(${lib.escapeShellArgs config.services.email.nologin.MNTBys}) for as_set in $as_sets; do while IFS=$'\n' read line; do 
@@ -50,6 +51,15 @@ let fi done < <(whois -h whois.radb.net "!i''${as_set},1" | egrep -o 'AS[0-9]+' | xargs -- whois -h whois.radb.net -- -i origin) done + for mnt_by in $mnt_bys; do + while IFS=$'\n' read line; do + if [[ "''${line}" =~ "^route:\s+(.+)$" ]]; then + route+=($match[1]) + elif [[ "''${line}" =~ "^route6:\s+(.+)$" ]]; then + route6+=($match[1]) + fi + done < <(whois -h whois.radb.net "!o''${mnt_by}") + done printf -v elements4 '%s,' "''${route[@]}" elements4=''${elements4%,} @@ -67,9 +77,15 @@ let emailDomains = spmDomains ++ ["kleen.consulting"]; in { options = { - services.email.nologinASSets = mkOption { - type = types.listOf types.str; - default = []; + services.email.nologin = { + ASSets = mkOption { + type = types.listOf types.str; + default = []; + }; + MNTBys = mkOption { + type = types.listOf types.str; + default = []; + }; }; }; @@ -957,7 +973,7 @@ in { ''; }; - services.email.nologinASSets = ["AS-MICROSOFT"]; + services.email.nologin.MNTBys = ["MICROSOFT-MAINT"]; systemd.services.nftables.serviceConfig = { ExecStart = lib.mkAfter [ nftables-nologin-script ]; ExecReload = lib.mkAfter [ nftables-nologin-script ]; -- cgit v1.2.3 From 7850385f9b285d31d79d26d82ab8a858839d29ea Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Tue, 11 Jun 2024 11:37:04 +0200 Subject: ... --- hosts/surtr/zfs.nix | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'hosts/surtr') diff --git a/hosts/surtr/zfs.nix b/hosts/surtr/zfs.nix index 583ab8e1..17c5cd32 100644 --- a/hosts/surtr/zfs.nix +++ b/hosts/surtr/zfs.nix @@ -17,7 +17,7 @@ fsType = "zfs"; neededForBoot = true; }; - + "/var/lib/nixos" = { device = "surtr/local/var-lib-nixos"; fsType = "zfs"; 
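Review bot: The `route:`/`route6:` captures from `whois -h whois.radb.net "!o${mnt_by}"` go straight into the nft set elements without any check that they are CIDR prefixes, so one unexpected object in RADB (unauthenticated data maintained by third parties) makes `nft -f -` reject the generated file, and under `set -e` the script — appended to nftables' `ExecStart` in the later `@@ -957` hunk — fails the firewall unit. Tightening the capture groups validates for free: `"^route:\s+([0-9.]+/[0-9]+)$"` and `"^route6:\s+([0-9a-fA-F:]+/[0-9]+)$"`, so a malformed entry is skipped rather than breaking the reload. The loop body is also a verbatim copy of the `as_set` loop above it; a small function taking the whois query would remove the duplication. The script continues outside the hunk.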
@@ -62,10 +62,13 @@ }; services.zfssnap.enable = true; - services.zfs.trim.enable = false; + services.zfs.trim = { + enable = true; + interval = "Sun 16:00:00 Europe/Berlin"; + }; services.zfs.autoScrub = { enable = true; - interval = "Sun *-*-1..7 04:00:00"; + interval = "Sun *-*-1..7 04:00:00 Europe/Berlin"; }; services.zfs.zed.settings = { ZED_SYSLOG_SUBCLASS_EXCLUDE = "history_event"; -- cgit v1.2.3 From e4e7651887bca1179348c4303a319f2f3e339942 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sat, 22 Jun 2024 21:09:58 +0200 Subject: surtr: fix vpn --- hosts/surtr/vpn/default.nix | 59 ++++++++++++++++----------------------------- 1 file changed, 21 insertions(+), 38 deletions(-) (limited to 'hosts/surtr') diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix index 74a9fb22..636dab1a 100644 --- a/hosts/surtr/vpn/default.nix +++ b/hosts/surtr/vpn/default.nix @@ -12,12 +12,21 @@ in { "net.netfilter.nf_log_all_netns" = true; }; - networking.namespaces = { - enable = true; - containers."vpn".config = { + containers."vpn" = { + autoStart = true; + ephemeral = true; + extraFlags = [ + "--network-ipvlan=ens3:upstream" + "--load-credential=surtr.priv:${config.sops.secrets.vpn.path}" + ]; + + config = { boot.kernel.sysctl = { "net.core.rmem_max" = 4194304; "net.core.wmem_max" = 4194304; + "net.ipv6.conf.all.forwarding" = 1; + "net.ipv6.conf.default.forwarding"= 1; + "net.ipv4.conf.all.forwarding" = 1; }; environment = { @@ -53,6 +62,15 @@ in { systemd.network = { netdevs = { + upstream = { + netdevConfig = { + Name = "upstream"; + Kind = "ipvlan"; + }; + ipvlanConfig = { + Mode = "L2"; + }; + }; vpn = { netdevConfig = { Name = "vpn"; 
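Review bot: The container's sysctl block sets `all.forwarding` for both families plus `net.ipv6.conf.default.forwarding`, but drops `net.ipv4.conf.default.forwarding=1`, which the deleted `vpn-upstream` script (removed in this diff's `@@ -136` hunk) set explicitly; the kernel probably propagates the IPv4 `all` value to `default`, so this is likely harmless, but adding `"net.ipv4.conf.default.forwarding" = 1;` keeps the migration a faithful one-to-one move and spares the next reader the question. A one-line comment noting that `--network-ipvlan=ens3:upstream` replaces the manual `ip link add … type ipvlan mode l2` would tie the two halves of the change together. The `containers."vpn"` attribute set continues outside the hunk.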
@@ -136,41 +154,6 @@ in { }; }; - systemd.services = { - "vpn-upstream" = { - bindsTo = ["netns@vpn.service"]; - after = ["netns@vpn.service"]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - ExecStop = "${pkgs.iproute2}/bin/ip netns exec vpn ip link delete upstream"; - }; - path = with pkgs; [ iproute2 procps ]; - script = '' - ip netns exec vpn sysctl \ - net.ipv6.conf.all.forwarding=1 \ - net.ipv6.conf.default.forwarding=1 \ - net.ipv4.conf.all.forwarding=1 \ - net.ipv4.conf.default.forwarding=1 - - ip link add link ens3 name upstream type ipvlan mode l2 - ip link set upstream netns vpn - ''; - }; - - "netns-container@vpn" = { - wantedBy = ["multi-user.target" "network-online.target"]; - after = ["vpn-upstream.service"]; - bindsTo = ["vpn-upstream.service"]; - - serviceConfig = { - LoadCredential = [ - "surtr.priv:${config.sops.secrets.vpn.path}" - ]; - }; - }; - }; - sops.secrets.vpn = { format = "binary"; sopsFile = ./surtr.priv; -- cgit v1.2.3 From c6af884353a633989ee4561a4fc9f641aef7506f Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Tue, 9 Jul 2024 14:31:06 +0200 Subject: ... --- hosts/surtr/dns/zones/email.bouncy.soa | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'hosts/surtr') diff --git a/hosts/surtr/dns/zones/email.bouncy.soa b/hosts/surtr/dns/zones/email.bouncy.soa index 40e4b78b..2b319a93 100644 --- a/hosts/surtr/dns/zones/email.bouncy.soa +++ b/hosts/surtr/dns/zones/email.bouncy.soa @@ -1,7 +1,7 @@ $ORIGIN bouncy.email. $TTL 3600 @ IN SOA ns.yggdrasil.li. hostmaster.yggdrasil.li ( - 2023020101 ; serial + 2024070901 ; serial 10800 ; refresh 3600 ; retry 604800 ; expire 
@@ -41,10 +41,10 @@ mailin IN MX 0 mailin.bouncy.email. mailin IN TXT "v=spf1 redirect=bouncy.email" _acme-challenge.mailin IN NS ns.yggdrasil.li. -_25._tcp.mailin IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10 -_25._tcp.mailin IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270 -_25._tcp.mailin IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d -_25._tcp.mailin IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03 +; _25._tcp.mailin IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10 +; _25._tcp.mailin IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270 +; _25._tcp.mailin IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d +; _25._tcp.mailin IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03 mailsub IN A 202.61.241.61 mailsub IN AAAA 2a03:4000:52:ada:: -- cgit v1.2.3
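Review bot: Commenting out all four `_25._tcp.mailin` TLSA records leaves the name with no TLSA at all, so DANE-verifying senders fall back to unauthenticated opportunistic TLS for this MX once the 3600 s TTL expires, and nothing in the zone records why; if this is a certificate or CA rollover, the usual sequence is to publish the new `2 1 1` digest next to the old ones first and retire the old ones only after the TTL has passed. A comment such as `; TLSA withdrawn 2024-07-09: <reason>` above the block would make the intent recoverable. Whether the zone is DNSSEC-signed is not visible here, which decides how much these records mattered.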