From 14c880aa5187ad5a0d0cd2e43fec8248f10b3b7e Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Thu, 8 Aug 2024 11:36:56 +0200
Subject: ...

---
 hosts/surtr/email/default.nix |  4 ++++
 hosts/surtr/vpn/default.nix   | 46 ++++++++++++++++---------------------------
 2 files changed, 21 insertions(+), 29 deletions(-)


diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 9c3e8849..bb0f6e20 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -409,6 +409,10 @@ in {
       modules = with pkgs; [ dovecot_pigeonhole dovecot_fts_xapian ];
       mailPlugins.globally.enable = [ "fts" "fts_xapian" ];
       protocols = [ "lmtp" "sieve" ];
+      sieve = {
+        extensions = ["copy" "imapsieve" "variables" "imap4flags" "vacation"];
+        globalExtensions = ["copy" "imapsieve" "variables" "imap4flags" "vacation"];
+      };
       extraConfig = let
         dovecotSqlConf = pkgs.writeText "dovecot-sql.conf" ''
           driver = pgsql
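Review bot: The `extensions` and `globalExtensions` lists added under `sieve` are the same literal written twice, so a later edit to one can silently diverge from the other. Bind the list once and reference it from both attributes: `sieve = let exts = ["copy" "imapsieve" "variables" "imap4flags" "vacation"]; in { extensions = exts; globalExtensions = exts; };`. The enclosing dovecot attribute set starts and ends outside this hunk.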
diff --git a/hosts/surtr/vpn/default.nix b/hosts/surtr/vpn/default.nix
index 61a9d544..1d31a6f2 100644
--- a/hosts/surtr/vpn/default.nix
+++ b/hosts/surtr/vpn/default.nix
@@ -12,12 +12,25 @@ in {
       "net.netfilter.nf_log_all_netns" = true;
     };
 
-    networking.namespaces = {
-      enable = true;
-      containers."vpn".config = {
+    containers."vpn" = {
+      autoStart = true;
+      ephemeral = true;
+      additionalCapabilities = [
+        "CAP_SYS_TTY_CONFIG" "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_SYS_ADMIN"
+      ];
+      extraFlags = [
+        "--load-credential=surtr.priv:/run/credentials/container@vpn.service/surtr.priv"
+        "--network-ipvlan=ens3:upstream"
+      ];
+      config = {
         boot.kernel.sysctl = {
           "net.core.rmem_max" = 4194304;
           "net.core.wmem_max" = 4194304;
+
+          "net.ipv6.conf.all.forwarding" = 1;
+          "net.ipv6.conf.default.forwarding" = 1;
+          "net.ipv4.conf.all.forwarding" = 1;
+          "net.ipv4.conf.default.forwarding" = 1;
         };
 
         environment = {
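Review bot: `additionalCapabilities` grants the container `CAP_SYS_ADMIN`, which is close to unrestricted root on the shared host kernel and goes well beyond what the ipvlan and forwarding setup visible in this hunk needs; `CAP_NET_ADMIN` and `CAP_NET_RAW` already cover interface, routing and raw-socket work. If something inside the container genuinely requires it, say so next to the list, e.g. `# CAP_SYS_ADMIN: required by <component inside the container> -- TODO confirm`, otherwise drop it from the list. The `--load-credential` path in `extraFlags` hard-codes the host unit name `container@vpn.service`, which is only defined in the second hunk of this file; a one-line comment that the two must stay in sync would prevent a silent break on rename. The `config` attribute set continues past the end of this hunk.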
@@ -125,32 +138,7 @@ in {
     };
 
     systemd.services = {
-      "vpn-upstream" = {
-        bindsTo = ["netns@vpn.service"];
-        after = ["netns@vpn.service"];
-        serviceConfig = {
-          Type = "oneshot";
-          RemainAfterExit = true;
-          ExecStop = "${pkgs.iproute2}/bin/ip netns exec vpn ip link delete upstream";
-        };
-        path = with pkgs; [ iproute2 procps ];
-        script = ''
-          ip netns exec vpn sysctl \
-            net.ipv6.conf.all.forwarding=1 \
-            net.ipv6.conf.default.forwarding=1 \
-            net.ipv4.conf.all.forwarding=1 \
-            net.ipv4.conf.default.forwarding=1
-
-          ip link add link ens3 name upstream type ipvlan mode l2
-          ip link set upstream netns vpn
-        '';
-      };
-
-      "netns-container@vpn" = {
-        wantedBy = ["multi-user.target" "network-online.target"];
-        after = ["vpn-upstream.service"];
-        bindsTo = ["vpn-upstream.service"];
-
+      "container@vpn" = {
         serviceConfig = {
           LoadCredential = [
             "surtr.priv:${config.sops.secrets.vpn.path}"
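Review bot: The new `container@vpn` override no longer carries the `wantedBy = ["multi-user.target" "network-online.target"]` that the removed `netns-container@vpn` unit had; with `autoStart = true` the NixOS container unit is pulled in via machines.target instead, but nothing in this hunk makes it part of `network-online.target` anymore. If any host unit outside this diff orders itself after `network-online.target` expecting the VPN container to be up, that dependency is now silently lost and `wantedBy = ["network-online.target"];` should be added to this override. The `systemd.services` attribute set continues past the end of this hunk.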
-- 