From c2a1e00b26b7e65305a36aa817a311ecbd2d831c Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 11 Jun 2024 10:05:16 +0200
Subject: email nologin by as-set

---
 hosts/surtr/email/default.nix | 58 +++++++++++++++++++++++++++++++++++++++++++
 hosts/surtr/ruleset.nft | 31 +++++++++++++++++------
 2 files changed, 82 insertions(+), 7 deletions(-)
(limited to 'hosts')

diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index 057e29f3..23ac8aa1 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
@@ -32,9 +32,47 @@ let
 });
 };
 
+ nftables-nologin-script = pkgs.writeScript "nftables-mail-nologin" ''
+ #!${pkgs.zsh}/bin/zsh
+
+ set -e
+ export PATH="${lib.makeBinPath (with pkgs; [inetutils nftables])}:$PATH"
+
+ typeset -a as_sets route route6
+ as_sets=(${lib.escapeShellArgs config.services.email.nologinASSets})
+
+ for as_set in $as_sets; do
+ while IFS=$'\n' read line; do
+ if [[ "''${line}" =~ "^route:\s+(.+)$" ]]; then
+ route+=($match[1])
+ elif [[ "''${line}" =~ "^route6:\s+(.+)$" ]]; then
+ route6+=($match[1])
+ fi
+ done < <(whois -h whois.radb.net "!i''${as_set},1" | egrep -o 'AS[0-9]+' | xargs -- whois -h whois.radb.net -- -i origin)
+ done
+
+ printf -v elements4 '%s,' "''${route[@]}"
+ elements4=''${elements4%,}
+ printf -v elements6 '%s,' "''${route6[@]}"
+ elements6=''${elements6%,}
+ nft -f - <