Properly force the VPN SMTP thing

Jimbo 2024-09-18 13:49:57 -04:00
parent 17e384265c
commit 7ae06caef8
2 changed files with 5 additions and 4 deletions


@ -5,6 +5,7 @@
# Configure firewall # Configure firewall
networking = let networking = let
ips = import ../modules/ips.nix; ips = import ../modules/ips.nix;
mailPorts = "{ 25, 143, 465, 587, 993, 4190 }";
in { in {
firewall = { firewall = {
allowPing = false; allowPing = false;
@ -13,6 +14,7 @@
extraInputRules = '' extraInputRules = ''
ip saddr ${ips.localSpan}.0/24 tcp dport 2049 accept comment "Accept NFS" ip saddr ${ips.localSpan}.0/24 tcp dport 2049 accept comment "Accept NFS"
ip saddr { ${ips.pc}, ${outputs.secrets.lunaIP}, ${outputs.secrets.cornIP}, ${outputs.secrets.vertIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP" ip saddr { ${ips.pc}, ${outputs.secrets.lunaIP}, ${outputs.secrets.cornIP}, ${outputs.secrets.vertIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP"
ip saddr ${ips.wgSpan}.3 tcp dport ${mailPorts} accept comment "Accept mail"
''; '';
}; };
@ -45,6 +47,7 @@
type nat hook postrouting priority 100; policy accept; type nat hook postrouting priority 100; policy accept;
oifname "${ips.netInt}" masquerade oifname "${ips.netInt}" masquerade
iifname "${ips.netInt}" oifname "${ips.wgInt}" masquerade comment "Traffic from public to WireGuard" iifname "${ips.netInt}" oifname "${ips.wgInt}" masquerade comment "Traffic from public to WireGuard"
tcp dport ${mailPorts} oifname != "${ips.wgInt}" drop comment "Send mail"
} }
''; '';
}; };
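Review bot: The added `drop` on the `tcp dport ${mailPorts} oifname != "${ips.wgInt}"` line sits in the nat postrouting chain, which nftables evaluates only for the first packet of a connection, and the rule carries no source or input-interface qualifier, so as written it appears to refuse every new connection to 25/143/465/587/993/4190 that leaves by any interface other than WireGuard — locally originated ones and, if this host forwards LAN traffic (the `oifname "${ips.netInt}" masquerade` rule above suggests it does), LAN clients' IMAP/submission sessions to outside providers as well. If the intent is only to keep the mail server's own outbound SMTP on the tunnel, the conventional place is a `type filter hook output` chain rule limited to port 25 (or scoped with `meta skuid` to the MTA's user); the IMAP, IMAPS and ManageSieve ports have no outbound delivery role and could be left out of the drop. The comment `"Send mail"` reads like an accept rule; `comment "Force mail traffic out via WireGuard"` says what the rule does. Note that the `mailPorts` string at the top is also interpolated into the input rule, so narrowing it for the drop alone would need a second list.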


@ -2,7 +2,7 @@
# Mail server # Mail server
mailserver = rec { mailserver = rec {
enable = true; enable = true;
enableManageSieve = true; openFirewall = false;
domains = [ "${outputs.secrets.jimDomain}" ]; domains = [ "${outputs.secrets.jimDomain}" ];
fqdn = "mx.${outputs.secrets.jimDomain}"; fqdn = "mx.${outputs.secrets.jimDomain}";
certificateScheme = "acme-nginx"; certificateScheme = "acme-nginx";
@ -25,15 +25,13 @@
}; };
"jimbo@${outputs.secrets.jimDomain}" = { "jimbo@${outputs.secrets.jimDomain}" = {
hashedPasswordFile = pkgs.writeText "jimbo" outputs.secrets.jimboMailHash; hashedPasswordFile = pkgs.writeText "jimbo" outputs.secrets.jimboMailHash;
aliases = [ "canada@${outputs.secrets.jimDomain}" "contact@${outputs.secrets.jimDomain}" ]; aliases = [ "james@${outputs.secrets.jimDomain}" "contact@${outputs.secrets.jimDomain}" ];
}; };
"lunamoonlight@${outputs.secrets.jimDomain}" = { "lunamoonlight@${outputs.secrets.jimDomain}" = {
hashedPasswordFile = pkgs.writeText "luna" outputs.secrets.lunaMailHash; hashedPasswordFile = pkgs.writeText "luna" outputs.secrets.lunaMailHash;
aliases = [ "us@${outputs.secrets.jimDomain}" "contact@${outputs.secrets.jimDomain}" ];
}; };
"freecorn1854@${outputs.secrets.jimDomain}" = { "freecorn1854@${outputs.secrets.jimDomain}" = {
hashedPasswordFile = pkgs.writeText "freecorn" outputs.secrets.freecornMailHash; hashedPasswordFile = pkgs.writeText "freecorn" outputs.secrets.freecornMailHash;
aliases = [ "canada@${outputs.secrets.jimDomain}" "contact@${outputs.secrets.jimDomain}" ];
}; };
"tinyattack09@${outputs.secrets.jimDomain}" = { "tinyattack09@${outputs.secrets.jimDomain}" = {
hashedPasswordFile = pkgs.writeText "tiny" outputs.secrets.tinyMailHash; hashedPasswordFile = pkgs.writeText "tiny" outputs.secrets.tinyMailHash;
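Review bot: With `openFirewall = false;` the module no longer opens the mail ports itself, so reachability now rests entirely on the `extraInputRules` line that accepts them only from `${ips.wgSpan}.3`; that is coherent for SMTP relayed over the tunnel, but the same hunk appears to drop `enableManageSieve = true;` (the printed order suggests it is the old side — confirm), while port 4190 is still listed in `mailPorts` in the firewall file, leaving an allowance for a service that would then be disabled. Either keep `enableManageSieve = true;` or remove 4190 from `mailPorts` so the firewall list matches what is actually listening. The alias edits in the second hunk (apparently dropping `contact@` from two accounts and renaming the `canada@` alias) are unrelated to the title; a line in the commit message, or a separate commit, would make that change reviewable on its own. `openFirewall = false;` also deserves a short comment in place, e.g. `# Mail ports are accepted only from the WireGuard relay peer; see the firewall rules`.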