authorAlejandro Soto <alejandro@34project.org>2023-01-11 19:36:21 -0600
committerAlejandro Soto <alejandro@34project.org>2023-01-11 19:36:21 -0600
commitfa34a1c0495cafffa38837e32efb3b7e4693d590 (patch)
treef5d4d756af893d9546a294e8b4ea401203e84322
parent751daf36fc86e3cf8a365c767a7c388818c10088 (diff)
dmz/mail: implement MTA->MDA nspawn bridge
-rw-r--r--env/users/mailbox.nix33
-rw-r--r--sys/nspawn.nix76
2 files changed, 81 insertions, 28 deletions
diff --git a/env/users/mailbox.nix b/env/users/mailbox.nix
index 06e67ef..16b218a 100644
--- a/env/users/mailbox.nix
+++ b/env/users/mailbox.nix
@@ -3,7 +3,21 @@ with lib; let
cfg = config.local;
in
{
- options.local.mailHost.enable = mkEnableOption "mailbox host service";
+ options.local.mailHost = with types; {
+ enable = mkEnableOption "mailbox host service";
+
+ mdaListen = mkOption {
+ type = str;
+ };
+
+ saslPort = mkOption {
+ type = port;
+ };
+
+ lmtpPort = mkOption {
+ type = port;
+ };
+ };
config =
let
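Review bot: The three new options `mdaListen`, `saslPort` and `lmtpPort` carry no `description`, `default` or `example`, so a host that sets `mailHost.enable` without also importing the DMZ module (which is what assigns them in sys/nspawn.nix) fails evaluation with an opaque "option used but not defined" error instead of a message saying what the value is for. Add a `description` to each, e.g. `description = "Host address the Dovecot SASL and LMTP TCP listeners bind to; must be reachable only from the MTA's network";` on `mdaListen` and `description = "TCP port of the Dovecot auth-client (SASL) listener used by the MTA";` on `saslPort`. The `config =` block that follows continues outside the hunk.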
@@ -48,6 +62,23 @@ in
vmailPath = "/var/lib/vmail/%{if;%d;ne;;%Ld;${domain}}";
in
''
+ # TODO: los defaults de nixpkgs dejan los sockets bajo
+ # /run/dovecot2 con demasiados permisos rwx, arreglar
+
+ service auth {
+ inet_listener mta-sasl {
+ port = ${toString cfg.mailHost.saslPort}
+ address = ${cfg.mailHost.mdaListen}
+ }
+ }
+
+ service lmtp {
+ inet_listener mta-lmtp {
+ port = ${toString cfg.mailHost.lmtpPort}
+ address = ${cfg.mailHost.mdaListen}
+ }
+ }
+
# Esto enfuerza user@domain.tld
auth_username_format = %{if;%Ld;eq;${domain};%Ln;%{if;%d;ne;;%Lu;%Ln@invalid}}
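Review bot: The `service auth` inet_listener at `address = ${cfg.mailHost.mdaListen}` exposes Dovecot's auth-client protocol over plain TCP; that protocol does not authenticate the connecting peer, so anything that can reach that address and port can submit password-verification attempts against every account. The hunk itself adds no restriction — the only gate is the host firewall rule on `ve-dmz` in sys/nspawn.nix — and the TODO above the listener concerns unix-socket permissions under /run/dovecot2, which does not cover this TCP listener. Record the trust assumption next to it, e.g. `# auth-client over TCP is unauthenticated and plaintext: reachable only via ve-dmz, gated by the host firewall`, and a matching note on the LMTP listener, which likewise accepts delivery from any peer that reaches it. The enclosing Dovecot config string and `config` block continue outside the hunk.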
diff --git a/sys/nspawn.nix b/sys/nspawn.nix
index 2298c94..a586221 100644
--- a/sys/nspawn.nix
+++ b/sys/nspawn.nix
@@ -1,21 +1,25 @@
{ lib, config, pkgs, ... }:
with lib; let
- cfg = config.local.nspawn;
+ cfg = config.local;
in
{
- options.local.nspawn.dmz = {
+ options.local.nspawn.dmz = with types; {
enable = mkEnableOption "DMZ services in a container";
net = mkOption {
- type = with types; str;
+ type = str;
+ };
+
+ netBits = mkOption {
+ type = int;
};
hostAddr = mkOption {
- type = with types; str;
+ type = str;
};
system = mkOption {
- type = with types; attrs;
+ type = attrs;
};
};
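Review bot: `netBits` is typed as a bare `int`, so a value such as 64 or -1 is accepted at evaluation time and only fails later when systemd-networkd parses the resulting `Address = …/64`. Use `type = ints.between 0 32;`, since the values assigned below are IPv4 literals, and consider adding a `description` to `net`, `netBits` and `hostAddr`, as the latter two are free-form `str` with no stated format. The option set is complete within the hunk; the module's `config` follows outside it.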
@@ -37,31 +41,47 @@ in
# NixOS evidentemente no usa la segunda ruta por ser FHS, así que la duct tape
# final es 'mkdir rootfs/usr/lib && touch rootfs/usr/lib/os-release'.
- config = mkIf cfg.dmz.enable {
- local.nspawn.dmz = {
- system =
- let
- containerModule = { ... }: {
- config.boot.isContainer = true;
- };
- in
- pkgs.nixos [ ../dmz containerModule ];
-
- net = "10.34.3.0/28";
- hostAddr = "10.34.3.1/28";
+ config = mkIf cfg.nspawn.dmz.enable {
+ local = {
+ mailHost = {
+ mdaListen = cfg.nspawn.dmz.hostAddr;
+ saslPort = 11000;
+ lmtpPort = 11001;
+ };
+
+ nspawn.dmz = {
+ system =
+ let
+ containerModule = { ... }: {
+ #TODO: urgente: bloquear puertos de dovecot a non-postfix con iptables
+ config = {
+ boot.isContainer = true;
+
+ local.mta = {
+ mdaAddr = cfg.mailHost.mdaListen;
+ inherit (cfg.mailHost) saslPort lmtpPort;
+ };
+ };
+ };
+ in
+ pkgs.nixos [ ../dmz containerModule ];
+
+ net = "10.34.3.0";
+ netBits = 28;
+ hostAddr = "10.34.3.1";
+ };
};
systemd = {
nspawn.dmz = {
execConfig.PrivateUsers = "pick";
- filesConfig.BindReadOnly =
- [
- # idmap porque algunos hacks en nixpkgs (postfix-setup.service)
- # asumen que la store es de root
- "/nix/store:/nix/store:idmap"
- "${cfg.dmz.system.toplevel}/init:/sbin/init"
- ];
+ filesConfig.BindReadOnly = [
+ # idmap porque algunos hacks en nixpkgs (postfix-setup.service)
+ # asumen que la store es de root
+ "/nix/store:/nix/store:idmap"
+ "${cfg.nspawn.dmz.system.toplevel}/init:/sbin/init"
+ ];
networkConfig.Port = [ "tcp:25" "tcp:80" "tcp:443" "tcp:587" ];
};
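Review bot: `net = "10.34.3.0"` is still assigned at the bottom of the new `nspawn.dmz` block, but nothing in this diff reads `cfg.nspawn.dmz.net` any more — the interface address is now built from `hostAddr` and `netBits` — so unless a consumer exists outside the diff it is dead configuration that can drift from `hostAddr` unnoticed. If it is kept, derive the host address from it or add a comment naming what consumes it. Separately, the container appears to get its address from the host's DHCP server (`DHCPServer = "yes"` in the next hunk), so the TODO in the container module about blocking the Dovecot ports cannot be written as a source-pinned rule until the container has a fixed address; a static lease or static container address would make that restriction possible. The `config` attribute set continues past the hunk.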
@@ -73,7 +93,7 @@ in
};
networkConfig = {
- Address = "${cfg.dmz.hostAddr}";
+ Address = "${cfg.nspawn.dmz.hostAddr}/${toString cfg.nspawn.dmz.netBits}";
LinkLocalAddressing = "yes";
DHCPServer = "yes";
IPMasquerade = "both";
@@ -90,7 +110,9 @@ in
};
};
- # DHCP
- networking.firewall.interfaces.ve-dmz.allowedUDPPorts = [ 67 ];
+ networking.firewall.interfaces.ve-dmz = {
+ allowedTCPPorts = [ cfg.mailHost.saslPort cfg.mailHost.lmtpPort ];
+ allowedUDPPorts = [ 67 ]; # DHCP
+ };
};
}
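Review bot: `allowedTCPPorts` opens the SASL and LMTP ports on `ve-dmz` whenever the DMZ container is enabled, regardless of whether `local.mailHost.enable` is set, so a host running the container without the mailbox service admits traffic to two ports nothing listens on, and the listeners in env/users/mailbox.nix are created under a different condition than the rule that exposes them. Tie the rule to the service: `allowedTCPPorts = optionals cfg.mailHost.enable [ cfg.mailHost.saslPort cfg.mailHost.lmtpPort ];`. Note also that an interface-scoped rule admits any source on the link rather than only the container, which is acceptable while the container is the sole peer on `ve-dmz` but worth stating in the comment.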