Diffstat (limited to '')
| -rw-r--r-- | env/users/mailbox.nix | 33 | ||||
| -rw-r--r-- | sys/nspawn.nix | 76 |
2 files changed, 81 insertions, 28 deletions
diff --git a/env/users/mailbox.nix b/env/users/mailbox.nix
index 06e67ef..16b218a 100644
--- a/env/users/mailbox.nix
+++ b/env/users/mailbox.nix
@@ -3,7 +3,21 @@ with lib;
 let
 cfg = config.local;
 in {
- options.local.mailHost.enable = mkEnableOption "mailbox host service";
+ options.local.mailHost = with types; {
+ enable = mkEnableOption "mailbox host service";
+
+ mdaListen = mkOption {
+ type = str;
+ };
+
+ saslPort = mkOption {
+ type = port;
+ };
+
+ lmtpPort = mkOption {
+ type = port;
+ };
+ };
 config =
 let
@@ -48,6 +62,23 @@ in
 vmailPath = "/var/lib/vmail/%{if;%d;ne;;%Ld;${domain}}";
 in
 ''
+ # TODO: los defaults de nixpkgs dejan los sockets bajo
+ # /run/dovecot2 con demasiados permisos rwx, arreglar
+
+ service auth {
+ inet_listener mta-sasl {
+ port = ${toString cfg.mailHost.saslPort}
+ address = ${cfg.mailHost.mdaListen}
+ }
+ }
+
+ service lmtp {
+ inet_listener mta-lmtp {
+ port = ${toString cfg.mailHost.lmtpPort}
+ address = ${cfg.mailHost.mdaListen}
+ }
+ }
+
 # Esto enfuerza user@domain.tld
 auth_username_format = %{if;%Ld;eq;${domain};%Ln;%{if;%d;ne;;%Lu;%Ln@invalid}}
diff --git a/sys/nspawn.nix b/sys/nspawn.nix
index 2298c94..a586221 100644
--- a/sys/nspawn.nix
+++ b/sys/nspawn.nix
@@ -1,21 +1,25 @@
 { lib, config, pkgs, ... }:
 with lib;
 let
- cfg = config.local.nspawn;
+ cfg = config.local;
 in {
- options.local.nspawn.dmz = {
+ options.local.nspawn.dmz = with types; {
 enable = mkEnableOption "DMZ services in a container";
 net = mkOption {
- type = with types; str;
+ type = str;
+ };
+
+ netBits = mkOption {
+ type = int;
 };
 hostAddr = mkOption {
- type = with types; str;
+ type = str;
 };
 system = mkOption {
- type = with types; attrs;
+ type = attrs;
 };
 };
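Review bot: The three new options `mdaListen`, `saslPort` and `lmtpPort` under `options.local.mailHost` carry neither a `description` nor a `default`, so a host that sets `mailHost.enable = true` without the nspawn module assigning them fails evaluation with the module system's generic "used but not defined" error and no hint of what the value is for. Give each a `description`, e.g. `description = "Host-side address the MTA-facing SASL and LMTP listeners bind to; must be reachable only from the DMZ container.";` for `mdaListen`, and a matching one-liner for the two ports. The enclosing module attribute set continues past this hunk.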
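Review bot: `address = ${cfg.mailHost.mdaListen}` is the only thing scoping the new `mta-sasl` and `mta-lmtp` inet listeners, and nothing in this hunk checks that the option holds the host-side veth address rather than a routable or wildcard one; LMTP in particular has no authentication step of its own, so a wrong value would expose mailbox delivery. An evaluation-time guard next to the dovecot config, e.g. `assertions = [ { assertion = cfg.mailHost.mdaListen != "0.0.0.0"; message = "local.mailHost.mdaListen must be the host-side container link address"; } ];`, fails the build instead of silently widening the listeners. A comment above `service auth` stating that the only expected peer is the DMZ container's MTA would also make the intent survive the next edit; the `# TODO` about `/run/dovecot2` socket permissions remains open. The surrounding `config` block starts before this hunk.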
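Review bot: `netBits` is declared as a bare `int`, so a value outside 0..32 is accepted at evaluation time and only surfaces when networkd parses the `Address` string assembled from it in a later hunk of this file. `type = ints.between 0 32;` ties the check to the option itself (`ints.u8` would at least reject negatives). Now that the prefix length lives in `netBits`, `net` is a free `str` again; a short `description = "Network address without prefix length; see netBits.";` keeps the two from drifting apart.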
@@ -37,31 +41,47 @@ in
 # NixOS evidentemente no usa la segunda ruta por ser FHS, asà que la duct tape
 # final es 'mkdir rootfs/usr/lib && touch rootfs/usr/lib/os-release'.
- config = mkIf cfg.dmz.enable {
- local.nspawn.dmz = {
- system =
- let
- containerModule = { ... }: {
- config.boot.isContainer = true;
- };
- in
- pkgs.nixos [ ../dmz containerModule ];
-
- net = "10.34.3.0/28";
- hostAddr = "10.34.3.1/28";
+ config = mkIf cfg.nspawn.dmz.enable {
+ local = {
+ mailHost = {
+ mdaListen = cfg.nspawn.dmz.hostAddr;
+ saslPort = 11000;
+ lmtpPort = 11001;
+ };
+
+ nspawn.dmz = {
+ system =
+ let
+ containerModule = { ... }: {
+ #TODO: urgente: bloquear puertos de dovecot a non-postfix con iptables
+ config = {
+ boot.isContainer = true;
+
+ local.mta = {
+ mdaAddr = cfg.mailHost.mdaListen;
+ inherit (cfg.mailHost) saslPort lmtpPort;
+ };
+ };
+ };
+ in
+ pkgs.nixos [ ../dmz containerModule ];
+
+ net = "10.34.3.0";
+ netBits = 28;
+ hostAddr = "10.34.3.1";
+ };
 };
 systemd = {
 nspawn.dmz = {
 execConfig.PrivateUsers = "pick";
- filesConfig.BindReadOnly =
- [
- # idmap porque algunos hacks en nixpkgs (postfix-setup.service)
- # asumen que la store es de root
- "/nix/store:/nix/store:idmap"
- "${cfg.dmz.system.toplevel}/init:/sbin/init"
- ];
+ filesConfig.BindReadOnly = [
+ # idmap porque algunos hacks en nixpkgs (postfix-setup.service)
+ # asumen que la store es de root
+ "/nix/store:/nix/store:idmap"
+ "${cfg.nspawn.dmz.system.toplevel}/init:/sbin/init"
+ ];
 networkConfig.Port = [ "tcp:25" "tcp:80" "tcp:443" "tcp:587" ];
 };
@@ -73,7 +93,7 @@ in
 };
 networkConfig = {
- Address = "${cfg.dmz.hostAddr}";
+ Address = "${cfg.nspawn.dmz.hostAddr}/${toString cfg.nspawn.dmz.netBits}";
 LinkLocalAddressing = "yes";
 DHCPServer = "yes";
 IPMasquerade = "both";
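Review bot: Inside `containerModule`, `mdaAddr = cfg.mailHost.mdaListen;` and `inherit (cfg.mailHost) saslPort lmtpPort;` read the host's `config.local` through the closure, not anything the container's own module set declares, which is correct here but easy to misread because the module is handed to `pkgs.nixos` and evaluated as the container's configuration. A comment on the line before `local.mta = {`, such as `# cfg is the host's config.local captured by closure; the container defines no mailHost options`, would make that explicit. The `#TODO: urgente` line is also the only record that the SASL and LMTP listeners are meant for postfix alone while the same container receives 25/80/443/587 via `networkConfig.Port`; until that in-container rule exists, the host-side firewall entry later in this file is what bounds the exposure, and it would be worth a pointer to it here. The enclosing module continues past this hunk.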
@@ -90,7 +110,9 @@ in
 };
 };
- # DHCP
- networking.firewall.interfaces.ve-dmz.allowedUDPPorts = [ 67 ];
+ networking.firewall.interfaces.ve-dmz = {
+ allowedTCPPorts = [ cfg.mailHost.saslPort cfg.mailHost.lmtpPort ];
+ allowedUDPPorts = [ 67 ]; # DHCP
+ };
 };
 }
|
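Review bot: `allowedTCPPorts = [ cfg.mailHost.saslPort cfg.mailHost.lmtpPort ];` on `ve-dmz` admits every peer on that link, and the container behind it also receives the forwarded public ports 25, 80, 443 and 587 from the earlier hunk, so the SASL listener and the unauthenticated LMTP delivery listener appear reachable from any service in the DMZ, not only from postfix. The host side can narrow this itself rather than waiting on the in-container rule promised by the `#TODO: urgente` comment, for instance by restricting the source to the container's address on `ve-dmz` via `networking.firewall.extraCommands`, or by replacing the inet listeners with a unix socket bind-mounted into the container and dropping the `allowedTCPPorts` entry altogether. Either way, record next to the `# DHCP` comment that these two ports are the DMZ MTA's delivery path so the list is not widened casually.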
