From fa34a1c0495cafffa38837e32efb3b7e4693d590 Mon Sep 17 00:00:00 2001 From: Alejandro Soto Date: Wed, 11 Jan 2023 19:36:21 -0600 Subject: dmz/mail: implement MTA->MDA nspawn bridge --- sys/nspawn.nix | 76 +++++++++++++++++++++++++++++++++++++--------------------- 1 file changed, 49 insertions(+), 27 deletions(-) (limited to 'sys/nspawn.nix') diff --git a/sys/nspawn.nix b/sys/nspawn.nix index 2298c94..a586221 100644 --- a/sys/nspawn.nix +++ b/sys/nspawn.nix @@ -1,21 +1,25 @@ { lib, config, pkgs, ... }: with lib; let - cfg = config.local.nspawn; + cfg = config.local; in { - options.local.nspawn.dmz = { + options.local.nspawn.dmz = with types; { enable = mkEnableOption "DMZ services in a container"; net = mkOption { - type = with types; str; + type = str; + }; + + netBits = mkOption { + type = int; }; hostAddr = mkOption { - type = with types; str; + type = str; }; system = mkOption { - type = with types; attrs; + type = attrs; }; }; 
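Review bot: The new `netBits` option is declared as a bare `int` with no description and no default, so a typo like `netBits = 280;` is accepted at evaluation time and only fails when systemd-networkd parses the `Address` string built from it. Since this is an IPv4 prefix length, tighten it to `netBits = mkOption { type = ints.between 0 32; description = "Prefix length of the DMZ veth network."; };` (`ints.between` is already in scope via `with types;`). The other options in this block (`net`, `hostAddr`, `system`) also lack a `description`; a one-line description on each would make `nixos-option` output and the module's intent readable. This hunk is the top of the module; the rest of the file continues below it.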
@@ -37,31 +41,47 @@ in # NixOS evidentemente no usa la segunda ruta por ser FHS, así que la duct tape # final es 'mkdir rootfs/usr/lib && touch rootfs/usr/lib/os-release'. - config = mkIf cfg.dmz.enable { - local.nspawn.dmz = { - system = - let - containerModule = { ... }: { - config.boot.isContainer = true; - }; - in - pkgs.nixos [ ../dmz containerModule ]; - - net = "10.34.3.0/28"; - hostAddr = "10.34.3.1/28"; + config = mkIf cfg.nspawn.dmz.enable { + local = { + mailHost = { + mdaListen = cfg.nspawn.dmz.hostAddr; + saslPort = 11000; + lmtpPort = 11001; + }; + + nspawn.dmz = { + system = + let + containerModule = { ... }: { + #TODO: urgente: bloquear puertos de dovecot a non-postfix con iptables + config = { + boot.isContainer = true; + + local.mta = { + mdaAddr = cfg.mailHost.mdaListen; + inherit (cfg.mailHost) saslPort lmtpPort; + }; + }; + }; + in + pkgs.nixos [ ../dmz containerModule ]; + + net = "10.34.3.0"; + netBits = 28; + hostAddr = "10.34.3.1"; + }; }; systemd = { nspawn.dmz = { execConfig.PrivateUsers = "pick"; - filesConfig.BindReadOnly = - [ - # idmap porque algunos hacks en nixpkgs (postfix-setup.service) - # asumen que la store es de root - "/nix/store:/nix/store:idmap" - "${cfg.dmz.system.toplevel}/init:/sbin/init" - ]; + filesConfig.BindReadOnly = [ + # idmap porque algunos hacks en nixpkgs (postfix-setup.service) + # asumen que la store es de root + "/nix/store:/nix/store:idmap" + "${cfg.nspawn.dmz.system.toplevel}/init:/sbin/init" + ]; networkConfig.Port = [ "tcp:25" "tcp:80" "tcp:443" "tcp:587" ]; }; @@ -73,7 +93,7 @@ in }; networkConfig = { - Address = "${cfg.dmz.hostAddr}"; + Address = "${cfg.nspawn.dmz.hostAddr}/${toString cfg.nspawn.dmz.netBits}"; LinkLocalAddressing = "yes"; DHCPServer = "yes"; IPMasquerade = "both"; 
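Review bot: The `mailHost.mdaListen = cfg.nspawn.dmz.hostAddr` wiring exposes the host-side SASL (11000) and LMTP (11001) listeners to every process inside the container, not only Postfix — the `#TODO: urgente` comment added in `containerModule` acknowledges exactly this, and the unchanged `networkConfig.Port` list shows the same container also publishes 80/443, so a compromised web service there would presumably get an unauthenticated LMTP injection path and a password-guessing oracle against SASL. Rather than shipping the TODO, restrict egress on the container side (in the `../dmz` module, outside this file), e.g. via `networking.firewall.extraCommands`: `iptables -A OUTPUT -d ${mdaAddr} -p tcp -m multiport --dports ${toString saslPort},${toString lmtpPort} -m owner --uid-owner postfix -j ACCEPT` followed by `iptables -A OUTPUT -d ${mdaAddr} -p tcp -m multiport --dports ${toString saslPort},${toString lmtpPort} -j REJECT`, which works as long as the container keeps CAP_NET_ADMIN (nspawn's default). Independently, nothing checks that `hostAddr` lies inside `net`/`netBits`; if `net` is consumed elsewhere, an assertion tying the three together would catch a mismatch at eval time. The `config` attribute set this hunk edits continues past the hunk into the next one.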
@@ -90,7 +110,9 @@ in }; }; - # DHCP - networking.firewall.interfaces.ve-dmz.allowedUDPPorts = [ 67 ]; + networking.firewall.interfaces.ve-dmz = { + allowedTCPPorts = [ cfg.mailHost.saslPort cfg.mailHost.lmtpPort ]; + allowedUDPPorts = [ 67 ]; # DHCP + }; }; } -- cgit v1.2.3
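Review bot: The two new `allowedTCPPorts` entries have no explanatory comment, unlike the DHCP line that kept its `# DHCP` tag, yet the `ve-dmz` interface match is the only thing gating the host's Dovecot SASL/LMTP listeners and it does not distinguish which process inside the container is connecting. Add a comment such as `# MTA->MDA bridge: Postfix in the DMZ container -> Dovecot SASL/LMTP bound on hostAddr; interface-scoped, so only the veth peer can reach these` so the next reader understands why host services are opened on this interface at all. If the listener is meant to be reachable from the container only, it is also worth stating here that `mdaListen` binds it to `hostAddr` rather than to all addresses, which is what keeps it off the host's other interfaces.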