Egor Savkin
785777eb0e
Optimize new fw rules and tweak postfix
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 12:01:25 +08:00
Egor Savkin
7131a54bb6
Rebase and add intl interface to exceptions
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:55:28 +08:00
Egor Savkin
bbfee50b53
Fix postfix settings so it should load successfully and accept and send messages through tunnel
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:55:28 +08:00
Egor Savkin
4c300688d9
Fix postfix settings so it should load successfully
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:55:28 +08:00
Egor Savkin
45b53991d1
Add virtual ips for the gre tunnel
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:55:28 +08:00
Egor Savkin
5a408bdb63
Return swan into the zoo
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:55:28 +08:00
Egor Savkin
2f1c794ac0
Use IPv6 for WG transport to decrease latency by 20%
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:55:28 +08:00
Egor Savkin
8068eb96b3
Ip rules instead of iptables tracking
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:55:28 +08:00
Egor Savkin
7b98b49fcd
Apply tested client configuration
Adds an additional route, but doesn't enforce it so other apps will remain the same, but smtp can use tunnel for sending. Also sends replies through the tunnel if connection arrives on the tunnel.
Better have something tested and working before I start doing "perfect".
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:55:28 +08:00
Egor Savkin
367d5a8c4c
Use wireguard instead of strongswan since it's in the kernel
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:55:27 +08:00
Egor Savkin
5fb951ba3c
WIP: Use gre/ipsec instead of proxy
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:54:57 +08:00
Egor Savkin
6832725535
Use proxychains-ng instead of tsocks
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:53:44 +08:00
Egor Savkin
4c9dff8d95
Use tsocks to wrap socks and add sock transport type
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:53:44 +08:00
Egor Savkin
f909cd71a3
Use wildcard instead of explicit specification
As in example at https://www.postfix.org/transport.5.html
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:53:44 +08:00
Egor Savkin
3959250f0b
Use postfix options for routing mails through ssh tunnel
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:53:44 +08:00
Sébastien Bourdeauducq
476f5d1d6c
nixbld: update to nextcloud 30
2024-10-16 11:33:07 +08:00
Sebastien Bourdeauducq
ecf40fb2db
nixbld: fix firewall issue with incoming USA tunnel connections
2024-10-15 21:27:43 +08:00
Sébastien Bourdeauducq
34102e66ad
nixbld: install nextcloud forms app
2024-10-15 16:22:33 +08:00
Sébastien Bourdeauducq
93ae830468
nixbld: disable IPv6 MX for m-labs-intl.com
2024-10-14 14:23:15 +08:00
Sébastien Bourdeauducq
8af66556b9
nixbld: remove google fonts workaround
2024-10-11 17:27:10 +08:00
Sébastien Bourdeauducq
94cff9bb09
nixbld: revert 233998b8
(did not fix the problem)
2024-10-08 16:11:12 +08:00
Sébastien Bourdeauducq
2bf7bb0638
nixbld: connect to USA VPN
2024-10-08 16:09:56 +08:00
Sébastien Bourdeauducq
3419fe6013
nixbld: remove nkrackow user
2024-10-05 10:15:13 +08:00
Sébastien Bourdeauducq
ec53c0cbdd
nixbld: add eduardotenholder user
2024-10-02 18:41:45 +08:00
Sébastien Bourdeauducq
0258f5cff4
nixbld: reorganize users (NFC)
2024-10-02 18:40:48 +08:00
Sébastien Bourdeauducq
b723b7f8c0
nixbld: clean up/update systemPackages
2024-09-30 15:12:01 +08:00
Sébastien Bourdeauducq
0c336f3dd7
nixbld: do not log refused connections
Happen all the time and spam the kernel log.
2024-09-30 14:40:09 +08:00
Sebastien Bourdeauducq
11181f0397
nixbld: flarum createDatabaseLocally no longer needed
https://github.com/NixOS/nixpkgs/pull/341340
2024-09-23 10:52:08 +08:00
Sebastien Bourdeauducq
aaf70f36df
nixops: remove user accounts
2024-09-13 13:23:15 +08:00
Sébastien Bourdeauducq
4a288abe2b
nixbld: keep automatic flarum DB migrations
2024-09-10 17:12:44 +08:00
Sébastien Bourdeauducq
246a375dfb
add remote IPsec settings
2024-09-05 14:36:37 +08:00
Sébastien Bourdeauducq
635f90f0c7
nixbld/flarum: use nix
2024-08-31 17:27:16 +08:00
Sébastien Bourdeauducq
8a187ba5b9
nixbld: SIT can take larger packets
2024-08-29 18:55:52 +08:00
Sébastien Bourdeauducq
9383227c5b
nixbld: consistent netif variables
2024-08-29 18:53:33 +08:00
Sébastien Bourdeauducq
233998b8f3
nixbld: work around tunnel bring-up race condition
2024-08-29 18:40:17 +08:00
Sébastien Bourdeauducq
90a6b84c09
nixbld: work around tunnel TCPMSS issues
2024-08-29 18:39:52 +08:00
Sébastien Bourdeauducq
23e1fa029a
nixbld: upgrade postgresql
2024-08-25 11:06:19 +08:00
Egor Savkin
75035b387e
Skip SPF for mails originating from intl
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-08-20 10:59:27 +08:00
Sébastien Bourdeauducq
4f48ea611a
nixops: remove wanglm user
2024-08-19 11:18:06 +08:00
Sébastien Bourdeauducq
6dc8214102
nixbld/backup: include gitea DB dump
2024-08-17 18:26:46 +08:00
Sébastien Bourdeauducq
a6b216bb87
nixbld/gitea: move to postgresql
2024-08-17 18:18:56 +08:00
Sébastien Bourdeauducq
6e21a95ba8
nixbld/named: add qnetp slave DNS for m-labs-intl.com
2024-08-15 19:52:42 +08:00
Sébastien Bourdeauducq
d08186a27a
nixbld/named: enable CAA for m-labs-intl.com
2024-08-14 11:52:25 +08:00
Sébastien Bourdeauducq
5d132565e6
nixbld/named: add hooks.m-labs-intl.com
2024-08-14 11:42:38 +08:00
Sébastien Bourdeauducq
97ca7ea3ce
nixbld: mail setup for m-labs-intl.com WIP
2024-08-14 11:38:19 +08:00
Sébastien Bourdeauducq
e24c167f8b
Revert "nixbld: block SAP spam"
Option seems to have no effect.
This reverts commit b769b47075.
2024-08-14 10:58:49 +08:00
Egor Savkin
18194be5c3
nixbld: deploy web2019 to the intl domain
Co-authored-by: Egor Savkin <es@m-labs.hk>
Co-committed-by: Egor Savkin <es@m-labs.hk>
2024-08-14 10:54:52 +08:00
Sébastien Bourdeauducq
7781d6236e
nixbld/rt: disable TCP
2024-08-11 12:19:15 +08:00
Sébastien Bourdeauducq
93e19c74e9
nixbld/rt: use psql peer authentication
2024-08-11 12:12:28 +08:00
Sébastien Bourdeauducq
4ccab3cf2b
nixbld: remove outdated DNS records
2024-08-05 19:13:34 +08:00