

20 Commits

Egor Savkin 8ff15e4aba Optimize new fw rules and tweak postfix
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:57:26 +08:00
Egor Savkin 7131a54bb6 Rebase and add intl interface to exceptions
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:55:28 +08:00
Egor Savkin bbfee50b53 Fix postfix settings so it should load successfully and accept and send messages through tunnel
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:55:28 +08:00
Egor Savkin 4c300688d9 Fix postfix settings so it should load successfully
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:55:28 +08:00
Egor Savkin 45b53991d1 Add virtual ips for the gre tunnel
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:55:28 +08:00
Egor Savkin 5a408bdb63 Return swan into the zoo
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:55:28 +08:00
Egor Savkin 2f1c794ac0 Use IPv6 for WG transport to decrease latency by 20%
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:55:28 +08:00
Egor Savkin 8068eb96b3 Ip rules instead of iptables tracking
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:55:28 +08:00
Egor Savkin 7b98b49fcd Apply tested client configuration
Adds an additional route but does not enforce it, so other applications behave as before while SMTP can use the tunnel for sending. Replies are also sent through the tunnel when the connection arrives on it.
Better have something tested and working before I start doing "perfect".

Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:55:28 +08:00
Egor Savkin 367d5a8c4c Use wireguard instead of strongswan since its in the kernel
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:55:27 +08:00
Egor Savkin 5fb951ba3c WIP: Use gre/ipsec instead of proxy
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:54:57 +08:00
Egor Savkin 6832725535 Use proxychains-ng instead of tsocks
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:53:44 +08:00
Egor Savkin 4c9dff8d95 Use tsocks to wrap socks and add sock transport type
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:53:44 +08:00
Egor Savkin f909cd71a3 Use wildcard instead of explicit specification
As in the example at https://www.postfix.org/transport.5.html

Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:53:44 +08:00
Egor Savkin 3959250f0b Use postfix options for routing mails through ssh tunnel
Signed-off-by: Egor Savkin <es@m-labs.hk>
2024-10-17 11:53:44 +08:00
Sébastien Bourdeauducq 476f5d1d6c nixbld: update to nextcloud 30 2024-10-16 11:33:07 +08:00
Sebastien Bourdeauducq ecf40fb2db nixbld: fix firewall issue with incoming USA tunnel connections 2024-10-15 21:27:43 +08:00
Sébastien Bourdeauducq 34102e66ad nixbld: install nextcloud forms app 2024-10-15 16:22:33 +08:00
Sébastien Bourdeauducq 93ae830468 nixbld: disable IPv6 MX for m-labs-intl.com 2024-10-14 14:23:15 +08:00
Sébastien Bourdeauducq 8af66556b9 nixbld: remove google fonts workaround 2024-10-11 17:27:10 +08:00
2 changed files with 30 additions and 10 deletions


@ -92,8 +92,16 @@ in
firewall = { firewall = {
allowedTCPPorts = [ 53 80 443 2222 7402 ]; allowedTCPPorts = [ 53 80 443 2222 7402 ];
allowedUDPPorts = [ 53 67 500 4500 ]; allowedUDPPorts = [ 53 67 500 4500 ];
trustedInterfaces = [ netifLan ]; trustedInterfaces = [ netifLan netifUSA ];
logRefusedConnections = false; logRefusedConnections = false;
extraCommands = ''
iptables -A INPUT -s 5.78.86.156 -p gre -j ACCEPT
iptables -A INPUT -s 5.78.86.156 -p ah -j ACCEPT
'';
extraStopCommands = ''
iptables -D INPUT -s 5.78.86.156 -p gre -j ACCEPT
iptables -D INPUT -s 5.78.86.156 -p ah -j ACCEPT
'';
}; };
useDHCP = false; useDHCP = false;
interfaces."${netifWan}".useDHCP = true; # PCCW - always wants active DHCP lease or cuts you off interfaces."${netifWan}".useDHCP = true; # PCCW - always wants active DHCP lease or cuts you off
@ -531,11 +539,6 @@ in
"/kasli/192.168.1.70" "/kasli/192.168.1.70"
"/kasli-customer/192.168.1.75" "/kasli-customer/192.168.1.75"
"/stabilizer-customer/192.168.1.76" "/stabilizer-customer/192.168.1.76"
# Google can't do DNS geolocation correctly and slows down websites of everyone using
# their shitty font cloud hosting. In HK, you sometimes get IPs behind the GFW that you
# cannot reach.
"/fonts.googleapis.com/142.250.207.74"
]; ];
dhcp-match = "set:ipxe,175"; # https://forum.ipxe.org/showthread.php?tid=6077 dhcp-match = "set:ipxe,175"; # https://forum.ipxe.org/showthread.php?tid=6077
@ -1257,8 +1260,25 @@ in
enablePop3 = true; enablePop3 = true;
enablePop3Ssl = true; enablePop3Ssl = true;
certificateScheme = "acme-nginx"; certificateScheme = "acme-nginx";
policydSPFExtraConfig = "skip_addresses = 5.78.86.156,2a01:4ff:1f0:83de::1";
} // (import /etc/nixos/secret/email_settings.nix); } // (import /etc/nixos/secret/email_settings.nix);
services.postfix = {
mapFiles.sender_transport = pkgs.writeText "sender_transport" ''
@m-labs-intl.com intltunnel:
'';
config = {
sender_dependent_default_transport_maps = "hash:/var/lib/postfix/conf/sender_transport";
};
masterConfig."intltunnel" = {
type = "unix";
command = "smtp";
args = [
"-o" "inet_interfaces=10.47.3.1"
"-o" "smtp_helo_name=mail.m-labs-intl.com"
"-o" "inet_protocols=ipv4"
];
};
};
services.roundcube = { services.roundcube = {
enable = true; enable = true;
hostName = "mail.m-labs.hk"; hostName = "mail.m-labs.hk";
@ -1271,7 +1291,8 @@ in
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
package = pkgs.nextcloud29; package = pkgs.nextcloud30;
extraApps = { inherit (config.services.nextcloud.package.packages.apps) forms; };
hostName = "files.m-labs.hk"; hostName = "files.m-labs.hk";
https = true; https = true;
maxUploadSize = "2G"; maxUploadSize = "2G";
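Review bot: Adding netifUSA to trustedInterfaces (the right-hand, presumably new, variant of that line in the first hunk) switches off input filtering for that interface entirely, so every listener bound to all addresses on this host becomes reachable from the far end of the tunnel, not only the ports in allowedTCPPorts/allowedUDPPorts. If the interface only needs to carry the inbound SMTP delivery the commit messages describe, the narrower form is `networking.firewall.interfaces."${netifUSA}".allowedTCPPorts = [ 25 ];` (adjusted to whatever ports the tunnel actually carries) rather than trusting the whole interface. This matters more if netifUSA is the GRE device rather than the WireGuard one, because the extraCommands rules accept GRE and AH purely by source address, which is not authenticated; which device netifUSA is cannot be seen in the hunk. The peer address 5.78.86.156 is also repeated literally in those rules and in policydSPFExtraConfig in the third hunk, so binding it once in the file's `let` block alongside netifUSA would keep the firewall and the SPF skip list in step.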


@ -1,7 +1,7 @@
$TTL 7200 $TTL 7200
@ SOA ns.m-labs-intl.com. sb.m-labs.hk. ( @ SOA ns.m-labs-intl.com. sb.m-labs.hk. (
2024081503 2024101401
7200 7200
3600 3600
86400 86400
@ -23,7 +23,6 @@ ns A 94.190.212.123
ns AAAA 2001:470:18:390::2 ns AAAA 2001:470:18:390::2
mail A 5.78.86.156 mail A 5.78.86.156
mail AAAA 2a01:4ff:1f0:83de::1
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB" mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
_dmarc TXT "v=DMARC1; p=none" _dmarc TXT "v=DMARC1; p=none"