WIP: Use gre/ipsec instead of proxy

Signed-off-by: Egor Savkin <es@m-labs.hk>

nixbld-etc-nixos/configuration.nix

@@ -6,6 +6,8 @@ let
   netifLan = "enp5s0f1";
   netifWifi = "wlp6s0";
   netifSit = "henet0";
+  netifAlt = "alt0";
+  netifAltVlan = "vlan0";
   hydraWwwOutputs = "/var/www/hydra-outputs";
 in
 {
@@ -176,11 +178,20 @@ in
         iptables -w -A block-insecure-devices -m mac --mac-source d8:9c:67:ab:83:e7 -j DROP  # HP printer, wifi
         iptables -w -A block-insecure-devices -m mac --mac-source f4:39:09:f7:3c:d7 -j DROP  # HP printer, ethernet
         iptables -w -A FORWARD -j block-insecure-devices
+
+        iptables -w -N pccw-sucks
+        iptables -A pccw-sucks -o ${netifSit} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1440
+        iptables -A pccw-sucks -o ${netifAlt} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
+        iptables -w -A FORWARD -j pccw-sucks
       '';
       extraStopCommands = ''
         iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
         iptables -w -F block-insecure-devices 2>/dev/null|| true
         iptables -w -X block-insecure-devices 2>/dev/null|| true
+
+        iptables -w -D FORWARD -j pccw-sucks 2>/dev/null|| true
+        iptables -w -F pccw-sucks 2>/dev/null|| true
+        iptables -w -X pccw-sucks 2>/dev/null|| true
       '';
     };
     sits."${netifSit}" = {
@@ -193,14 +204,14 @@ in
       addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
       routes = [{ address = "::"; prefixLength = 0; }];
     };
-    greTunnels.alt0 = {
+    greTunnels."${netifAlt}" = {
       dev = netifWan;
       remote = "103.206.98.1";
       local = "94.190.212.123";
       ttl = 255;
       type = "tun";
     };
-    interfaces.alt0 = {
+    interfaces."${netifAlt}" = {
       ipv4.addresses = [
         {
           address = "103.206.98.227";
@@ -218,7 +229,7 @@ in
     };
     greTunnels.intl0 = {
       dev = netifWan;
-      remote = "5.78.86.156";
+      remote = "5.78.16.0";
       local = "94.190.212.123";
       ttl = 255;
       type = "tun";
@@ -226,7 +237,7 @@ in
     interfaces.intl0 = {
       ipv4.addresses = [
         {
-          address = "5.78.86.156";
+          address = "5.78.16.0";
           prefixLength = 32;
         }
       ];
@@ -234,18 +245,18 @@ in
         {
           address = "0.0.0.0";
           prefixLength = 0;
-          via = "5.78.86.156";
+          via = "5.78.16.0";
           options.table = "3";
         }
       ];
     };
     vlans = {
-      vlan0 = {
+      "${netifAltVlan}" = {
         id = 2;
         interface = netifLan;
       };
     };
-    interfaces.vlan0 = {
+    interfaces."${netifAltVlan}" = {
       ipv4.addresses = [{
         address = "103.206.98.200";
         prefixLength = 29;
@@ -278,7 +289,7 @@ in
       id = "fqdn:igw0.hkg.as150788.net";
       pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ];
     };
-    children.alt0 = {
+    children."${netifAlt}" = {
       mode = "transport";
       ah_proposals = [ "sha256-curve25519" ];
       remote_ts = [ "103.206.98.1[gre]" ];
@@ -286,9 +297,14 @@ in
       start_action = "start";
     };
   };
+  # prevent race condition similar to https://github.com/NixOS/nixpkgs/issues/27070
+  systemd.services.strongswan-swanctl = {
+    after = [ "network-addresses-${netifAlt}.service" ];
+    requires = [ "network-addresses-${netifAlt}.service" ];
+  };
   services.strongswan-swanctl.swanctl.connections.intl = {
     local_addrs = [ "94.190.212.123" ];
-    remote_addrs = [ "5.78.86.156" ];
+    remote_addrs = [ "5.78.16.0" ];
     local.main = {
       auth = "pubkey";
       id = "fqdn:m-labs.hk";
@@ -302,7 +318,7 @@ in
     children.intl0 = {
       mode = "transport";
       ah_proposals = [ "sha256-curve25519" ];
-      remote_ts = [ "5.78.86.156[gre]" ];
+      remote_ts = [ "5.78.16.0[gre]" ];
       local_ts = [ "94.190.212.123[gre]" ];
       start_action = "start";
     };
@@ -331,7 +347,7 @@ in
     serviceConfig = {
       Type = "oneshot";
       RemainAfterExit = true;
-      ExecStart = "${pkgs.iproute2}/bin/ip rule add from 5.78.86.156/32 table 3";
+      ExecStart = "${pkgs.iproute2}/bin/ip rule add from 5.78.16.0/32 table 3";
       ExecStop = "${pkgs.iproute2}/bin/ip rule del table 3";
     };
   };
@@ -887,7 +903,7 @@ in
   };
 
   services.postgresql = {
-    package = pkgs.postgresql_12;
+    package = pkgs.postgresql_15;
     settings.listen_addresses = pkgs.lib.mkForce "";
     identMap =
       ''
@@ -1105,15 +1121,6 @@ in
       "forum.m-labs.hk" = {
         forceSSL = true;
         enableACME = true;
-        root = "/var/www/flarum/public";
-        locations."~ \.php$".extraConfig = ''
-          fastcgi_pass unix:${config.services.phpfpm.pools.flarum.socket};
-          fastcgi_index index.php;
-        '';
-        extraConfig = ''
-          index index.php;
-          include /var/www/flarum/.nginx.conf;
-        '';
       };
       "perso.m-labs.hk" = {
         addSSL = true;
@@ -1185,23 +1192,17 @@ in
       };
     };
   };
+
   services.mysql = {
     enable = true;
-    package = pkgs.mariadb;
-  };
-  services.phpfpm.pools.flarum = {
-    user = "nobody";
-    settings = {
-      "listen.owner" = "nginx";
-      "listen.group" = "nginx";
-      "listen.mode" = "0600";
-      "pm" = "dynamic";
-      "pm.max_children" = 5;
-      "pm.start_servers" = 2;
-      "pm.min_spare_servers" = 1;
-      "pm.max_spare_servers" = 3;
-      "pm.max_requests" = 500;
+    package = pkgs.lib.mkForce pkgs.mariadb;
+    ensureDatabases = pkgs.lib.mkForce [];
+    ensureUsers = pkgs.lib.mkForce [];
   };
+  services.flarum = {
+    enable = true;
+    package = pkgs.callPackage ./flarum {};
+    domain = "forum.m-labs.hk";
   };
 
   services.rt = {
@@ -1257,7 +1258,7 @@ in
       masterConfig.smtptun = {
         type = "smtp";
         command = "smtp";
-        args = "-o smtp_bind_address=5.78.86.156";
+        args = "-o smtp_bind_address=5.78.16.0";
       };
     };
   };

nixbld-etc-nixos/flarum/default.nix

@@ -0,0 +1,39 @@
+{
+  lib,
+  php,
+  fetchFromGitHub,
+  fetchpatch,
+}:
+
+php.buildComposerProject (finalAttrs: {
+  pname = "flarum";
+  version = "1.8.1";
+
+  src = fetchFromGitHub {
+    owner = "flarum";
+    repo = "flarum";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-kigUZpiHTM24XSz33VQYdeulG1YI5s/M02V7xue72VM=";
+  };
+
+  patches = [
+    # Add useful extensions from https://github.com/FriendsOfFlarum
+    # Extensions included: fof/upload, fof/polls, fof/subscribed
+    ./fof-extensions.patch
+  ];
+
+  composerLock = ./composer.lock;
+  composerStrictValidation = false;
+  vendorHash = "sha256-z3KVGmILw8MZ4aaSf6IP/0l16LI/Y2yMzY2KMHf4qSg=";
+
+  meta = with lib; {
+    changelog = "https://github.com/flarum/framework/blob/main/CHANGELOG.md";
+    description = "Flarum is a delightfully simple discussion platform for your website";
+    homepage = "https://github.com/flarum/flarum";
+    license = lib.licenses.mit;
+    maintainers = with maintainers; [
+      fsagbuya
+      jasonodoom
+    ];
+  };
+})

nixbld-etc-nixos/flarum/fof-extensions.patch

@@ -0,0 +1,16 @@
+diff --git a/composer.json b/composer.json
+index c63b5f8..5ad1186 100644
+--- a/composer.json
++++ b/composer.json
+@@ -37,7 +37,10 @@
+         "flarum/sticky": "*",
+         "flarum/subscriptions": "*",
+         "flarum/suspend": "*",
+-        "flarum/tags": "*"
++        "flarum/tags": "*",
++        "fof/polls": "*",
++        "fof/subscribed": "*",
++        "fof/upload": "*"
+     },
+     "config": {
+         "preferred-install": "dist",

nixbld-etc-nixos/named/m-labs-intl.com

@@ -22,8 +22,7 @@ $TTL 7200
 ns						A		94.190.212.123
 ns						AAAA	2001:470:18:390::2
 
-mail					A		5.78.86.156
-mail					AAAA	2a01:4ff:1f0:83de::1
+mail					A		5.78.16.0
 mail._domainkey			IN	TXT	"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
 _dmarc					TXT		"v=DMARC1; p=none"