M-Labs/it-infra
M-Labs
/
it-infra
8
0
Fork 6
Code Issues 10 Pull Requests Releases Wiki Activity

Compare commits

base: M-Labs:8ff15e4abae390488a903a95219222ab27d95230
Branches Tags
M-Labs:master
..
compare: M-Labs:2ee23bc03ac0de6560a97952d01c47ae1bb0ef5e
Branches Tags
M-Labs:master

16 Commits
8ff15e4aba ... 2ee23bc03a

Author SHA1 Message Date
Egor Savkin 2ee23bc03a Optimize new fw rules and tweak postfix 
Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-15 17:41:28 +08:00
Egor Savkin 60903e955f Stop rejecting packages from the tunnel 
Appears that firewall rejects packages before they are getting unwrapped to GRE

Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-10 15:52:20 +08:00
Egor Savkin 4d7e836f07 Rebase and add intl interface to exceptions 
Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-09 11:15:31 +08:00
Egor Savkin e7570aa4ce Fix postfix settings so it should load successfully and accept and send messages through tunnel 
Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-09 11:08:12 +08:00
Egor Savkin eab2d70941 Fix postfix settings so it should load successfully 
Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-09 11:08:12 +08:00
Egor Savkin cbb077c441 Add virtual ips for the gre tunnel 
Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-09 11:08:12 +08:00
Egor Savkin 42b3d6ccf3 Return swan into the zoo 
Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-09 11:08:12 +08:00
Egor Savkin b1fb18a6c5 Use IPv6 for WG transport to decrease latency by 20% 
Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-09 11:08:12 +08:00
Egor Savkin 29352302be Ip rules instead of iptables tracking 
Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-09 11:08:12 +08:00
Egor Savkin 47e3d4cb88 Apply tested client configuration 
Adds an additional route, but doesn't enforce it so other apps will remain the same, but smtp can use tunnel for sending. Also sends replies through the tunnel if connection arrives on the tunnel.
Better have something tested and working before I start doing "perfect".

Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-09 11:08:12 +08:00
Egor Savkin 5066b8cb9e Use wireguard instead of strongswan since its in the kernel 
Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-09 11:08:12 +08:00
Egor Savkin 74ecfdb430 WIP: Use gre/ipsec instead of proxy 
Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-09 11:08:12 +08:00
Egor Savkin 8e5a45ac91 Use proxychains-ng instead of tsocks 
Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-09 11:08:12 +08:00
Egor Savkin ef4fd68829 Use tsocks to wrap socks and add sock transport type 
Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-09 11:08:12 +08:00
Egor Savkin cd2eac023e Use wildcard instead of explicit specification 
As in example at https://www.postfix.org/transport.5.html

Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-09 11:08:12 +08:00
Egor Savkin 05e3a47208 Use postfix options for routing mails through ssh tunnel 
Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-09 11:08:12 +08:00
2 changed files with 9 additions and 8 deletions
Show Stats Expand all files Collapse all files

15
nixbld-etc-nixos/configuration.nix
View File

@ -92,16 +92,12 @@ in
firewall = { firewall = {
allowedTCPPorts = [ 53 80 443 2222 7402 ]; allowedTCPPorts = [ 53 80 443 2222 7402 ];
allowedUDPPorts = [ 53 67 500 4500 ]; allowedUDPPorts = [ 53 67 500 4500 ];
trustedInterfaces = [ netifLan netifUSA ]; trustedInterfaces = [ netifLan ];
logRefusedConnections = false; logRefusedConnections = false;
extraCommands = '' extraCommands = ''
iptables -A INPUT -s 5.78.86.156 -p gre -j ACCEPT iptables -A INPUT -s 5.78.86.156 -p gre -j ACCEPT
iptables -A INPUT -s 5.78.86.156 -p ah -j ACCEPT iptables -A INPUT -s 5.78.86.156 -p ah -j ACCEPT
''; '';
extraStopCommands = ''
iptables -D INPUT -s 5.78.86.156 -p gre -j ACCEPT
iptables -D INPUT -s 5.78.86.156 -p ah -j ACCEPT
'';
}; };
useDHCP = false; useDHCP = false;
interfaces."${netifWan}".useDHCP = true; # PCCW - always wants active DHCP lease or cuts you off interfaces."${netifWan}".useDHCP = true; # PCCW - always wants active DHCP lease or cuts you off
@ -539,6 +535,11 @@ in
"/kasli/192.168.1.70" "/kasli/192.168.1.70"
"/kasli-customer/192.168.1.75" "/kasli-customer/192.168.1.75"
"/stabilizer-customer/192.168.1.76" "/stabilizer-customer/192.168.1.76"
# Google can't do DNS geolocation correctly and slows down websites of everyone using
# their shitty font cloud hosting. In HK, you sometimes get IPs behind the GFW that you
# cannot reach.
"/fonts.googleapis.com/142.250.207.74"
]; ];
dhcp-match = "set:ipxe,175"; # https://forum.ipxe.org/showthread.php?tid=6077 dhcp-match = "set:ipxe,175"; # https://forum.ipxe.org/showthread.php?tid=6077
@ -1264,6 +1265,7 @@ in
services.postfix = { services.postfix = {
mapFiles.sender_transport = pkgs.writeText "sender_transport" '' mapFiles.sender_transport = pkgs.writeText "sender_transport" ''
@m-labs-intl.com intltunnel: @m-labs-intl.com intltunnel:
* :
''; '';
config = { config = {
sender_dependent_default_transport_maps = "hash:/var/lib/postfix/conf/sender_transport"; sender_dependent_default_transport_maps = "hash:/var/lib/postfix/conf/sender_transport";
@ -1291,8 +1293,7 @@ in
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
package = pkgs.nextcloud30; package = pkgs.nextcloud29;
extraApps = { inherit (config.services.nextcloud.package.packages.apps) forms; };
hostName = "files.m-labs.hk"; hostName = "files.m-labs.hk";
https = true; https = true;
maxUploadSize = "2G"; maxUploadSize = "2G";

2
nixbld-etc-nixos/named/m-labs-intl.com
View File

@ -1,7 +1,7 @@
$TTL 7200 $TTL 7200
@ SOA ns.m-labs-intl.com. sb.m-labs.hk. ( @ SOA ns.m-labs-intl.com. sb.m-labs.hk. (
2024101401 2024081503
7200 7200
3600 3600
86400 86400