M-Labs/it-infra
M-Labs
/
it-infra
8
0
Fork 6
Code Issues 10 Pull Requests Releases Wiki Activity

Compare commits

base: M-Labs:b3c97d0fb55c790355074a560f8946053cacfec6
Branches Tags
M-Labs:master
...
compare: M-Labs:451328c28b097047a09f59048a01ef04a05313dd
Branches Tags
M-Labs:master

16 Commits
b3c97d0fb5 ... 451328c28b

Author SHA1 Message Date
Egor Savkin 451328c28b Add virtual ips for the gre tunnel 
Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-04 15:25:52 +08:00
Egor Savkin 91260e8ec5 Return swan into the zoo 
Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-04 15:25:52 +08:00
Egor Savkin 291d5c1ee3 Use IPv6 for WG transport to decrease latency by 20% 
Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-04 15:25:52 +08:00
Egor Savkin 67c1f49478 Ip rules instead of iptables tracking 
Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-04 15:25:52 +08:00
Egor Savkin 2949d444bc Apply tested client configuration 
Adds an additional route, but doesn't enforce it so other apps will remain the same, but smtp can use tunnel for sending. Also sends replies through the tunnel if connection arrives on the tunnel.
Better have something tested and working before I start doing "perfect".

Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-04 15:25:52 +08:00
Egor Savkin 7a378cacad Use wireguard instead of strongswan since its in the kernel 
Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-04 15:25:52 +08:00
Egor Savkin ec259b1789 WIP: Use gre/ipsec instead of proxy 
Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-04 15:25:52 +08:00
Egor Savkin 10bbd4f55d Use proxychains-ng instead of tsocks 
Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-04 15:25:52 +08:00
Egor Savkin 355c69f1b0 Use tsocks to wrap socks and add sock transport type 
Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-04 15:25:52 +08:00
Egor Savkin 2ea87d3d1b Use wildcard instead of explicit specification 
As in example at https://www.postfix.org/transport.5.html

Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-04 15:25:52 +08:00
Egor Savkin d1dbdca0cb Use postfix options for routing mails through ssh tunnel 
Signed-off-by: Egor Savkin <es@m-labs.hk>
 2024-10-04 15:25:52 +08:00
Sébastien Bourdeauducq ec53c0cbdd nixbld: add eduardotenholder user 2024-10-02 18:41:45 +08:00
Sébastien Bourdeauducq 0258f5cff4 nixbld: reorganize users (NFC) 2024-10-02 18:40:48 +08:00
Sébastien Bourdeauducq b723b7f8c0 nixbld: clean up/update systemPackages 2024-09-30 15:12:01 +08:00
Sébastien Bourdeauducq 0c336f3dd7 nixbld: do not log refused connections 
Happen all the time and spam the kernel log.
 2024-09-30 14:40:09 +08:00
Sebastien Bourdeauducq 11181f0397 nixbld: flarum createDatabaseLocally no longer needed 
https://github.com/NixOS/nixpkgs/pull/341340
 2024-09-23 10:52:08 +08:00
2 changed files with 123 additions and 22 deletions
Show Stats Expand all files Collapse all files

142
nixbld-etc-nixos/configuration.nix
View File

@ -92,6 +92,7 @@ in
allowedTCPPorts = [ 53 80 443 2222 7402 ];
allowedUDPPorts = [ 53 67 500 4500 ];
trustedInterfaces = [ netifLan ];
logRefusedConnections = false;
};
useDHCP = false;
interfaces."${netifWan}".useDHCP = true; # PCCW - always wants active DHCP lease or cuts you off
@ -227,6 +228,29 @@ in
}
];
};
greTunnels.intl0 = {
dev = netifWan;
remote = "5.78.16.0";
local = "94.190.212.123";
ttl = 255;
type = "tun";
};
interfaces.intl0 = {
ipv4.addresses = [
{
address = "10.47.3.2";
prefixLength = 30;
}
];
ipv4.routes = [
{
address = "0.0.0.0";
prefixLength = 0;
via = "10.47.3.0";
options.table = "3";
}
];
};
vlans = {
"${netifAltVlan}" = {
id = 2;
@ -279,6 +303,27 @@ in
after = [ "network-addresses-${netifAlt}.service" ];
requires = [ "network-addresses-${netifAlt}.service" ];
};
services.strongswan-swanctl.swanctl.connections.intl = {
local_addrs = [ "94.190.212.123" ];
remote_addrs = [ "5.78.16.0" ];
local.main = {
auth = "pubkey";
id = "fqdn:m-labs.hk";
pubkeys = [ "/etc/swanctl/pubkey/m-labs.hk" ];
};
remote.main = {
auth = "pubkey";
id = "fqdn:m-labs-intl.com";
pubkeys = [ "/etc/swanctl/pubkey/m-labs-intl.com" ];
};
children.intl0 = {
mode = "transport";
ah_proposals = [ "sha256-curve25519" ];
remote_ts = [ "5.78.16.0[gre]" ];
local_ts = [ "94.190.212.123[gre]" ];
start_action = "start";
};
};
systemd.services.network-custom-route-backup = {
wantedBy = [ "network.target" ];
@ -298,6 +343,15 @@ in
ExecStop = "${pkgs.iproute2}/bin/ip rule del table 1";
};
};
systemd.services.network-custom-route-intl = {
wantedBy = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.iproute2}/bin/ip rule add from 10.47.3.0/30 table 3";
ExecStop = "${pkgs.iproute2}/bin/ip rule del table 3";
};
};
# https://kb.isc.org/docs/dnssec-key-and-signing-policy
# chown named.named /etc/nixos/named
@ -511,10 +565,23 @@ in
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
wget vim git file lm_sensors acpi pciutils psmisc nixops_unstable_minimal
irssi tmux usbutils imagemagick jq zip unzip
lm_sensors
acpi
usbutils
pciutils
iw
nvme-cli
smartmontools
psmisc
wget
vim
git
file
imagemagick
jq
nixops_unstable_minimal
borgbackup
bind
waypipe
@ -544,6 +611,7 @@ in
services.openssh.settings.X11Forwarding = true;
services.openssh.authorizedKeysInHomedir = false;
programs.mosh.enable = true;
programs.tmux.enable = true;
programs.fish.enable = true;
programs.zsh.enable = true;
@ -594,6 +662,7 @@ in
# https://github.com/NixOS/nixpkgs/issues/155357
security.sudo.enable = true;
# M-Labs HK
users.extraUsers.sb = {
isNormalUser = true;
extraGroups = ["lp" "scanner" "afws" "audio"];
@ -603,22 +672,6 @@ in
];
shell = pkgs.fish;
};
users.extraUsers.rj = {
isNormalUser = true;
extraGroups = ["afws"];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC27krR8G8Pb59YuYm7+X2mmNnVdk/t9myYgO8LH0zfb2MeeXX5+90nW9kMjKflJss/oLl8dkD85jbJ0fRbRkfJd20pGCqCUuYAbYKkowigFVEkbrbWSLkmf+clRjzJOuBuUA0uq0XKS17uMC3qhu+dDdBOAIKb3L83NfVE8p8Pjb4BPktQrdxefM43/x4jTMuc7tgxVmTOEge3+rmVPK2GnLkUBgBn8b6S+9ElPd63HXI5J5f61v21l5N9V0mhTu1pv6PiDRdFIlFDK9dLVZcZ2qlzpKmCnFrOoreBEgre44SpfFe5/MMItxvWiVsj/rij/rHZZiol1k7JiQCnEHeCCbjjvcBBka5HxZgcb3vBZVceTOawrmjbdbA2dq35sUptz/bEgdZ1UVCmVpWsdROAlEDBmSSbcVwxzcvhoKnkpbuP4Q0V3tVKSLW053ADFNB4frtwY5nAZfsVErFLLphjwb8nlyJoDRNapQrn5syEiW0ligX2AAskZTYIl2A5AYyWPrmX6HJOPqZGatMU3qQiRMxs+hFqhyyCmBgl0kcsgW09MBKtJWk1Fbii98MHqgRUN9R7AUiYy5p78Pnv9DC8DT8Ubl9zoP0g5d40P9NGK2LAhMxLXvtckJ4ERqbSEcNZJw+q4jBrOHnMTz+NLdAUiEtru+6T2OdhaHv+eiNlFQ== robert-jordens-rsa4096"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUdbne3NtIG+iy/jer76/OY+IksuS3BDLSXPnWrGejWnig9h+L6sUV0lEVI6dqp+W/b8jWqPB8nh5S0NZsCd3Ta3Go82k/SPPkh9lB2PpfquhCjLnmC/RNc3TgC4FuiS+NZHqXaTggYHubNwEK+8gynMqkMQXjOGU02U0CtUfsYdAm75AW60DySZCRNwOcU0Ndpn1UCpha7fL1k179Dd/OtArkYsIL24ohlfxFeOB3jGYQK6ATmzbvCRjwIKXcyECuajWwfnDg9FtDWrqHNzu5dJlvmxoWm8zCDgMj53uiA7TjujQN81MYrIJNeEwSr5jXQMqzA3mzlk4k3Z0qs3TP robert-jordens-64FEFBAF-4D0749B2-rsa2048"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUaB2G1jexxfkdlly3fdWslH54/s/bOuvk9AxqpjtAY robert-jordens-ed25519"
];
};
users.extraUsers.nkrackow = {
isNormalUser = true;
extraGroups = ["afws"];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBNsAtZdp0BMvw0rRpMDgJ0V9hqB/BVSyhZ3m8LEx0im939ya6Urmlz3x7+RilD1LMl/p4B1Yxt+z/w7J5NB7unTYlKigJr/s9aH/0IKCFRvO5Omw88k3tWCCRA9KbbXAh0OE/Kli09rrgRuB6++c+XBZ4IvFvohfML0eAjdofn6ePnLWt+R/RNvNjmSb5y7rSIbJ9t+B7O1QOr7u+1GgZEexhG79o52I4rsrgyhUJOK4FbDGPnIkFYFeB2alijzbM1bAu9GR6BD4HBoqeW+DF7tUZs8GYtJsBX8rMnzuR3t8pM7RcGjY5IHQM9MM5WpHokJCFNSSzrvFgbK7CBFklOtipo1H1fwOuDuT3sCE3/ZTK5UgfKGdsb+vsvZub7KBNXfgru2webpl/rLcDJpn3eSDX/ZMGXVV8zskteQHtakra52bc2IeFaPiE1V+WeUB/LpIvRWG+Eh1VEgbUcjoVkaIBu6tQflW7US3uCGYan9Hw80MkwxAmqY1pogAJgzxsYbqdcNb8Xrra6LYFeMD8HXKdW9sXh7mzxDwwkzqjXCKPavWPT7ujicTRlJC6TfmZTdZUPh2mjvzUZI9ZPr50hkV0EAdERn57HwPGMlHiOCntPI/Jw3XmZXIOxChkyss5YFF5mWIzYOp5YxWBlWusNpnMeZCk2ncJmdXcAd6GzQ=="
];
};
users.extraUsers.spaqin = {
isNormalUser = true;
extraGroups = ["lp" "afws"];
@ -640,6 +693,8 @@ in
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBDXMbJEPn0mM2Bgt6eMAd+c0J5oPSvquZG+BxKdUf0qbeQldRaoB26NHMZnLte/fS00U/cqStLWDiwtEvH5WlbbawsMBymm65zbWMByebXhBDjdr6a1kkOFcKJvAL9qVBQ=="
];
};
# M-Labs PH
users.extraUsers.flo = {
isNormalUser = true;
extraGroups = ["afws"];
@ -647,6 +702,33 @@ in
"ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF4ZYNBYqJPQCKBYjMatFj5eGMyzh/X2TSraJEG6XBdg3jnJ3WcsOd7sm+vx+o9Y1EJ2kvwW/Vy9c3OYVU2U45njox//sKtt8Eyzszws3EYJqHQ6KAwXtW9ao4aamRtK3Q=="
];
};
# QUARTIQ
users.extraUsers.rj = {
isNormalUser = true;
extraGroups = ["afws"];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC27krR8G8Pb59YuYm7+X2mmNnVdk/t9myYgO8LH0zfb2MeeXX5+90nW9kMjKflJss/oLl8dkD85jbJ0fRbRkfJd20pGCqCUuYAbYKkowigFVEkbrbWSLkmf+clRjzJOuBuUA0uq0XKS17uMC3qhu+dDdBOAIKb3L83NfVE8p8Pjb4BPktQrdxefM43/x4jTMuc7tgxVmTOEge3+rmVPK2GnLkUBgBn8b6S+9ElPd63HXI5J5f61v21l5N9V0mhTu1pv6PiDRdFIlFDK9dLVZcZ2qlzpKmCnFrOoreBEgre44SpfFe5/MMItxvWiVsj/rij/rHZZiol1k7JiQCnEHeCCbjjvcBBka5HxZgcb3vBZVceTOawrmjbdbA2dq35sUptz/bEgdZ1UVCmVpWsdROAlEDBmSSbcVwxzcvhoKnkpbuP4Q0V3tVKSLW053ADFNB4frtwY5nAZfsVErFLLphjwb8nlyJoDRNapQrn5syEiW0ligX2AAskZTYIl2A5AYyWPrmX6HJOPqZGatMU3qQiRMxs+hFqhyyCmBgl0kcsgW09MBKtJWk1Fbii98MHqgRUN9R7AUiYy5p78Pnv9DC8DT8Ubl9zoP0g5d40P9NGK2LAhMxLXvtckJ4ERqbSEcNZJw+q4jBrOHnMTz+NLdAUiEtru+6T2OdhaHv+eiNlFQ== robert-jordens-rsa4096"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUdbne3NtIG+iy/jer76/OY+IksuS3BDLSXPnWrGejWnig9h+L6sUV0lEVI6dqp+W/b8jWqPB8nh5S0NZsCd3Ta3Go82k/SPPkh9lB2PpfquhCjLnmC/RNc3TgC4FuiS+NZHqXaTggYHubNwEK+8gynMqkMQXjOGU02U0CtUfsYdAm75AW60DySZCRNwOcU0Ndpn1UCpha7fL1k179Dd/OtArkYsIL24ohlfxFeOB3jGYQK6ATmzbvCRjwIKXcyECuajWwfnDg9FtDWrqHNzu5dJlvmxoWm8zCDgMj53uiA7TjujQN81MYrIJNeEwSr5jXQMqzA3mzlk4k3Z0qs3TP robert-jordens-64FEFBAF-4D0749B2-rsa2048"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUaB2G1jexxfkdlly3fdWslH54/s/bOuvk9AxqpjtAY robert-jordens-ed25519"
];
};
users.extraUsers.nkrackow = {
isNormalUser = true;
extraGroups = ["afws"];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBNsAtZdp0BMvw0rRpMDgJ0V9hqB/BVSyhZ3m8LEx0im939ya6Urmlz3x7+RilD1LMl/p4B1Yxt+z/w7J5NB7unTYlKigJr/s9aH/0IKCFRvO5Omw88k3tWCCRA9KbbXAh0OE/Kli09rrgRuB6++c+XBZ4IvFvohfML0eAjdofn6ePnLWt+R/RNvNjmSb5y7rSIbJ9t+B7O1QOr7u+1GgZEexhG79o52I4rsrgyhUJOK4FbDGPnIkFYFeB2alijzbM1bAu9GR6BD4HBoqeW+DF7tUZs8GYtJsBX8rMnzuR3t8pM7RcGjY5IHQM9MM5WpHokJCFNSSzrvFgbK7CBFklOtipo1H1fwOuDuT3sCE3/ZTK5UgfKGdsb+vsvZub7KBNXfgru2webpl/rLcDJpn3eSDX/ZMGXVV8zskteQHtakra52bc2IeFaPiE1V+WeUB/LpIvRWG+Eh1VEgbUcjoVkaIBu6tQflW7US3uCGYan9Hw80MkwxAmqY1pogAJgzxsYbqdcNb8Xrra6LYFeMD8HXKdW9sXh7mzxDwwkzqjXCKPavWPT7ujicTRlJC6TfmZTdZUPh2mjvzUZI9ZPr50hkV0EAdERn57HwPGMlHiOCntPI/Jw3XmZXIOxChkyss5YFF5mWIzYOp5YxWBlWusNpnMeZCk2ncJmdXcAd6GzQ=="
];
};
users.extraUsers.eduardotenholder = {
isNormalUser = true;
extraGroups = ["afws"];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIu6yhjCoZ62eamYrAXtFefDhplTRUIdD4tncwlkyAEH"
];
};
# HKUST
users.extraUsers.derppening = {
isNormalUser = true;
openssh.authorizedKeys.keys = [
@ -1150,7 +1232,6 @@ in
enable = true;
package = pkgs.callPackage ./flarum {};
domain = "forum.m-labs.hk";
createDatabaseLocally = true;
};
services.rt = {
@ -1179,6 +1260,18 @@ in
};
};
environment.etc."postfix/sender_relay".text = ''
m-labs-intl.com smtptun:
* :
'';
systemd.services.postfix-rebuild-sender-relay = {
description = "Postfix Rebuild Sender Dependent Relayhost Maps";
serviceConfig = {
ExecStart = "${pkgs.postfix}/sbin/postmap /etc/postfix/sender_relay";
};
wantedBy = [ "multi-user.target" ];
};
mailserver = {
enable = true;
localDnsResolver = false; # conflicts with dnsmasq
@ -1187,8 +1280,17 @@ in
enablePop3 = true;
enablePop3Ssl = true;
certificateScheme = "acme-nginx";
policydSPFExtraConfig = "skip_addresses = 5.78.86.156,2a01:4ff:1f0:83de::1";
} // (import /etc/nixos/secret/email_settings.nix);
services.postfix = {
config = {
sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay";
masterConfig.smtptun = {
type = "smtp";
command = "smtp";
args = "-o smtp_bind_address=10.47.3.2";
};
};
};
services.roundcube = {
enable = true;
hostName = "mail.m-labs.hk";

3
nixbld-etc-nixos/named/m-labs-intl.com
View File

@ -22,8 +22,7 @@ $TTL 7200
ns A 94.190.212.123
ns AAAA 2001:470:18:390::2
mail A 5.78.86.156
mail AAAA 2a01:4ff:1f0:83de::1
mail A 5.78.16.0
mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
_dmarc TXT "v=DMARC1; p=none"