Use IPv6 for WG transport to decrease latency by 20%

Signed-off-by: Egor Savkin <es@m-labs.hk>

nixbld-etc-nixos/configuration.nix

@@ -90,7 +90,7 @@ in
     hostId = "e423f012";
     firewall = {
       allowedTCPPorts = [ 53 80 443 2222 7402 ];
-      allowedUDPPorts = [ 53 67 500 4500 ];
+      allowedUDPPorts = [ 53 67 500 4500 51820 ];
       trustedInterfaces = [ netifLan ];
     };
     useDHCP = false;
@@ -246,6 +246,30 @@ in
         }
       ];
     };
+    wireguard.interfaces = {
+      intl0 = {
+        ips = [ "10.42.0.2/30" ];
+        listenPort = 51820;
+        privateKeyFile = "/path/to/private/key"; # just `wg-quick genkey > /path/to/private/key`
+        postUp = ''
+          ${pkgs.iproute2}/bin/ip rule add from 10.42.0.0/30 lookup 51820
+          ${pkgs.iproute2}/bin/ip route add default via 10.42.0.1 dev intl0 table 51820
+        '';
+        preDown = ''
+          ${pkgs.iproute2}/bin/ip rule del from 10.42.0.0/30 lookup 51820
+          ${pkgs.iproute2}/bin/ip route del default via 10.42.0.1 dev intl0 table 51820
+        '';
+        peers = [
+          {
+            publicKey = "4RozbGZ9ENCjvJXGMB5aK1oqyZfD4UCarEHjSckwVGI=";
+            allowedIPs = [ "0.0.0.0/0" ];
+            allowedIPsAsRoutes = false;
+            endpoint = "2a01:4ff:1f0:83de::1:51820";
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
   };
   boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = "1";
   boot.kernel.sysctl."net.ipv6.conf.default.forwarding" = "1";
@@ -1179,6 +1203,18 @@ in
     };
   };
 
+  environment.etc."postfix/sender_relay".text = ''
+      m-labs-intl.com smtptun:
+      * :
+  '';
+  systemd.services.postfix-rebuild-sender-relay = {
+      description = "Postfix Rebuild Sender Dependent Relayhost Maps";
+      serviceConfig = {
+        ExecStart = "${pkgs.postfix}/sbin/postmap /etc/postfix/sender_relay";
+      };
+      wantedBy = [ "multi-user.target" ];
+  };
+
   mailserver = {
     enable = true;
     localDnsResolver = false;  # conflicts with dnsmasq
@@ -1187,8 +1223,17 @@ in
     enablePop3 = true;
     enablePop3Ssl = true;
     certificateScheme = "acme-nginx";
-    policydSPFExtraConfig = "skip_addresses = 5.78.86.156,2a01:4ff:1f0:83de::1";
   } // (import /etc/nixos/secret/email_settings.nix);
+  services.postfix = {
+    config = {
+      sender_dependent_relayhost_maps = "hash:/etc/postfix/sender_relay";
+      masterConfig.smtptun = {
+        type = "smtp";
+        command = "smtp";
+        args = "-o smtp_bind_address=10.42.0.2";
+      };
+    };
+  };
   services.roundcube = {
     enable = true;
     hostName = "mail.m-labs.hk";

nixbld-etc-nixos/named/m-labs-intl.com

@@ -23,7 +23,6 @@ ns						A		94.190.212.123
 ns						AAAA	2001:470:18:390::2
 
 mail					A		5.78.86.156
-mail					AAAA	2a01:4ff:1f0:83de::1
 mail._domainkey			IN	TXT	"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
 _dmarc					TXT		"v=DMARC1; p=none"