Just allow access to inet
This commit is contained in:
parent
fd683bb7e6
commit
0e543134a8
113
mail-server.nix
113
mail-server.nix
@ -188,40 +188,41 @@ in {
};
};
};
};
xinetd = {
## No...these ports were already open
enable = true;
# xinetd = {
services = let
# enable = true;
genService = { name, port, protocols ? [ "tcp" ] }:
# services = let
map (protocol: {
# genService = { name, port, protocols ? [ "tcp" ] }:
inherit name;
# map (protocol: {
server = "/usr/bin/env";
# inherit name;
extraConfig = "redirect = 127.0.0.1 ${toString port}";
# server = "/usr/bin/env";
}) protocols;
# extraConfig = "redirect = 127.0.0.1 ${toString port}";
in concatMap genService [
# }) protocols;
{
# in concatMap genService [
name = "imap";
# {
port = 9143;
# name = "imap";
}
# port = 9143;
{
# }
name = "imaps";
# {
port = 9993;
# name = "imaps";
}
# port = 9993;
{
# }
name = "smtp";
# {
port = 9025;
# name = "smtp";
protocols = [ "tcp" "udp" ];
# port = 9025;
}
# protocols = [ "tcp" "udp" ];
{
# }
name = "submission";
# {
port = 9587;
# name = "submission";
protocols = [ "tcp" "udp" ];
# port = 9587;
}
# protocols = [ "tcp" "udp" ];
{
# }
name = "submissions";
# {
port = 9465;
# name = "submissions";
}
# port = 9465;
];
# }
};
# ];
# };
};
};
fudo.secrets.host-secrets."${hostname}" = {
fudo.secrets.host-secrets."${hostname}" = {
@ -259,10 +260,10 @@ in {
virtualisation.arion.projects.mail-server.settings = let
virtualisation.arion.projects.mail-server.settings = let
image = { pkgs, ... }: {
image = { pkgs, ... }: {
project.name = "mail-server";
project.name = "mail-server";
networks = {
# networks = {
external_network.internal = false;
# external_network.internal = false;
internal_network.internal = true;
# internal_network.internal = true;
};
# };
services = let
services = let
antivirusPort = 15407;
antivirusPort = 15407;
antispamPort = 11335;
antispamPort = 11335;
@ -275,11 +276,11 @@ in {
in {
in {
smtp = {
smtp = {
service = {
service = {
networks = [
# networks = [
"internal_network"
# "internal_network"
# Needs access to internet to forward emails
# # Needs access to internet to forward emails
"external_network"
# "external_network"
];
# ];
volumes = [
volumes = [
"${hostSecrets.dovecotLdapConfig.target-file}:/run/dovecot2/conf.d/ldap.conf:ro"
"${hostSecrets.dovecotLdapConfig.target-file}:/run/dovecot2/conf.d/ldap.conf:ro"
"${cfg.smtp.ssl-directory}:/run/certs/smtp"
"${cfg.smtp.ssl-directory}:/run/certs/smtp"
@ -338,7 +339,7 @@ in {
};
};
imap = {
imap = {
service = {
service = {
networks = [ "internal_network" ];
# networks = [ "internal_network" ];
ports = [ "9143:143" "9993:993" ];
ports = [ "9143:143" "9993:993" ];
volumes = [
volumes = [
"${cfg.state-directory}/dovecot:/state"
"${cfg.state-directory}/dovecot:/state"
@ -382,11 +383,11 @@ in {
ldap-proxy.service = {
ldap-proxy.service = {
image = cfg.images.ldap-proxy;
image = cfg.images.ldap-proxy;
restart = "always";
restart = "always";
networks = [
# networks = [
"internal_network"
# "internal_network"
# Needs access to external network for user lookups
# # Needs access to external network for user lookups
"external_network"
# "external_network"
];
# ];
env_file = [ hostSecrets.mailLdapProxyEnv.target-file ];
env_file = [ hostSecrets.mailLdapProxyEnv.target-file ];
};
};
antispam = {
antispam = {
@ -422,11 +423,11 @@ in {
};
};
antivirus = {
antivirus = {
service = {
service = {
networks = [
# networks = [
"internal_network"
# "internal_network"
# Needs external access for database updates
# # Needs external access for database updates
"external_network"
# "external_network"
];
# ];
volumes = [ "${cfg.state-directory}/antivirus:/state" ];
volumes = [ "${cfg.state-directory}/antivirus:/state" ];
};
};
nixos = {
nixos = {
@ -445,7 +446,7 @@ in {
};
};
dkim = {
dkim = {
service = {
service = {
networks = [ "internal_network" ];
# networks = [ "internal_network" ];
volumes = [ "${cfg.state-directory}/dkim:/state" ];
volumes = [ "${cfg.state-directory}/dkim:/state" ];
};
};
nixos = {
nixos = {
@ -466,7 +467,7 @@ in {
};
};
metrics-proxy = {
metrics-proxy = {
service = {
service = {
networks = [ "internal_network" ];
# networks = [ "internal_network" ];
ports = [ "${toString cfg.metrics-port}:80" ];
ports = [ "${toString cfg.metrics-port}:80" ];
depends_on = [ "smtp" "imap" "antispam" ];
depends_on = [ "smtp" "imap" "antispam" ];
};
};
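Review bot: Commenting out every `networks = [...]` list together with the `networks = { external_network ...; internal_network.internal = true; }` definition (hunks at -259, -275, -338, -382, -422, -445 and -466) removes the internal/external segmentation entirely, so dkim, imap and metrics-proxy, which were on `internal_network` only, presumably now share one default network with the internet-facing containers; the old layout already gave smtp, ldap-proxy and antivirus internet access through `external_network`, so the commit title's goal did not require dropping the split. If segmentation is meant to stay, keep `internal_network.internal = true;` and list `"external_network"` only on the services that need it; if it is being dropped deliberately, delete the old lists and the now-orphaned `# Needs access to …` rationale comments and record the decision in one comment, since git history preserves the previous code. The xinetd redirect block in the first hunk is likewise commented out rather than removed, and the note `## No...these ports were already open` does not say how the standard ports those redirects served are reached now, so a comment such as `# Mail ports are served directly by the containers; the xinetd redirects to 127.0.0.1:9xxx are no longer needed` would leave the new state documented.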