From 2873640cbf34cd180878f941a19f6c2e3ffd53f6 Mon Sep 17 00:00:00 2001
From: Alexander Kobjolke
Date: Fri, 19 Jan 2024 19:36:33 +0100
Subject: [PATCH 1/4] thrall: Upgrade postfix to prevent SMTP smuggling
---
 flake.lock | 33 ++++++++++++++++-------
 flake.nix | 77 +++++++++++++++++++++++++++++-------------------------
 2 files changed, 64 insertions(+), 46 deletions(-)
diff --git a/flake.lock b/flake.lock
index bf57302..7609277 100644
--- a/flake.lock
+++ b/flake.lock
@@ -279,6 +279,21 @@
 "type": "indirect"
 }
 },
+ "nixpkgs-23_05": {
+ "locked": {
+ "lastModified": 1704290814,
+ "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "ref": "nixos-23.05",
+ "type": "indirect"
+ }
+ },
 "nixpkgs-droid": {
 "locked": {
 "lastModified": 1702350026,
@@ -329,11 +344,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1702312524,
- "narHash": "sha256-gkZJRDBUCpTPBvQk25G0B7vfbpEYM5s5OZqghkjZsnE=",
+ "lastModified": 1705316053,
+ "narHash": "sha256-J2Ey5mPFT8gdfL2XC0JTZvKaBw/b2pnyudEXFvl+dQM=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "a9bf124c46ef298113270b1f84a164865987a91c",
+ "rev": "c3e128f3c0ecc1fb04aef9f72b3dcc2f6cecf370",
 "type": "github"
 },
 "original": {
@@ -425,22 +440,20 @@
 "flake-compat": "flake-compat",
 "nixpkgs": "nixpkgs_2",
 "nixpkgs-22_11": "nixpkgs-22_11",
- "nixpkgs-23_05": [
- "nixpkgs"
- ],
+ "nixpkgs-23_05": "nixpkgs-23_05",
 "utils": "utils_2"
 },
 "locked": {
- "lastModified": 1687462267,
- "narHash": "sha256-rNSputjn/0HEHHnsKfQ8mQVEPVchcBw7DsbND7Wg8dk=",
+ "lastModified": 1703666786,
+ "narHash": "sha256-SLPNpM/rI8XPyVJAxMYAe+n6NiYSpuXvdwPILHP4yZI=",
 "owner": "simple-nixos-mailserver",
 "repo": "nixos-mailserver",
- "rev": "24128c3052090311688b09a400aa408ba61c6ee5",
+ "rev": "b5023b36a1f6628865cb42b4353bd2ddde0ea9f4",
 "type": "gitlab"
 },
 "original": {
 "owner": "simple-nixos-mailserver",
- "ref": "nixos-23.05",
+ "ref": "master",
 "repo": "nixos-mailserver",
 "type": "gitlab"
 }
diff --git a/flake.nix b/flake.nix
index e717092..1b9ab49 100644
--- a/flake.nix
+++ b/flake.nix
@@ -16,8 +16,8 @@
 # simple mailserver
 snm = {
- url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05";
- inputs.nixpkgs-23_05.follows = "nixpkgs";
+ url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
+ # inputs.nixpkgs-23_05.follows = "nixpkgs";
 };
 nix-on-droid = {
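Review bot: The `snm` input now tracks the moving `master` branch, so every `nix flake update` will pull whatever that branch points at instead of a reviewed release, and the commented-out `# inputs.nixpkgs-23_05.follows = "nixpkgs";` line leaves nixos-mailserver carrying its own second nixpkgs pin (the new `nixpkgs-23_05` node in flake.lock) without saying why. If the goal is only to pick up the smuggling fix, pin the exact commit the lock now records, e.g. `url = "gitlab:simple-nixos-mailserver/nixos-mailserver/b5023b36a1f6628865cb42b4353bd2ddde0ea9f4";`, and either restore the `follows` line or delete it with a one-line comment explaining that the module needs its own nixpkgs. Commented-out code should not be left as the record of that decision.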
@@ -42,41 +42,46 @@
 };
 };
- outputs = { home-manager, nixpkgs, agenix, snm, ... }@inputs: {
- nixosConfigurations."thrall" = nixpkgs.lib.nixosSystem {
- system = "x86_64-linux";
- specialArgs = { inherit inputs; };
- modules = [
- ({ inputs, lib, ... }: {
- nixpkgs = {
- config.allowUnfree = true;
- overlays = with inputs; [ emacs.overlay ];
+ outputs =
+ { home-manager, nixpkgs, nixpkgs-unstable, agenix, snm, ... }@inputs: {
+ nixosConfigurations."thrall" = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ specialArgs = { inherit inputs; };
+ modules = let
+ postfix-overlay = final: prev: {
+ postfix = nixpkgs-unstable.legacyPackages."x86_64-linux".postfix;
 };
- nix.registry = lib.mapAttrs (_: value: { flake = value; }) inputs;
- })
- snm.nixosModule
- ./modules/security.nix
- ./hosts/thrall
- agenix.nixosModules.age
- home-manager.nixosModules.home-manager
- {
- home-manager.useGlobalPkgs = true;
- home-manager.useUserPackages = true;
- home-manager.users.alex = import ./home/cli.nix;
- }
- ];
- };
-
- nixosConfigurations."dregil" = import ./hosts/dregil { inherit inputs; };
- homeConfigurations = import ./outputs/homeConfigurations inputs;
-
- nixOnDroidConfigurations.default = with inputs;
- nix-on-droid.lib.nixOnDroidConfiguration {
- modules = [
- ./hosts/redmi
- { nix.registry.nixpkgs.flake = nixpkgs-droid; }
- { nix.nixPath = [ "nixpkgs=${nixpkgs-droid}" ]; }
+ in [
+ ({ inputs, lib, ... }: {
+ nixpkgs = {
+ config.allowUnfree = true;
+ overlays = with inputs; [ emacs.overlay postfix-overlay ];
+ };
+ nix.registry = lib.mapAttrs (_: value: { flake = value; }) inputs;
+ })
+ snm.nixosModule
+ ./modules/security.nix
+ ./hosts/thrall
+ agenix.nixosModules.age
+ home-manager.nixosModules.home-manager
+ {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.users.alex = import ./home/cli.nix;
+ }
 ];
 };
- };
+
+ nixosConfigurations."dregil" = import ./hosts/dregil { inherit inputs; };
+ homeConfigurations = import ./outputs/homeConfigurations inputs;
+
+ nixOnDroidConfigurations.default = with inputs;
+ nix-on-droid.lib.nixOnDroidConfiguration {
+ modules = [
+ ./hosts/redmi
+ { nix.registry.nixpkgs.flake = nixpkgs-droid; }
+ { nix.nixPath = [ "nixpkgs=${nixpkgs-droid}" ]; }
+ ];
+ };
+ };
 }
From 07177629bc2da4496aa3126a9089d712d0ff59e3 Mon Sep 17 00:00:00 2001
From: Alexander Kobjolke
Date: Fri, 19 Jan 2024 20:38:34 +0100
Subject: [PATCH 2/4] thrall: Activate fail2ban for postfix
---
 hosts/thrall/default.nix | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/hosts/thrall/default.nix b/hosts/thrall/default.nix
index ddd9fe2..8ef9c36 100644
--- a/hosts/thrall/default.nix
+++ b/hosts/thrall/default.nix
@@ -324,6 +324,13 @@ in {
 maxretry = 5;
 ignoreIP = [ "127.0.0.0/8" "195.90.211.228/22" "10.0.0.0/8" "192.168.0.0/16" ];
+
+ jails.postfix = ''
+ filter = postfix
+ maxretry = 3
+ action = iptables[name=postfix, port=smtp, protocol=tcp]
+ enabled = true
+ '';
 };
 services.syncthing = {
From 4d863f6a06355c318aa35aa81848684768f9df0c Mon Sep 17 00:00:00 2001
From: Alexander Kobjolke
Date: Fri, 19 Jan 2024 20:39:02 +0100
Subject: [PATCH 3/4] thrall: Increase fail2ban bantime
---
 hosts/thrall/default.nix | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/hosts/thrall/default.nix b/hosts/thrall/default.nix
index 8ef9c36..40d72b6 100644
--- a/hosts/thrall/default.nix
+++ b/hosts/thrall/default.nix
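Review bot: The new `postfix-overlay` in the `modules = let` block hard-codes `legacyPackages."x86_64-linux"` and ignores both `final` and `prev`, and it carries no comment on why postfix is taken from `nixpkgs-unstable` or when the override can be dropped again. Since `nixpkgs-unstable` is an independently locked input, the MTA will now move with unstable on every lock update while the rest of the host stays on the stable channel, which is exactly the kind of temporary divergence that needs a written expiry condition. Suggested replacement for the assignment: `# TODO(review): temporary override for the SMTP-smuggling fix; drop once the stable nixpkgs input ships a fixed postfix` followed by `postfix = nixpkgs-unstable.legacyPackages.${prev.stdenv.hostPlatform.system}.postfix;`, which also keeps the overlay correct if the system string ever changes.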
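Review bot: The jail's `action = iptables[name=postfix, port=smtp, protocol=tcp]` bans an offender on port 25 only, so an address that trips the filter keeps unrestricted access to the submission ports if the server exposes them (nixos-mailserver appears to enable them by default, so verify); fail2ban's stock `[postfix]` jail lists `smtp,465,submission` for that reason. Either drop the `action` line so the global `banaction` and the stock port list apply, or widen it to `action = iptables-multiport[name=postfix, port="smtp,465,submission", protocol=tcp]`. The default `filter = postfix` mode only matches the standard reject patterns; if authentication abuse is also meant to be caught, that needs `mode = aggressive` or a separate `postfix-sasl` jail, and a short comment on which case this jail covers would help. The enclosing `services.fail2ban` block starts outside the hunk.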
@@ -322,6 +322,10 @@ in {
 services.fail2ban = {
 enable = true;
 maxretry = 5;
+
+ bantime = "1h";
+ bantime-increment.enable = true;
+
 ignoreIP = [ "127.0.0.0/8" "195.90.211.228/22" "10.0.0.0/8" "192.168.0.0/16" ];
From 26e5a0e217e6418190851a1489608e6d2b61f062 Mon Sep 17 00:00:00 2001
From: Alexander Kobjolke
Date: Fri, 19 Jan 2024 20:39:39 +0100
Subject: [PATCH 4/4] thrall: Activate repl for flakes
---
 hosts/thrall/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hosts/thrall/default.nix b/hosts/thrall/default.nix
index 40d72b6..0d6b3ad 100644
--- a/hosts/thrall/default.nix
+++ b/hosts/thrall/default.nix
@@ -14,7 +14,7 @@ in {
 nix.package = pkgs.nixUnstable;
 nix.extraOptions = ''
- experimental-features = nix-command flakes ca-derivations
+ experimental-features = nix-command flakes repl-flake ca-derivations
 '';
 # nix.registry.nixpkgs.flake = nixpkgs;
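Review bot: `bantime-increment.enable = true;` is switched on without `bantime-increment.maxtime`, so a repeat offender's ban grows exponentially from the new `bantime = "1h";` with no configured ceiling, and a shared NAT address or the host's own roaming clients outside `ignoreIP` can end up locked out for a very long time after a few mistyped passwords. Consider adding `bantime-increment.maxtime = "168h";` (example value) next to the enable line, plus a one-line comment stating the intended escalation so the next reader does not have to reconstruct it from fail2ban's defaults. The enclosing `services.fail2ban` block continues outside the hunk.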