diff --git a/flake.lock b/flake.lock
index 3968408..3ceae14 100644
--- a/flake.lock
+++ b/flake.lock
@@ -173,11 +173,11 @@
 ]
 },
 "locked": {
- "lastModified": 1767556355,
- "narHash": "sha256-RDTUBDQBi9D4eD9iJQWtUDN/13MDLX+KmE+TwwNUp2s=",
+ "lastModified": 1767702900,
+ "narHash": "sha256-xMzHmNytl7JgFRov2jHf2GYsLVp/sAfYO0JvbZt0uDo=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "f894bc4ffde179d178d8deb374fcf9855d1a82b7",
+ "rev": "38e187fd2f9efac197e03be0c25f3ee215974144",
 "type": "github"
 },
 "original": {
@@ -410,11 +410,11 @@
 "nixpkgs": "nixpkgs_3"
 },
 "locked": {
- "lastModified": 1767502237,
- "narHash": "sha256-rRrn9I4H692troUl5pBtE3Y5mG2msSMU/2ro7+ZQrFM=",
+ "lastModified": 1767568852,
+ "narHash": "sha256-6s8hL3YX9zAq2T7qvcwwzaEVwc9MEYbW+C2LcAAQfbk=",
 "owner": "0xc000022070",
 "repo": "zen-browser-flake",
- "rev": "e3efa5e2b53982f985044062c98426ec75d6695b",
+ "rev": "350c729b261e6f5529460140a5f0943dd4c5e156",
 "type": "github"
 },
 "original": {
diff --git a/hosts/zora/networking.nix b/hosts/zora/networking.nix
index 0bfcbe9..c63249b 100644
--- a/hosts/zora/networking.nix
+++ b/hosts/zora/networking.nix
@@ -50,4 +50,22 @@
 };
 };
 };
+
+ # Imposing a bandwidth limit to avoid Aurore/Crans disruptions
+ networking.nftables = {
+ tables.rate_limit = {
+ name = "rate_limit";
+ family = "inet";
+ enable = true;
+ content = ''
+ limit lim { rate over 20 mbytes/second burst 40 mbytes ; comment "use to limit taffic" ; }
+
+ chain IN {
+ type filter hook input priority filter; policy drop;
+ tcp dport 80 limit name "lim" accept
+ tcp dport 443 limit name "lim" accept
+ }
+ '';
+ };
+ };
 }
diff --git a/modules/server/default.nix b/modules/server/default.nix
index e9429ac..bb7e349 100644
--- a/modules/server/default.nix
+++ b/modules/server/default.nix
@@ -22,6 +22,8 @@
 '';
 };
 
+ networking.nftables.enable = true;
+
 environment.systemPackages = with pkgs; [
 mdadm
 ];
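Review bot: The rate limiter in chain IN is inverted: `limit lim { rate over 20 mbytes/second … }` matches only packets that *exceed* the rate, so the two `accept` rules admit over-limit traffic while everything under the limit — and every other inbound packet (SSH, ICMP, loopback, replies to outbound connections) — falls through to `policy drop`. A drop in this second base chain on the input hook is final even when the NixOS firewall's own input chain accepts the packet, so as written this is likely to lock the host out. Keep `over` and flip the verdicts instead: `type filter hook input priority filter; policy accept;` with the two rules replaced by `tcp dport { 80, 443 } limit name "lim" drop`, leaving under-limit and unrelated traffic to the regular firewall. Note also that a limit on the input hook only caps request traffic towards this host; if the disruption comes from bandwidth the host sends, the limit belongs on the output hook (or a tc qdisc), and the comment should read `used to limit traffic`. The table only takes effect where `networking.nftables.enable` is true, which this commit sets in modules/server/default.nix — confirm zora imports that module.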
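Review bot: Setting `networking.nftables.enable = true;` here switches the firewall backend for every host that imports this module, not only the host that needed it, and the option's own documentation warns that the nftables backend does not coexist with services that still program iptables (Docker being the usual case); check that no server host relies on such a service before merging. The intent is worth recording next to the option, e.g. `# nftables firewall backend for all servers; per-host networking.nftables.tables (zora) and the incus module (maistro) depend on it`. The enclosing attribute set starts and ends outside the hunk.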
diff --git a/modules/server/maistro/default.nix b/modules/server/maistro/default.nix
index a3a70a7..b1aef17 100644
--- a/modules/server/maistro/default.nix
+++ b/modules/server/maistro/default.nix
@@ -3,7 +3,8 @@
 {
 virtualisation.incus.enable = true;
 virtualisation.incus.ui.enable = true;
- networking.nftables.enable = true;
+ # Enabled on server as a whole
+ # networking.nftables.enable = true;
 networking.firewall.trustedInterfaces = [ "incusbr0" ];
 virtualisation.incus.preseed = {
 networks = [
diff --git a/modules/server/taf/default.nix b/modules/server/taf/default.nix
index 1e98e92..5c968b8 100644
--- a/modules/server/taf/default.nix
+++ b/modules/server/taf/default.nix
@@ -79,18 +79,12 @@
 # Crans Nounou
 elsif anyof (
 header :contains "List-Id" "",
- header :contains "List-Id" ""
+ header :contains "List-Id" "",
+ address :is :all "To" "contact@crans.org",
+ address :is :all "From" "contact@crans.org"
 ) {
 fileinto :create "Crans.crans.nounou";
 }
- # Crans Root
- elsif anyof (
- address :is :all "To" "root@crans.org",
- address :is :all "From" "root@crans.org",
- address :is :all "From" "www-data@crans.org"
- ) {
- fileinto :create "Crans.crans.root";
- }
 # Crans Root Postmaster
 elsif address :is :all "To" "postmaster@crans.org" {
 addflag "\\Seen";
@@ -100,6 +94,14 @@
 elsif address :is :all "From" "MAILER-DAEMON@crans.org" {
 fileinto :create "Crans.crans.root.mailer";
 }
+ # Crans Root
+ elsif anyof (
+ address :is :all "To" "root@crans.org",
+ address :is :all "From" "root@crans.org",
+ address :is :all "From" "www-data@crans.org"
+ ) {
+ fileinto :create "Crans.crans.root";
+ }
 # Crans Gitlab
 elsif address :is :all "From" "gitlab@crans.org" {
 fileinto :create "Crans.crans.gitlab";
@@ -179,7 +181,7 @@
 # "@lyes.eu" = "lyes@mail.lyes.eu";
 # };
 
- # certificateScheme = "acme-nginx";
+ x509.useACMEHost = config.mailserver.fqdn;
 };
 
 # services.dovecot2.extraConfig = ''
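Review bot: The commented-out `# networking.nftables.enable = true;` is dead configuration that will drift from whatever the shared server module actually sets; keep only the explanatory comment and make it say where the option now lives, e.g. `# nftables is enabled for all servers in modules/server/default.nix`. This module now silently depends on being imported together with that server module — if it can be used on its own, an assertion on `config.networking.nftables.enable` would make the dependency explicit rather than leaving the incus bridge without the expected firewall backend. The enclosing attribute set continues outside the hunk.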
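Review bot: The two new `address :is :all … "contact@crans.org"` tests are largely unreachable if the `header :contains "List-Id" ""` keys are literally empty: under RFC 5228 the empty key is contained in every value, so that test already matches any message carrying a List-Id header and the new tests only decide messages with no List-Id at all. If those empty strings are redaction artefacts of the published file, disregard this; if not, fill in the real list identifiers or use `header :is`. Separately, filing on `From "contact@crans.org"` puts anything that forges that sender into the nounou folder — acceptable for sorting, but worth a line such as `# From: is not authenticated; folder placement is not a trust signal`. The sieve script is inside a Nix string whose start and end lie outside the hunk.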
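Review bot: `x509.useACMEHost = config.mailserver.fqdn;` only points postfix/dovecot at an existing certificate; if I read the mailserver options correctly it corresponds to the old `"acme"` scheme, whereas the removed `certificateScheme = "acme-nginx"` had the module issue the certificate itself (now `x509.useACME = true`). Nothing in the hunk defines `security.acme.certs.${config.mailserver.fqdn}` (with `security.acme.acceptTerms` and a contact address), so unless it exists elsewhere the services will reference a certificate that is never issued; also check that postfix and dovecot are in that certificate's `reloadServices` so renewals are picked up, and that they can read the key. Record the dependency next to the option, e.g. `# consumes the cert issued by security.acme for the mail FQDN; it is not issued here`. The module's argument set (which must provide `config`) is outside the hunk.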