Updates to the server and first rate limiting attempts

2026-01-06 17:44:17 +01:00 · 2026-01-06 17:44:17 +01:00 · e91c83f572
commit e91c83f572
parent c8a103ea43
4 changed files with 34 additions and 11 deletions
--- a/hosts/zora/networking.nix
+++ b/hosts/zora/networking.nix
@ -50,4 +50,22 @@
      };
    };
  };
+
+  # Imposing a bandwidth limit to avoid Aurore/Crans disruptions
+  networking.nftables = {
+    tables.rate_limit = {
+      name = "rate_limit";
+      family = "inet";
+      enable = true;
+      content = ''
+        limit lim  { rate over 20 mbytes/second burst 1 gbytes ; comment "use to limit taffic" ; }
+
+        chain IN {
+          type filter hook input priority filter; policy drop;
+          tcp dport 80 limit name "lim" accept
+          tcp dport 443 limit name "lim" accept
+        }
+      '';
+    };
+  };
 }
--- a/modules/server/default.nix
+++ b/modules/server/default.nix
@ -22,6 +22,8 @@
    '';
  };

+  networking.nftables.enable = true;
+
  environment.systemPackages = with pkgs; [
    mdadm
  ];
--- a/modules/server/maistro/default.nix
+++ b/modules/server/maistro/default.nix
@ -3,7 +3,8 @@
 {
  virtualisation.incus.enable = true;
  virtualisation.incus.ui.enable = true;
-  networking.nftables.enable = true;
+  # Enabled on server as a whole
+  # networking.nftables.enable = true;
  networking.firewall.trustedInterfaces = [ "incusbr0" ];
  virtualisation.incus.preseed = {
    networks = [
--- a/modules/server/taf/default.nix
+++ b/modules/server/taf/default.nix
@ -79,18 +79,12 @@
              # Crans Nounou
              elsif anyof (
                  header :contains "List-Id" "<nounou.lists.crans.org>",
-                  header :contains "List-Id" "<apprenti-es.lists.crans.org>"
+                  header :contains "List-Id" "<apprenti-es.lists.crans.org>",
+                  address :is :all "To" "contact@crans.org",
+                  address :is :all "From" "contact@crans.org"
                ) {
                fileinto :create "Crans.crans.nounou";
              }
-              # Crans Root
-              elsif anyof (
-                  address :is :all "To" "root@crans.org",
-                  address :is :all "From" "root@crans.org",
-                  address :is :all "From" "www-data@crans.org"
-                ) {
-                fileinto :create "Crans.crans.root";
-              }
              # Crans Root Postmaster
              elsif address :is :all "To" "postmaster@crans.org" {
                addflag "\\Seen";
@ -100,6 +94,14 @@
              elsif address :is :all "From" "MAILER-DAEMON@crans.org" {
                fileinto :create "Crans.crans.root.mailer";
              }
+              # Crans Root
+              elsif anyof (
+                  address :is :all "To" "root@crans.org",
+                  address :is :all "From" "root@crans.org",
+                  address :is :all "From" "www-data@crans.org"
+                ) {
+                fileinto :create "Crans.crans.root";
+              }
              # Crans Gitlab
              elsif address :is :all "From" "gitlab@crans.org" {
                fileinto :create "Crans.crans.gitlab";
@ -179,7 +181,7 @@
    #   "@lyes.eu" = "lyes@mail.lyes.eu";
    # };

-    # certificateScheme = "acme-nginx";
+    x509.useACMEHost = config.mailserver.fqdn;
  };

  # services.dovecot2.extraConfig = ''