Berwn
60db8c60b0
Deliver cnx.email DMARC aggregate/forensic reports to a dedicated dmarc@cnx.email mailbox on mx1 and analyze them with parsedmarc on control, storing parsed reports in a local loopback Elasticsearch and visualizing via the auto-provisioned Grafana dashboard. parsedmarc fetches the mailbox over IMAPS across the mesh (mx1.cnx.email pinned to its mesh address so TLS still validates), using a shared mail-dmarc-cred clan var so mx1's mailserver and control see the same password.
35 lines
995 B
Nix
35 lines
995 B
Nix
{ config, ... }:
|
|
let
|
|
hosts = import ../../modules/hosts.nix;
|
|
in
|
|
{
|
|
imports = [
|
|
../../modules/hetzner-firewall.nix
|
|
../../modules/static-ipv6.nix
|
|
../../modules/monitoring/exporters.nix
|
|
../../modules/monitoring/server.nix
|
|
../../modules/monitoring/blackbox.nix
|
|
../../modules/monitoring/alerts.nix
|
|
../../modules/monitoring/parsedmarc.nix
|
|
../../modules/docs.nix
|
|
];
|
|
|
|
clan.core.sops.defaultGroups = [ "admins" ];
|
|
|
|
# Public IPv6 (from modules/hosts.nix); SLAAC doesn't bring it up here.
|
|
cnx.staticIPv6 = {
|
|
enable = true;
|
|
address = hosts.${config.networking.hostName}.ipv6;
|
|
};
|
|
|
|
time.timeZone = "Etc/GMT-3"; # UTC+3 (fixed offset, no DST)
|
|
services.timesyncd.enable = true;
|
|
|
|
# Public Hetzner Cloud firewalls, synced from this config on every deploy.
|
|
# Rules live in their own data file; see that file for the no-public-SSH note.
|
|
cnx.hetznerFirewall = {
|
|
enable = true;
|
|
firewalls = import ../../modules/hetzner-firewall-rules.nix;
|
|
};
|
|
}
|