B4L/cnx-network-clan
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9c4e036b090ae1c5e56e22cf3a5d7c394aa9eb41
cnx-network-clan/modules/hetzner-firewall-rules.nix
T
Berwn 1cb6f39ea2 Add declarative SNM mail stack on mx1 with DNS-01, DANE, MTA-STS 
mx1 runs Simple NixOS Mailserver (Postfix/Dovecot/Rspamd/OpenDKIM) for
cnx.email. The TLS cert is obtained via ACME DNS-01 using a dedicated,
scoped TSIG key (acme_mx1) that ns1 authorizes for only
_acme-challenge.mx1 and _acme-challenge.mta-sts on the cnx.email zone, so
the credential can write nothing else. Mailbox passwords are auto-minted
by a clan vars generator (four-word passphrase + number).

DANE TLSA (3 1 1) is published for _25._tcp.mx1; --reuse-key keeps the
key digest stable across renewals. MTA-STS is enforced via a Caddy vhost
serving the policy on :443 from the same cert (mta-sts SAN). Firewall
opens 25/587/465/143/993/443; 80 stays closed.
2026-06-18 14:47:20 +07:00

78 lines
1.8 KiB
Nix
Raw Blame History

# Hetzner Cloud firewall rules, keyed by firewall name. Imported by
# machines/control/configuration.nix and fed to cnx.hetznerFirewall.firewalls.
#
# Public SSH (22) is intentionally absent: admin access rides the ZeroTier mesh
# (inside UDP 9993), with emergency-access as the console fallback.
let
world = [
"0.0.0.0/0"
"::/0"
];
zerotier = {
direction = "in";
protocol = "udp";
port = "9993";
source_ips = world;
description = "ZeroTier";
};
ping = {
direction = "in";
protocol = "icmp";
source_ips = world;
description = "ICMP (ping / PMTUD)";
};
# Public mail ports for mx1 (MX for cnx.email). 25 is server-to-server
# delivery; 587/465 are client submission; 143/993 are IMAP. 443 serves only the
# MTA-STS policy (https://mta-sts.cnx.email/.well-known/mta-sts.txt); the cert
# itself uses ACME DNS-01 so port 80 stays closed. Admin still rides the mesh.
mailPort = port: description: {
direction = "in";
protocol = "tcp";
inherit port;
source_ips = world;
inherit description;
};
mailRules = [
(mailPort "25" "SMTP (inbound mail)")
(mailPort "587" "Submission (STARTTLS)")
(mailPort "465" "Submission (implicit TLS)")
(mailPort "143" "IMAP (STARTTLS)")
(mailPort "993" "IMAP (implicit TLS)")
(mailPort "443" "MTA-STS policy (HTTPS)")
];
dnsRules = [
{
direction = "in";
protocol = "udp";
port = "53";
source_ips = world;
description = "DNS (UDP)";
}
{
direction = "in";
protocol = "tcp";
port = "53";
source_ips = world;
description = "DNS (TCP)";
}
zerotier
ping
];
in
{
"clan-control" = [
zerotier
ping
];
"clan-ns1" = dnsRules;
"clan-ns2" = dnsRules;
"clan-mx1" = mailRules ++ [
zerotier
ping
];
}
Reference in New Issue View Git Blame Copy Permalink