mailhost() {
[[ $HOSTNAME == "$MAIL_HOST" ]]
}
+serverp() {
+ case $HOSTNAME in
+ li|bk|je)
+ return true
+ ;;
+ esac
+ return false
+}
+nn-hostp() {
+ case $HOSTNAME in
+ li|je)
+ return false
+ ;;
+ esac
+ return true
+}
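Review bot: `return true` and `return false` in the new serverp and nn-hostp functions are not valid bash — `return` accepts only a numeric status, so bash reports `return: true: numeric argument required` and the function exits with status 2 on every path, regardless of which case arm matched. As a consequence serverp is always false, so the later `if ! serverp; then` installs the unbound nn.conf drop-in on every host including li/bk/je, and nn-hostp is always false, so `if nn-hostp; then` never installs the nn.conf drop-ins for the nn_progs units; because both are tested in an `if`, `set -e` will not surface this. Change serverp to `li|bk|je) return 0 ;;` followed by `return 1`, and nn-hostp to `li|je) return 1 ;;` followed by `return 0`. The hyphen in `nn-hostp` is accepted by bash but is not a POSIX function name; that is consistent with the file's existing `[[ ]]` use, so it is only worth a comment if the script is ever meant to run under sh.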
+
reifactive() {
local service
for service; do
# there are no modifications to iptables rules on a succsfull run,
# and
+
vpnser=wg-quick@wgmail.service
case $HOSTNAME in
fi
fi
-
-
-case $HOSTNAME in
- $MAIL_HOST)
- # todo, should this be after vpn service
- u /etc/systemd/system/unbound.service.d/nn.conf <<EOF
+if ! serverp; then
+ # note: this config is only needed for MAIL_HOST, but it doesn't hurt
+ # and avoids reloading systemd.
+ #
+ # todo, should this be after vpn service?
+ u /etc/systemd/system/unbound.service.d/nn.conf <<EOF
[Unit]
After=mailnn.service
JoinsNamespaceOf=mailnn.service
Restart=always
RestartSec=20
EOF
+fi
- # sooo, there are a few ways to get traffic from the mail network
- # namespace to go over the wghole.
- #
- #1: unify the mail vpn and wghole
- # into 1 network. this seems simple and logical, so I'm doing it.
- # One general downside is tying things together, if I need to mess
- # with one thing, it breaks the other. Oh well for now.
- #
- # 2. We can route 10.5.3.0/24 out of the mail nn and nat it into wghole.
- #
- # 3. We can setup the routing to happen on li, which seemed like I
- # just needed to add 10.8.0.4/24 to AllowedIPs in at least the
- # wghole clients, but I think that is kind of hacky and breaks ipv4
- # routing within the mailvpn, it happened to work just because exim
- # prefers ipv6 and that was also available in the mailvpn.
- #
- # 4. Put the hole interface into the mail network namespace. This
- # doesn't work if the mail vpn is wg. For openvpn, it bypasses the
- # vpn routing and establishes a direct connection. I only use the
- # hole vpn for randomish things, it should be fine to join the mail
- # nn for that. There should be some way to fix the routing issue
- # by doing manual routing, but that doesn't seem like a good use of time.
- # relevant:
- # https://www.wireguard.com/netns/#
- #
- # for wireguard debugging
- # echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
- # dmesg -w
+# sooo, there are a few ways to get traffic from the mail network
+# namespace to go over the wghole.
+#
+#1: unify the mail vpn and wghole
+# into 1 network. this seems simple and logical, so I'm doing it.
+# One general downside is tying things together, if I need to mess
+# with one thing, it breaks the other. Oh well for now.
+#
+# 2. We can route 10.5.3.0/24 out of the mail nn and nat it into wghole.
+#
+# 3. We can setup the routing to happen on li, which seemed like I
+# just needed to add 10.8.0.4/24 to AllowedIPs in at least the
+# wghole clients, but I think that is kind of hacky and breaks ipv4
+# routing within the mailvpn, it happened to work just because exim
+# prefers ipv6 and that was also available in the mailvpn.
+#
+# 4. Put the hole interface into the mail network namespace. This
+# doesn't work if the mail vpn is wg. For openvpn, it bypasses the
+# vpn routing and establishes a direct connection. I only use the
+# hole vpn for randomish things, it should be fine to join the mail
+# nn for that. There should be some way to fix the routing issue
+# by doing manual routing, but that doesn't seem like a good use of time.
+# relevant:
+# https://www.wireguard.com/netns/#
+#
+# for wireguard debugging
+# echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
+# dmesg -w
- ;;&
- $MAIL_HOST|bk)
- for unit in ${nn_progs[@]}; do
- u /etc/systemd/system/$unit.service.d/nn.conf <<EOF
+if nn-hostp; then
+ for unit in ${nn_progs[@]}; do
+ u /etc/systemd/system/$unit.service.d/nn.conf <<EOF
[Unit]
# Wants appears better than requires because with requires,
Restart=always
RestartSec=20
EOF
- done
- ;;
- *)
- # note: this does not include unbound, because we don't use unbound
- # as a non-nn service, and we are getting failure in joins-namespace-of-check for unbound,
- # and I wonder if changing its config has anything to do with it.
- for unit in exim4 $spamd_ser $spamd_remove dovecot; do
- f=/etc/systemd/system/$unit.service.d/nn.conf
- if [[ -s $f ]]; then
- rm -fv $f
- reload=true
- fi
- done
- ;;
-esac
+ done
+fi
+
+# We could do this for all hosts but bk and MAIL_HOST. If we did,
+# then we are get failure in joins-namespace-of-check for unbound
+# and mailnnroute when we switch-mail-host. It is a systemd bug, but
+# I realized I have no reason to run these outside of the network
+# namespace, so I will avoid the bug that way.
+
+# for unit in exim4 unbound $spamd_ser $spamd_remove dovecot; do
+# f=/etc/systemd/system/$unit.service.d/nn.conf
+# if [[ -s $f ]]; then
+# rm -fv $f
+# reload=true
+# fi
+# done
# * wghole (another mail vpn)
EOF
fi
+# exim will fail to start without internet connectivity if we tell it
+# to bind to a wireguard interface that is not up. I had this set to
+# only be for bhost_t not MAIL_HOST, but I'm avoiding needlessly
+# causing systemd reloads.
+u /etc/systemd/system/exim4.service.d/backup.conf <<'EOF'
+[Unit]
+StartLimitIntervalSec=0
+
+[Service]
+Restart=always
+RestartSec=20
+EOF
+
+
# * rspamd config
if $use_rspamd; then
dc_local_interfaces='127.0.0.1;::1;$wgholeip'
EOF
- # wghole & thus exim will fail to start without internet connectivity.
- u /etc/systemd/system/exim4.service.d/backup.conf <<'EOF'
-[Unit]
-StartLimitIntervalSec=0
-
-[Service]
-Restart=always
-RestartSec=20
-EOF
else
cat >>/etc/exim4/update-exim4.conf.conf <<EOF
# instead of a permanent 5xx.
dc_local_interfaces='127.0.0.1;::1'
EOF
- rm -fv /etc/systemd/system/exim4.service.d/backup.conf
fi
cat >>/etc/exim4/update-exim4.conf.conf <<EOF
dc_eximconfig_configtype='smarthost'