author | ene <ene@sils.li> | 2023-03-19 17:43:26 +0100 |
---|---|---|
committer | ene <ene@sils.li> | 2023-03-19 17:43:26 +0100 |
commit | 083a7cbb9623c90468c887203bf95adc5f2e3201 (patch) | |
tree | b2354f50502ac44dff6e3c70235a24bc870fb99e | |
parent | Feat(system/mail): Add other users, so the admin thing works (diff) | |
Fix(system/mail): Only accept connections on safe ports
It is fairly standard to refuse connections on the unencrypted port 25, so we do the same.
-rw-r--r-- | system/mail/default.nix | 4 | ||||
-rw-r--r-- | system/services/default.nix | 2 | ||||
-rw-r--r-- | system/services/firewall/default.nix | 11 |
3 files changed, 15 insertions, 2 deletions
diff --git a/system/mail/default.nix b/system/mail/default.nix
index 8eaa53b..7102958 100644
--- a/system/mail/default.nix
+++ b/system/mail/default.nix
@@ -30,13 +30,11 @@ in {
 "admin@vhack.eu" = all_admins;
 };
-
 mailDirectory = "/srv/mail/vmail";
 dkimKeyDirectory = "/srv/mail/dkim";
 sieveDirectory = "/srv/mail/sieve";
 backup.snapshotRoot = "/srv/mail/backup";
-
 enableImap = false;
 enableImapSsl = true;
 enablePop3 = false;
@@ -44,8 +42,10 @@ in { # SMTP enableSubmission = false; enableSubmissionSsl = true; + openFirewall = false; # handled below keyFile = "/var/lib/acme/server1.vhack.eu/key.pem"; certificateScheme = 1; certificateFile = "/var/lib/acme/server1.vhack.eu/fullchain.pem"; + }
diff --git a/system/services/default.nix b/system/services/default.nix
index acf20f5..4c39b8b 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -1,6 +1,8 @@
 {config, ...}: {
 imports = [
 ./acme
+ ./firewall
+ ./minecraft
 ./nginx
 ./nix
 ./opensshd
diff --git a/system/services/firewall/default.nix b/system/services/firewall/default.nix
new file mode 100644
index 0000000..23dbcc4
--- /dev/null
+++ b/system/services/firewall/default.nix
@@ -0,0 +1,11 @@
+# vim: ts=2
+{...}: {
+ networking.firewall = {
+ allowedTCPPorts = [
+ # for mail protocols:
+ 465 # SMTP SSL
+ 995 # POP3 SSL
+ 993 # IMAP SSL
+ ];
+ };
+} |
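Review bot: The comment on the added `openFirewall = false; # handled below` line in system/mail/default.nix is misleading: nothing further down in this file opens any port; the ports are opened in the new system/services/firewall/default.nix. Anyone auditing which mail ports are reachable will look in the wrong place. Suggest `openFirewall = false; # ports are opened explicitly in system/services/firewall`. The enclosing attribute set continues outside the hunk, and one context line of this hunk appears to have been lost in rendering.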
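Review bot: The added `./minecraft` import in system/services/default.nix has no counterpart in this commit — the diffstat lists only the mail, services and firewall files — and is unrelated to the stated purpose of restricting mail ports. If system/services/minecraft does not already exist in the tree, the configuration will fail to evaluate at this import; if it does, the line still belongs in its own commit so the port change can be reviewed and reverted on its own. The imports list continues outside the hunk.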
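Review bot: The new system/services/firewall/default.nix opens 465, 993 and 995 unconditionally, while the mail module in the same commit sets `enablePop3 = false` and the POP3-SSL flag is not visible in the hunk, so 995 may be opened with no listener behind it; deriving each entry from the corresponding enable flag (`enableImapSsl`, `enableSubmissionSsl` and the POP3 counterpart) keeps the firewall in step with the mail configuration instead of duplicating it by hand. Separately, port 25 is the port other mail servers use to deliver mail to this host (with encryption negotiated via STARTTLS), whereas 465 serves clients submitting outgoing mail, so if this host is expected to receive mail from other servers, leaving 25 closed blocks inbound delivery rather than merely an unencrypted alternative. If that is intended, a comment such as `# 25 deliberately closed: this host does not accept inbound MTA delivery` above the list would document the decision for the next reader.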