open up samba

This commit is contained in:
Motiejus Jakštys 2023-09-12 16:08:08 +03:00
parent e61944dfde
commit 2dd8cda85a
11 changed files with 35 additions and 32 deletions


@ -89,20 +89,22 @@ rec {
# copied from nixpkgs/lib/attrsets.nix # copied from nixpkgs/lib/attrsets.nix
attrVals = nameList: set: map (x: set.${x}) nameList; attrVals = nameList: set: map (x: set.${x}) nameList;
motiejus_ips = let subnets = {
tailscale = {
cidr = "100.89.176.0/20";
range = "100.89.176.0-100.89.191.255";
sshPattern = "100.89.176.?"; # until we have more hosts
};
motiejus.cidrs = let
mHosts = mHosts =
attrVals [ attrVals [
"mxp10.motiejus.jakst" "mxp10.motiejus.jakst"
"fwmine.motiejus.jakst" "fwmine.motiejus.jakst"
] ]
hosts; hosts;
in in builtins.catAttrs "jakstIP" mHosts;
builtins.catAttrs "jakstIP" mHosts;
tailscale_subnet = { vno1.cidr = "192.168.189.0/24";
cidr = "100.89.176.0/20";
range = "100.89.176.0-100.89.191.255";
pattern = "100.89.176.?"; # until we have more hosts
}; };
jakstysLTZone = let jakstysLTZone = let
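Review bot: `sshPattern = "100.89.176.?"` is consumed as an sshd `from=` pattern in the user hunk (-97,7), where `?` matches exactly one character, so only 100.89.176.0 through 100.89.176.9 are accepted; the comment `# until we have more hosts` should state that so the next host at .10 is not silently locked out. Suggested comment on that line: `# sshd 'from=' pattern: '?' is a single-character wildcard, so this covers 100.89.176.0-9 only; widen it when a host outside that range appears`. The enclosing `rec {` attrset starts before this hunk.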


@ -145,7 +145,7 @@
services = { services = {
friendlyport.ports = [ friendlyport.ports = [
{ {
subnets = [myData.tailscale_subnet.cidr]; subnets = [myData.subnets.tailscale.cidr];
tcp = [ tcp = [
80 80
443 443
@ -165,7 +165,7 @@
headscale = { headscale = {
enable = true; enable = true;
clientOidcPath = config.age.secrets.headscale-client-oidc.path; clientOidcPath = config.age.secrets.headscale-client-oidc.path;
subnetCIDR = myData.tailscale_subnet.cidr; subnetCIDR = myData.subnets.tailscale.cidr;
}; };
nsd-acme = let nsd-acme = let
@ -242,13 +242,13 @@
} }
''; '';
virtualHosts."grafana.jakstys.lt".extraConfig = '' virtualHosts."grafana.jakstys.lt".extraConfig = ''
@denied not remote_ip ${myData.tailscale_subnet.cidr} @denied not remote_ip ${myData.subnets.tailscale.cidr}
abort @denied abort @denied
reverse_proxy 127.0.0.1:3000 reverse_proxy 127.0.0.1:3000
tls {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-key.pem tls {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-key.pem
''; '';
virtualHosts."bitwarden.jakstys.lt".extraConfig = '' virtualHosts."bitwarden.jakstys.lt".extraConfig = ''
@denied not remote_ip ${myData.tailscale_subnet.cidr} @denied not remote_ip ${myData.subnets.tailscale.cidr}
abort @denied abort @denied
tls {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-key.pem tls {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-key.pem


@ -36,7 +36,7 @@
mj.services.friendlyport.ports = [ mj.services.friendlyport.ports = [
{ {
subnets = [myData.tailscale_subnet.cidr]; subnets = [myData.subnets.tailscale.cidr];
tcp = [config.services.iperf3.port]; tcp = [config.services.iperf3.port];
} }
]; ];


@ -16,10 +16,7 @@
enable = true; enable = true;
blocktime = 900; blocktime = 900;
whitelist = whitelist =
[ ["192.168.0.0/16" myData.subnets.tailscale.cidr]
"192.168.0.0/16"
myData.tailscale_subnet.cidr
]
++ (lib.catAttrs "publicIP" (lib.attrValues myData.hosts)); ++ (lib.catAttrs "publicIP" (lib.attrValues myData.hosts));
}; };
}; };
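Review bot: The whitelist still admits all of `192.168.0.0/16` while this commit introduces `myData.subnets.vno1.cidr = "192.168.189.0/24"` as the named LAN range (the -89,20 hunk). If vno1 is the only private network that should bypass blocking, `whitelist = [myData.subnets.vno1.cidr myData.subnets.tailscale.cidr]` keeps the allow-list to ranges the config actually defines instead of a /16 that covers any RFC1918 neighbour. The enclosing attrset starts outside the hunk.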


@ -97,7 +97,7 @@
createHome = true; createHome = true;
uid = uidgid; uid = uidgid;
openssh.authorizedKeys.keys = let openssh.authorizedKeys.keys = let
restrictedPubKey = "from=\"${myData.tailscale_subnet.pattern}\" " + publicKey; restrictedPubKey = "from=\"${myData.subnets.tailscale.sshPattern}\" " + publicKey;
in [restrictedPubKey]; in [restrictedPubKey];
}; };
}; };


@ -36,8 +36,8 @@
else "iptables -A INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT" else "iptables -A INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT"
); );
startTCP = map(attr: mkAdd "tcp" attr.subnets attr.tcp) ports; startTCP = map (attr: mkAdd "tcp" attr.subnets attr.tcp) ports;
startUDP = map(attr: mkAdd "udp" attr.subnets attr.udp) ports; startUDP = map (attr: mkAdd "udp" attr.subnets attr.udp) ports;
# TODO: when stopping the firewall, systemd uses the old ports. So this is a two-phase process. # TODO: when stopping the firewall, systemd uses the old ports. So this is a two-phase process.
# How to stop the old one and start the new one? # How to stop the old one and start the new one?
@ -51,8 +51,8 @@
else "iptables -D INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT || :" else "iptables -D INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT || :"
); );
stopTCP = map(attr: mkDel "tcp" attr.subnets attr.tcp) ports; stopTCP = map (attr: mkDel "tcp" attr.subnets attr.tcp) ports;
stopUDP = map(attr: mkDel "udp" attr.subnets attr.udp) ports; stopUDP = map (attr: mkDel "udp" attr.subnets attr.udp) ports;
in { in {
networking.firewall.extraCommands = lib.concatLines (startTCP ++ startUDP); networking.firewall.extraCommands = lib.concatLines (startTCP ++ startUDP);
networking.firewall.extraStopCommands = lib.concatLines (stopTCP ++ stopUDP); networking.firewall.extraStopCommands = lib.concatLines (stopTCP ++ stopUDP);


@ -2,6 +2,7 @@
config, config,
lib, lib,
pkgs, pkgs,
myData,
... ...
}: { }: {
options.mj.services.jakstpub = with lib.types; { options.mj.services.jakstpub = with lib.types; {
@ -49,7 +50,10 @@
unitConfig.Requires = requires; unitConfig.Requires = requires;
}; };
# WIP ports mj.services.friendlyport.ports = [{
#friendlyport.vpn.ports = [ 13 subnets = with myData.subnets; [tailscale.cidr vno1.cidr];
tcp = [ 139 445 ];
udp = [ 137 138 ];
}];
}; };
} }
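Review bot: The new `mj.services.friendlyport.ports` entry opens 139/445 TCP and 137/138 UDP to the tailnet and the vno1 LAN, and per the friendlyport hunk (-36,8) the resulting rule selects by `--source` only, with no interface pinned, so admission for the 192.168.189.0/24 range rests on the source address alone; on a host that also has an interface outside that LAN, a spoofed private source could match unless the rule also checks the ingress interface — confirm that is acceptable here. Also, if clients speak SMB over 445 only, the NetBIOS ports (137/138/139) can stay closed unless nmbd is actually in use, which the hunk does not show. A comment on the entry would make the intent explicit: `# SMB (445 tcp) plus NetBIOS session/name/datagram (139 tcp, 137-138 udp); allowed from the tailnet and the vno1 LAN by source address only`.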


@ -29,7 +29,7 @@
mj.services.friendlyport.ports = [ mj.services.friendlyport.ports = [
{ {
subnets = [myData.tailscale_subnet.cidr]; subnets = [myData.subnets.tailscale.cidr];
tcp = [myData.ports.exporters.node]; tcp = [myData.ports.exporters.node];
} }
]; ];


@ -20,7 +20,7 @@
"127.0.0.1/8" "127.0.0.1/8"
"[::ffff:127.0.0.0]/104" "[::ffff:127.0.0.0]/104"
"[::1]/128" "[::1]/128"
myData.tailscale_subnet.cidr myData.subnets.tailscale.cidr
]; ];
hostname = "${config.networking.hostName}.${config.networking.domain}"; hostname = "${config.networking.hostName}.${config.networking.domain}";
relayHost = "smtp.sendgrid.net"; relayHost = "smtp.sendgrid.net";


@ -12,7 +12,7 @@
config = lib.mkIf config.mj.services.snmp_exporter.enable { config = lib.mkIf config.mj.services.snmp_exporter.enable {
mj.services.friendlyport.ports = [ mj.services.friendlyport.ports = [
{ {
subnets = [myData.tailscale_subnet.cidr]; subnets = [myData.subnets.tailscale.cidr];
tcp = [config.services.prometheus.exporters.snmp.port]; tcp = [config.services.prometheus.exporters.snmp.port];
} }
]; ];


@ -16,7 +16,7 @@ in {
config = lib.mkIf config.mj.services.syncthing.enable { config = lib.mkIf config.mj.services.syncthing.enable {
mj.services.friendlyport.ports = [ mj.services.friendlyport.ports = [
{ {
subnets = myData.motiejus_ips; subnets = myData.subnets.motiejus.cidrs;
tcp = [8384]; tcp = [8384];
} }
]; ];
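Review bot: `subnets = myData.subnets.motiejus.cidrs` is fed by `builtins.catAttrs "jakstIP" mHosts` in the -89,20 hunk, which by its attribute name looks like a list of single host addresses rather than CIDR ranges; iptables `--source` accepts a bare address, so the rule works, but the name `cidrs` implies ranges and a reader may later add a `/24` here thinking that is the convention. Consider naming it `ips` (or documenting the definition with `# bare host addresses taken from jakstIP, not ranges`) so the `subnets` list reads as what it is. The enclosing attrset starts outside the hunk.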