open up samba
parent
e61944dfde
commit
2dd8cda85a
16
data.nix
16
data.nix
@ -89,20 +89,22 @@ rec {
|
||||
# copied from nixpkgs/lib/attrsets.nix
|
||||
attrVals = nameList: set: map (x: set.${x}) nameList;
|
||||
|
||||
motiejus_ips = let
|
||||
subnets = {
|
||||
tailscale = {
|
||||
cidr = "100.89.176.0/20";
|
||||
range = "100.89.176.0-100.89.191.255";
|
||||
sshPattern = "100.89.176.?"; # until we have more hosts
|
||||
};
|
||||
motiejus.cidrs = let
|
||||
mHosts =
|
||||
attrVals [
|
||||
"mxp10.motiejus.jakst"
|
||||
"fwmine.motiejus.jakst"
|
||||
]
|
||||
hosts;
|
||||
in
|
||||
builtins.catAttrs "jakstIP" mHosts;
|
||||
in builtins.catAttrs "jakstIP" mHosts;
|
||||
|
||||
tailscale_subnet = {
|
||||
cidr = "100.89.176.0/20";
|
||||
range = "100.89.176.0-100.89.191.255";
|
||||
pattern = "100.89.176.?"; # until we have more hosts
|
||||
vno1.cidr = "192.168.189.0/24";
|
||||
};
|
||||
|
||||
jakstysLTZone = let
|
||||
|
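Review bot: The new `vno1.cidr = "192.168.189.0/24";` entry in `subnets` has no comment, unlike `tailscale`, whose `range` and `sshPattern` are annotated; because this same commit makes it a source allowed to reach the Samba ports, a one-line note naming the network would help, e.g. `vno1.cidr = "192.168.189.0/24"; # <which LAN this is — fill in>`. The `motiejus.cidrs` attribute is built with `builtins.catAttrs "jakstIP" mHosts`; if `jakstIP` holds bare host addresses rather than prefixes, the `cidrs` name is misleading to consumers such as the syncthing friendlyport rule, and a comment or a rename would settle what they receive. The page prints old and new lines interleaved for this hunk, so the exact final layout of the `subnets` block is inferred.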
@ -145,7 +145,7 @@
|
||||
services = {
|
||||
friendlyport.ports = [
|
||||
{
|
||||
subnets = [myData.tailscale_subnet.cidr];
|
||||
subnets = [myData.subnets.tailscale.cidr];
|
||||
tcp = [
|
||||
80
|
||||
443
|
||||
@ -165,7 +165,7 @@
|
||||
headscale = {
|
||||
enable = true;
|
||||
clientOidcPath = config.age.secrets.headscale-client-oidc.path;
|
||||
subnetCIDR = myData.tailscale_subnet.cidr;
|
||||
subnetCIDR = myData.subnets.tailscale.cidr;
|
||||
};
|
||||
|
||||
nsd-acme = let
|
||||
@ -242,13 +242,13 @@
|
||||
}
|
||||
'';
|
||||
virtualHosts."grafana.jakstys.lt".extraConfig = ''
|
||||
@denied not remote_ip ${myData.tailscale_subnet.cidr}
|
||||
@denied not remote_ip ${myData.subnets.tailscale.cidr}
|
||||
abort @denied
|
||||
reverse_proxy 127.0.0.1:3000
|
||||
tls {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-key.pem
|
||||
'';
|
||||
virtualHosts."bitwarden.jakstys.lt".extraConfig = ''
|
||||
@denied not remote_ip ${myData.tailscale_subnet.cidr}
|
||||
@denied not remote_ip ${myData.subnets.tailscale.cidr}
|
||||
abort @denied
|
||||
tls {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/bitwarden.jakstys.lt-key.pem
|
||||
|
||||
|
@ -36,7 +36,7 @@
|
||||
|
||||
mj.services.friendlyport.ports = [
|
||||
{
|
||||
subnets = [myData.tailscale_subnet.cidr];
|
||||
subnets = [myData.subnets.tailscale.cidr];
|
||||
tcp = [config.services.iperf3.port];
|
||||
}
|
||||
];
|
||||
|
@ -16,10 +16,7 @@
|
||||
enable = true;
|
||||
blocktime = 900;
|
||||
whitelist =
|
||||
[
|
||||
"192.168.0.0/16"
|
||||
myData.tailscale_subnet.cidr
|
||||
]
|
||||
["192.168.0.0/16" myData.subnets.tailscale.cidr]
|
||||
++ (lib.catAttrs "publicIP" (lib.attrValues myData.hosts));
|
||||
};
|
||||
};
|
||||
|
@ -97,7 +97,7 @@
|
||||
createHome = true;
|
||||
uid = uidgid;
|
||||
openssh.authorizedKeys.keys = let
|
||||
restrictedPubKey = "from=\"${myData.tailscale_subnet.pattern}\" " + publicKey;
|
||||
restrictedPubKey = "from=\"${myData.subnets.tailscale.sshPattern}\" " + publicKey;
|
||||
in [restrictedPubKey];
|
||||
};
|
||||
};
|
||||
|
@ -36,8 +36,8 @@
|
||||
else "iptables -A INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT"
|
||||
);
|
||||
|
||||
startTCP = map(attr: mkAdd "tcp" attr.subnets attr.tcp) ports;
|
||||
startUDP = map(attr: mkAdd "udp" attr.subnets attr.udp) ports;
|
||||
startTCP = map (attr: mkAdd "tcp" attr.subnets attr.tcp) ports;
|
||||
startUDP = map (attr: mkAdd "udp" attr.subnets attr.udp) ports;
|
||||
|
||||
# TODO: when stopping the firewall, systemd uses the old ports. So this is a two-phase process.
|
||||
# How to stop the old one and start the new one?
|
||||
@ -51,8 +51,8 @@
|
||||
else "iptables -D INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT || :"
|
||||
);
|
||||
|
||||
stopTCP = map(attr: mkDel "tcp" attr.subnets attr.tcp) ports;
|
||||
stopUDP = map(attr: mkDel "udp" attr.subnets attr.udp) ports;
|
||||
stopTCP = map (attr: mkDel "tcp" attr.subnets attr.tcp) ports;
|
||||
stopUDP = map (attr: mkDel "udp" attr.subnets attr.udp) ports;
|
||||
in {
|
||||
networking.firewall.extraCommands = lib.concatLines (startTCP ++ startUDP);
|
||||
networking.firewall.extraStopCommands = lib.concatLines (stopTCP ++ stopUDP);
|
||||
|
@ -2,6 +2,7 @@
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
myData,
|
||||
...
|
||||
}: {
|
||||
options.mj.services.jakstpub = with lib.types; {
|
||||
@ -49,7 +50,10 @@
|
||||
unitConfig.Requires = requires;
|
||||
};
|
||||
|
||||
# WIP ports
|
||||
#friendlyport.vpn.ports = [ 13
|
||||
mj.services.friendlyport.ports = [{
|
||||
subnets = with myData.subnets; [tailscale.cidr vno1.cidr];
|
||||
tcp = [ 139 445 ];
|
||||
udp = [ 137 138 ];
|
||||
}];
|
||||
};
|
||||
}
|
||||
|
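Review bot: The added `mj.services.friendlyport.ports` entry opens `tcp = [ 139 445 ]` and `udp = [ 137 138 ]` to both `tailscale.cidr` and `vno1.cidr` with no comment on why the NetBIOS ports are needed next to 445; SMB2/3 clients speak direct-hosted SMB on 445 alone, so if neither NetBIOS name service nor SMB1 is in use, `tcp = [ 445 ];` with the `udp` line dropped would shrink what the LAN can reach. If NetBIOS is intentionally required, a comment such as `# 137/138/139: NetBIOS name, datagram and session (legacy clients); 445: SMB direct` records the decision for the next reader. The enclosing `config` for `options.mj.services.jakstpub` starts outside the hunk, so whether the Samba settings themselves enable NetBIOS cannot be checked here.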
@ -29,7 +29,7 @@
|
||||
|
||||
mj.services.friendlyport.ports = [
|
||||
{
|
||||
subnets = [myData.tailscale_subnet.cidr];
|
||||
subnets = [myData.subnets.tailscale.cidr];
|
||||
tcp = [myData.ports.exporters.node];
|
||||
}
|
||||
];
|
||||
|
@ -20,7 +20,7 @@
|
||||
"127.0.0.1/8"
|
||||
"[::ffff:127.0.0.0]/104"
|
||||
"[::1]/128"
|
||||
myData.tailscale_subnet.cidr
|
||||
myData.subnets.tailscale.cidr
|
||||
];
|
||||
hostname = "${config.networking.hostName}.${config.networking.domain}";
|
||||
relayHost = "smtp.sendgrid.net";
|
||||
|
@ -12,7 +12,7 @@
|
||||
config = lib.mkIf config.mj.services.snmp_exporter.enable {
|
||||
mj.services.friendlyport.ports = [
|
||||
{
|
||||
subnets = [myData.tailscale_subnet.cidr];
|
||||
subnets = [myData.subnets.tailscale.cidr];
|
||||
tcp = [config.services.prometheus.exporters.snmp.port];
|
||||
}
|
||||
];
|
||||
|
@ -16,7 +16,7 @@ in {
|
||||
config = lib.mkIf config.mj.services.syncthing.enable {
|
||||
mj.services.friendlyport.ports = [
|
||||
{
|
||||
subnets = myData.motiejus_ips;
|
||||
subnets = myData.subnets.motiejus.cidrs;
|
||||
tcp = [8384];
|
||||
}
|
||||
];
|
||||
|