From 4522af453bead8abba9ccaf4e7bbfb3dd85251f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?=
Date: Wed, 26 Jul 2023 15:10:39 +0300
Subject: [PATCH] start/stop firewall commands
---
 modules/base/sshguard/default.nix | 10 +-
 modules/base/zfsborg/default.nix | 8 +-
 modules/services/syncthing/default.nix | 148 +++++++++++++------------
 3 files changed, 87 insertions(+), 79 deletions(-)
diff --git a/modules/base/sshguard/default.nix b/modules/base/sshguard/default.nix
index 19d7cd6..1dc8ad9 100644
--- a/modules/base/sshguard/default.nix
+++ b/modules/base/sshguard/default.nix
@@ -15,10 +15,12 @@ services.sshguard = {
 enable = true;
 blocktime = 900;
- whitelist = [
- "192.168.0.0/16"
- myData.tailscale_subnet.cidr
- ] ++ (lib.catAttrs "publicIP" (lib.attrValues myData.hosts));
+ whitelist =
+ [
+ "192.168.0.0/16"
+ myData.tailscale_subnet.cidr
+ ]
+ ++ (lib.catAttrs "publicIP" (lib.attrValues myData.hosts));
 };
 };
 }
diff --git a/modules/base/zfsborg/default.nix b/modules/base/zfsborg/default.nix
index 1772e9a..537660c 100644
--- a/modules/base/zfsborg/default.nix
+++ b/modules/base/zfsborg/default.nix
@@ -19,7 +19,10 @@ in {
 enable = lib.mkEnableOption "backup zfs snapshots with borg";
 passwordPath = lib.mkOption {type = str;};
- sshKeyPath = lib.mkOption {type = nullOr path; default = null;};
+ sshKeyPath = lib.mkOption {
+ type = nullOr path;
+ default = null;
+ };
 mountpoints = lib.mkOption {
 default = {};
@@ -87,7 +90,8 @@ in {
 } // lib.optionalAttrs (attrs ? patterns) {
 patterns = attrs.patterns;
- } // lib.optionalAttrs (config.mj.base.zfsborg.sshKeyPath != null) {
+ }
+ // lib.optionalAttrs (config.mj.base.zfsborg.sshKeyPath != null) {
 environment.BORG_RSH = ''ssh -i "${config.mj.base.zfsborg.sshKeyPath}"'';
 };
 })
diff --git a/modules/services/syncthing/default.nix b/modules/services/syncthing/default.nix
index fedaa2d..b9093fd 100644
--- a/modules/services/syncthing/default.nix
+++ b/modules/services/syncthing/default.nix
@@ -13,84 +13,86 @@ in {
 dataDir = lib.mkOption {type = path;};
 };
- config = lib.mkIf config.mj.services.syncthing.enable {
- networking.firewall.extraCommands = let
- hosts = lib.attrVals ["mxp10.motiejus.jakst" "fwmine.motiejus.jakst"] myData.hosts;
- ips = lib.catAttrs "jakstIP" hosts;
- lines = map (ip: "iptables -A INPUT -p tcp --dport 8384 -s ${ip} -j ACCEPT") ips;
- in
- lib.concatLines lines;
+ config = let
+ hosts = lib.attrVals ["mxp10.motiejus.jakst" "fwmine.motiejus.jakst"] myData.hosts;
+ ips = lib.catAttrs "jakstIP" hosts;
+ startLines = map (ip: "iptables -A INPUT -p tcp --dport 8384 -s ${ip} -j ACCEPT") ips;
+ stopLines = map (ip: "iptables -D INPUT -p tcp --dport 8384 -s ${ip} -j ACCEPT") ips;
+ in
+ lib.mkIf config.mj.services.syncthing.enable {
+ networking.firewall.extraCommands = lib.concatLines startLines;
+ networking.firewall.extraStopCommands = lib.concatLines stopLines;
- services.syncthing = {
- enable = config.mj.services.syncthing.enable;
- openDefaultPorts = true;
- guiAddress = let
- fqdn = with config.networking; "${hostName}.${domain}";
- jakstIP = lib.getAttrFromPath [fqdn "jakstIP"] myData.hosts;
- guiPortStr = builtins.toString guiPort;
- in "${jakstIP}:${guiPortStr}";
- user = config.mj.services.syncthing.user;
- group = config.mj.services.syncthing.group;
- dataDir = config.mj.services.syncthing.dataDir;
+ services.syncthing = {
+ enable = config.mj.services.syncthing.enable;
+ openDefaultPorts = true;
+ guiAddress = let
+ fqdn = with config.networking; "${hostName}.${domain}";
+ jakstIP = lib.getAttrFromPath [fqdn "jakstIP"] myData.hosts;
+ guiPortStr = builtins.toString guiPort;
+ in "${jakstIP}:${guiPortStr}";
+ user = config.mj.services.syncthing.user;
+ group = config.mj.services.syncthing.group;
+ dataDir = config.mj.services.syncthing.dataDir;
- extraOptions.gui.insecureAdminAccess = true;
+ extraOptions.gui.insecureAdminAccess = true;
- devices =
- {}
- // (lib.optionalAttrs (config.networking.hostName == "vno1-oh2") {
- "fwmine".id = "GKSUKZE-AOBQOWY-CNLZ2ZI-WNKATYE-MV4Y452-J3VCJ5C-EAANXRX-2P6EHA6";
- "mxp10".id = "LO54QZZ-5J3G62P-WUVM3MW-7J3VWHD-BG76TOQ-5S7PZSY-JU45K3I-X3ZL4AN";
- "rzj-744P2PE".id = "UW6ISH2-NW6X6AW-BJR76TV-TV3BIGZ-PA5QH2M-YEF567T-IWMHKD5-P3XHHAH";
- })
- // {};
+ devices =
+ {}
+ // (lib.optionalAttrs (config.networking.hostName == "vno1-oh2") {
+ "fwmine".id = "GKSUKZE-AOBQOWY-CNLZ2ZI-WNKATYE-MV4Y452-J3VCJ5C-EAANXRX-2P6EHA6";
+ "mxp10".id = "LO54QZZ-5J3G62P-WUVM3MW-7J3VWHD-BG76TOQ-5S7PZSY-JU45K3I-X3ZL4AN";
+ "rzj-744P2PE".id = "UW6ISH2-NW6X6AW-BJR76TV-TV3BIGZ-PA5QH2M-YEF567T-IWMHKD5-P3XHHAH";
+ })
+ // {};
- folders = {
- "${config.services.syncthing.dataDir}/annex2/Books" = {
- devices = ["mxp10" "fwmine"];
- id = "8lk0n-mm63y";
- label = "Books";
- };
- "${config.services.syncthing.dataDir}/annex2/M-Active" = {
- devices = ["mxp10" "fwmine"];
- id = "f6fma-unkxq";
- label = "M-Active";
- };
- "${config.services.syncthing.dataDir}/annex2/M-Camera" = {
- devices = ["mxp10" "fwmine"];
- id = "pixel_xl_dtm3-photos";
- label = "M-Active";
- };
- "${config.services.syncthing.dataDir}/annex2/M-Documents" = {
- devices = ["fwmine"];
- id = "4fu7z-z6es2";
- label = "M-Documents";
- };
- "${config.services.syncthing.dataDir}/annex2/R-Documents" = {
- devices = ["rzj-744P2PE"];
- id = "nm23h-aog6k";
- label = "R-Documents";
- };
- "${config.services.syncthing.dataDir}/annex2/Pictures" = {
- devices = ["fwmine"];
- id = "d3hur-cbzyw";
- label = "Pictures";
- };
- "${config.services.syncthing.dataDir}/stud-cache" = {
- devices = ["fwmine"];
- id = "2kq7n-jqzxj";
- label = "stud-cache";
- };
- "${config.services.syncthing.dataDir}/video/shared" = {
- devices = ["mxp10" "fwmine"];
- id = "byzmw-f6zhg";
- label = "video-shared";
- };
- "${config.services.syncthing.dataDir}/music" = {
- devices = ["fwmine" "mxp10"];
- id = "tg94v-cqcwr";
- label = "music";
+ folders = {
+ "${config.services.syncthing.dataDir}/annex2/Books" = {
+ devices = ["mxp10" "fwmine"];
+ id = "8lk0n-mm63y";
+ label = "Books";
+ };
+ "${config.services.syncthing.dataDir}/annex2/M-Active" = {
+ devices = ["mxp10" "fwmine"];
+ id = "f6fma-unkxq";
+ label = "M-Active";
+ };
+ "${config.services.syncthing.dataDir}/annex2/M-Camera" = {
+ devices = ["mxp10" "fwmine"];
+ id = "pixel_xl_dtm3-photos";
+ label = "M-Active";
+ };
+ "${config.services.syncthing.dataDir}/annex2/M-Documents" = {
+ devices = ["fwmine"];
+ id = "4fu7z-z6es2";
+ label = "M-Documents";
+ };
+ "${config.services.syncthing.dataDir}/annex2/R-Documents" = {
+ devices = ["rzj-744P2PE"];
+ id = "nm23h-aog6k";
+ label = "R-Documents";
+ };
+ "${config.services.syncthing.dataDir}/annex2/Pictures" = {
+ devices = ["fwmine"];
+ id = "d3hur-cbzyw";
+ label = "Pictures";
+ };
+ "${config.services.syncthing.dataDir}/stud-cache" = {
+ devices = ["fwmine"];
+ id = "2kq7n-jqzxj";
+ label = "stud-cache";
+ };
+ "${config.services.syncthing.dataDir}/video/shared" = {
+ devices = ["mxp10" "fwmine"];
+ id = "byzmw-f6zhg";
+ label = "video-shared";
+ };
+ "${config.services.syncthing.dataDir}/music" = {
+ devices = ["fwmine" "mxp10"];
+ id = "tg94v-cqcwr";
+ label = "music";
+ };
 };
 };
 };
- };
 }