From 7252ba1582ca5262d756108a14ecb8062843d501 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?=
Date: Sat, 24 May 2025 15:50:52 +0000
Subject: [PATCH] rm friendlyport
---
 hosts/fwminex/configuration.nix | 15 ------
 hosts/vno3-nk/configuration.nix | 12 -----
 modules/base/default.nix | 9 ----
 modules/services/default.nix | 1 -
 modules/services/friendlyport/default.nix | 59 ----------------------
 modules/services/grafana/default.nix | 8 ---
 modules/services/hass/default.nix | 7 ---
 modules/services/jakstpub/default.nix | 16 ------
 modules/services/node_exporter/default.nix | 6 ---
 modules/services/ping_exporter/default.nix | 7 ---
 modules/services/ssh8022/default.nix | 7 ---
 modules/services/syncthing/default.nix | 7 ---
 modules/services/vaultwarden/default.nix | 8 ---
 13 files changed, 162 deletions(-)
 delete mode 100644 modules/services/friendlyport/default.nix
diff --git a/hosts/fwminex/configuration.nix b/hosts/fwminex/configuration.nix
index 85f14e4..6d6726c 100644
--- a/hosts/fwminex/configuration.nix
+++ b/hosts/fwminex/configuration.nix
@@ -746,21 +746,6 @@ in
 saslPasswdPath = config.age.secrets.sasl-passwd.path;
 };
- friendlyport.ports = [
- {
- subnets = [ myData.subnets.tailscale.cidr ];
- udp = [ 443 ];
- tcp = with myData.ports; [
- 80
- 443
- soju
- frigate
- soju-ws
- prometheus
- ];
- }
- ];
-
 };
 };
diff --git a/hosts/vno3-nk/configuration.nix b/hosts/vno3-nk/configuration.nix
index 4b3f049..00b886b 100644
--- a/hosts/vno3-nk/configuration.nix
+++ b/hosts/vno3-nk/configuration.nix
@@ -205,18 +205,6 @@ in
 saslPasswdPath = config.age.secrets.sasl-passwd.path;
 };
- #friendlyport.ports = [
- # {
- # subnets = [ myData.subnets.tailscale.cidr ];
- # udp = [ 443 ];
- # tcp = with myData.ports; [
- # 80
- # 443
- # prometheus
- # ];
- # }
- #];
-
 deployerbot = {
 follower = {
 enable = true;
diff --git a/modules/base/default.nix b/modules/base/default.nix
index c8a01b4..74ab150 100644
--- a/modules/base/default.nix
+++ b/modules/base/default.nix
@@ -2,7 +2,6 @@
 config,
 lib,
 pkgs,
- myData,
 ...
 }:
 let
@@ -55,14 +54,6 @@ in
 time.timeZone = cfg.timeZone;
- mj.services.friendlyport.ports = [
- {
- subnets = [ myData.subnets.tailscale.cidr ];
- tcp = [ config.services.iperf3.port ];
- udp = [ config.services.iperf3.port ];
- }
- ];
-
 i18n = {
 defaultLocale = "en_US.UTF-8";
 supportedLocales = [ "all" ];
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 769b018..51f2f91 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -5,7 +5,6 @@
 ./btrfsborg
 ./btrfssnapshot
 ./deployerbot
- ./friendlyport
 ./frigate
 ./gitea
 ./grafana
diff --git a/modules/services/friendlyport/default.nix b/modules/services/friendlyport/default.nix
deleted file mode 100644
index 1a21808..0000000
--- a/modules/services/friendlyport/default.nix
+++ /dev/null
@@ -1,59 +0,0 @@
-{ config, lib, ... }:
-{
- options.mj.services.friendlyport = with lib.types; {
- ports = lib.mkOption {
- type = listOf (submodule {
- options = {
- subnets = lib.mkOption { type = listOf str; };
- tcp = lib.mkOption {
- type = listOf int;
- default = [ ];
- };
- udp = lib.mkOption {
- type = listOf int;
- default = [ ];
- };
- };
- });
- };
- };
-
- config =
- let
- inherit (config.mj.services.friendlyport) ports;
-
- mkAdd =
- proto: subnets: ints:
- let
- subnetsS = builtins.concatStringsSep "," subnets;
- intsS = builtins.concatStringsSep "," (map builtins.toString ints);
- in
- if builtins.length ints == 0 then
- ""
- else
- "iptables -A INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT";
-
- startTCP = map (attr: mkAdd "tcp" attr.subnets attr.tcp) ports;
- startUDP = map (attr: mkAdd "udp" attr.subnets attr.udp) ports;
-
- # TODO: when stopping the firewall, systemd uses the old ports. So this is a two-phase process.
- # How to stop the old one and start the new one?
- mkDel =
- proto: subnets: ints:
- let
- subnetsS = builtins.concatStringsSep "," subnets;
- intsS = builtins.concatStringsSep "," (map builtins.toString ints);
- in
- if builtins.length ints == 0 then
- ""
- else
- "iptables -D INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT || :";
-
- stopTCP = map (attr: mkDel "tcp" attr.subnets attr.tcp) ports;
- stopUDP = map (attr: mkDel "udp" attr.subnets attr.udp) ports;
- in
- {
- networking.firewall.extraCommands = lib.concatLines (startTCP ++ startUDP);
- networking.firewall.extraStopCommands = lib.concatLines (stopTCP ++ stopUDP);
- };
-}
diff --git a/modules/services/grafana/default.nix b/modules/services/grafana/default.nix
index 9eed1d0..5f56ce2 100644
--- a/modules/services/grafana/default.nix
+++ b/modules/services/grafana/default.nix
@@ -1,7 +1,6 @@
 {
 config,
 lib,
- myData,
 ...
 }:
 let
@@ -50,13 +49,6 @@ in
 };
 };
- mj.services.friendlyport.ports = [
- {
- subnets = [ myData.subnets.tailscale.cidr ];
- tcp = [ cfg.port ];
- }
- ];
-
 };
 }
diff --git a/modules/services/hass/default.nix b/modules/services/hass/default.nix
index 824b842..e0ca662 100644
--- a/modules/services/hass/default.nix
+++ b/modules/services/hass/default.nix
@@ -14,13 +14,6 @@ in
 };
 config = lib.mkIf cfg.enable {
- mj.services.friendlyport.ports = [
- {
- subnets = [ myData.subnets.tailscale.cidr ];
- tcp = [ myData.ports.hass ];
- }
- ];
-
 environment.systemPackages = [ ];
 services = {
diff --git a/modules/services/jakstpub/default.nix b/modules/services/jakstpub/default.nix
index fcadbc7..e19e8c4 100644
--- a/modules/services/jakstpub/default.nix
+++ b/modules/services/jakstpub/default.nix
@@ -117,21 +117,5 @@ in
 ];
 };
- mj.services.friendlyport.ports = [
- {
- subnets = with myData.subnets; [
- tailscale.cidr
- vno1.cidr
- vno3.cidr
- ];
- tcp = [
- #80 # caddy above
- 139 # smbd
- 445 # smbd
- 5357 # wsdd
- ];
- udp = [ 3702 ]; # wsdd
- }
- ];
 };
 }
diff --git a/modules/services/node_exporter/default.nix b/modules/services/node_exporter/default.nix
index ca7fd9d..55bf13e 100644
--- a/modules/services/node_exporter/default.nix
+++ b/modules/services/node_exporter/default.nix
@@ -38,11 +38,5 @@ in
 gid = myData.uidgid.node_exporter;
 };
- mj.services.friendlyport.ports = [
- {
- subnets = [ myData.subnets.tailscale.cidr ] ++ cfg.extraSubnets;
- tcp = [ myData.ports.exporters.node ];
- }
- ];
 };
 }
diff --git a/modules/services/ping_exporter/default.nix b/modules/services/ping_exporter/default.nix
index 741782d..b1603b4 100644
--- a/modules/services/ping_exporter/default.nix
+++ b/modules/services/ping_exporter/default.nix
@@ -1,7 +1,6 @@
 {
 config,
 lib,
- myData,
 ...
 }:
 let
@@ -43,11 +42,5 @@ in
 };
 };
- mj.services.friendlyport.ports = [
- {
- subnets = [ myData.subnets.tailscale.cidr ];
- tcp = [ config.services.prometheus.exporters.ping.port ];
- }
- ];
-
 };
 }
diff --git a/modules/services/ssh8022/default.nix b/modules/services/ssh8022/default.nix
index c8c8d42..8994a13 100644
--- a/modules/services/ssh8022/default.nix
+++ b/modules/services/ssh8022/default.nix
@@ -43,13 +43,6 @@ in
 lib.mkIf cfg.enable {
- mj.services.friendlyport.ports = lib.mkIf (!cfg.openGlobalFirewall) [
- {
- subnets = [ myData.subnets.tailscale.cidr ];
- tcp = [ 22 ];
- }
- ];
-
 services = {
 openssh.openFirewall = cfg.openGlobalFirewall;
diff --git a/modules/services/syncthing/default.nix b/modules/services/syncthing/default.nix
index 5165878..7002c59 100644
--- a/modules/services/syncthing/default.nix
+++ b/modules/services/syncthing/default.nix
@@ -194,13 +194,6 @@ in
 };
 config = lib.mkIf cfg.enable {
- mj.services.friendlyport.ports = [
- {
- subnets = myData.subnets.motiejus.cidrs;
- tcp = [ 8384 ];
- }
- ];
-
 services.syncthing = {
 inherit (cfg)
 enable
diff --git a/modules/services/vaultwarden/default.nix b/modules/services/vaultwarden/default.nix
index ffd7fa6..b3fc594 100644
--- a/modules/services/vaultwarden/default.nix
+++ b/modules/services/vaultwarden/default.nix
@@ -1,7 +1,6 @@
 {
 config,
 lib,
- myData,
 ...
 }:
 let
@@ -45,13 +44,6 @@ in
 };
 };
- mj.services.friendlyport.ports = [
- {
- subnets = [ myData.subnets.tailscale.cidr ];
- tcp = [ cfg.port ];
- }
- ];
-
 };
 }