rewrite firewall rules
This commit is contained in:
parent
2b5b9bc57f
commit
e61944dfde
13
data.nix
13
data.nix
@ -86,6 +86,19 @@ rec {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# copied from nixpkgs/lib/attrsets.nix
|
||||||
|
attrVals = nameList: set: map (x: set.${x}) nameList;
|
||||||
|
|
||||||
|
motiejus_ips = let
|
||||||
|
mHosts =
|
||||||
|
attrVals [
|
||||||
|
"mxp10.motiejus.jakst"
|
||||||
|
"fwmine.motiejus.jakst"
|
||||||
|
]
|
||||||
|
hosts;
|
||||||
|
in
|
||||||
|
builtins.catAttrs "jakstIP" mHosts;
|
||||||
|
|
||||||
tailscale_subnet = {
|
tailscale_subnet = {
|
||||||
cidr = "100.89.176.0/20";
|
cidr = "100.89.176.0/20";
|
||||||
range = "100.89.176.0-100.89.191.255";
|
range = "100.89.176.0-100.89.191.255";
|
||||||
|
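Review bot: `motiejus_ips` is built with `builtins.catAttrs "jakstIP" mHosts`, which silently skips any listed host that has no `jakstIP` attribute, so the source allowlist that the syncthing module consumes would shrink without an evaluation error, while `attrVals` one line above throws on an unknown host name. A short comment stating that asymmetry, `# catAttrs drops hosts without jakstIP silently; attrVals throws on a missing host`, would make the fail-closed behaviour explicit, or `map (h: h.jakstIP) mHosts` if a missing address should be a hard error instead. The enclosing `rec { … }` attrset starts above the hunk.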
@ -143,12 +143,17 @@
|
|||||||
};
|
};
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
friendlyport.vpn.ports = [
|
friendlyport.ports = [
|
||||||
80
|
{
|
||||||
443
|
subnets = [myData.tailscale_subnet.cidr];
|
||||||
myData.ports.grafana
|
tcp = [
|
||||||
myData.ports.prometheus
|
80
|
||||||
myData.ports.soju
|
443
|
||||||
|
myData.ports.grafana
|
||||||
|
myData.ports.prometheus
|
||||||
|
myData.ports.soju
|
||||||
|
];
|
||||||
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
node_exporter.enable = true;
|
node_exporter.enable = true;
|
||||||
|
@ -2,6 +2,7 @@
|
|||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
pkgs,
|
pkgs,
|
||||||
|
myData,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
imports = [
|
imports = [
|
||||||
@ -33,7 +34,12 @@
|
|||||||
config = {
|
config = {
|
||||||
time.timeZone = config.mj.timeZone;
|
time.timeZone = config.mj.timeZone;
|
||||||
|
|
||||||
mj.services.friendlyport.vpn.ports = [config.services.iperf3.port];
|
mj.services.friendlyport.ports = [
|
||||||
|
{
|
||||||
|
subnets = [myData.tailscale_subnet.cidr];
|
||||||
|
tcp = [config.services.iperf3.port];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
i18n = {
|
i18n = {
|
||||||
defaultLocale = "en_US.UTF-8";
|
defaultLocale = "en_US.UTF-8";
|
||||||
|
@ -4,47 +4,57 @@
|
|||||||
myData,
|
myData,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
options.mj.services.friendlyport.motiejus = with lib.types; {
|
options.mj.services.friendlyport = with lib.types; {
|
||||||
ports = lib.mkOption {
|
ports = lib.mkOption {
|
||||||
type = listOf int;
|
type = listOf (submodule (
|
||||||
default = [];
|
{...}: {
|
||||||
};
|
options = {
|
||||||
};
|
subnets = lib.mkOption {type = listOf str;};
|
||||||
options.mj.services.friendlyport.vpn = with lib.types; {
|
tcp = lib.mkOption {
|
||||||
ports = lib.mkOption {
|
type = listOf int;
|
||||||
type = listOf int;
|
default = [];
|
||||||
default = [];
|
};
|
||||||
|
udp = lib.mkOption {
|
||||||
|
type = listOf int;
|
||||||
|
default = [];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
));
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = let
|
config = let
|
||||||
portsM = config.mj.services.friendlyport.motiejus.ports;
|
ports = config.mj.services.friendlyport.ports;
|
||||||
portsV = config.mj.services.friendlyport.vpn.ports;
|
mkAdd = (
|
||||||
portsMStr = builtins.concatStringsSep "," (map builtins.toString config.mj.services.friendlyport.motiejus.ports);
|
proto: subnets: ints: let
|
||||||
portsVStr = builtins.concatStringsSep "," (map builtins.toString config.mj.services.friendlyport.vpn.ports);
|
subnetsS = builtins.concatStringsSep "," subnets;
|
||||||
hosts = lib.attrVals ["mxp10.motiejus.jakst" "fwmine.motiejus.jakst"] myData.hosts;
|
intsS = builtins.concatStringsSep "," (map builtins.toString ints);
|
||||||
ips = lib.catAttrs "jakstIP" hosts;
|
in
|
||||||
startLinesM =
|
if builtins.length ints == 0
|
||||||
if builtins.length portsM > 0
|
then ""
|
||||||
then map (ip: "iptables -A INPUT -p tcp --match multiport --dports ${portsMStr} --source ${ip} -j ACCEPT") ips
|
else "iptables -A INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT"
|
||||||
else [];
|
);
|
||||||
startLinesV =
|
|
||||||
if builtins.length portsV > 0
|
startTCP = map(attr: mkAdd "tcp" attr.subnets attr.tcp) ports;
|
||||||
then "iptables -A INPUT -p tcp --match multiport --dports ${portsVStr} --source ${myData.tailscale_subnet.cidr} -j ACCEPT"
|
startUDP = map(attr: mkAdd "udp" attr.subnets attr.udp) ports;
|
||||||
else "";
|
|
||||||
|
|
||||||
# TODO: when stopping the firewall, systemd uses the old ports. So this is a two-phase process.
|
# TODO: when stopping the firewall, systemd uses the old ports. So this is a two-phase process.
|
||||||
# How to stop the old one and start the new one?
|
# How to stop the old one and start the new one?
|
||||||
stopLinesM =
|
mkDel = (
|
||||||
if builtins.length portsM > 0
|
proto: subnets: ints: let
|
||||||
then map (ip: "iptables -D INPUT -p tcp --match multiport --dports ${portsMStr} --source ${ip} -j ACCEPT || :") ips
|
subnetsS = builtins.concatStringsSep "," subnets;
|
||||||
else [];
|
intsS = builtins.concatStringsSep "," (map builtins.toString ints);
|
||||||
stopLinesV =
|
in
|
||||||
if builtins.length portsV > 0
|
if builtins.length ints == 0
|
||||||
then "iptables -D INPUT -p tcp --match multiport --dports ${portsVStr} --source ${myData.tailscale_subnet.cidr} -j ACCEPT || :"
|
then ""
|
||||||
else "";
|
else "iptables -D INPUT -p ${proto} --match multiport --dports ${intsS} --source ${subnetsS} -j ACCEPT || :"
|
||||||
|
);
|
||||||
|
|
||||||
|
stopTCP = map(attr: mkDel "tcp" attr.subnets attr.tcp) ports;
|
||||||
|
stopUDP = map(attr: mkDel "udp" attr.subnets attr.udp) ports;
|
||||||
in {
|
in {
|
||||||
networking.firewall.extraCommands = lib.concatLines (startLinesM ++ [startLinesV]);
|
networking.firewall.extraCommands = lib.concatLines (startTCP ++ startUDP);
|
||||||
networking.firewall.extraStopCommands = lib.concatLines (stopLinesM ++ [stopLinesV]);
|
networking.firewall.extraStopCommands = lib.concatLines (stopTCP ++ stopUDP);
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
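Review bot: `mkAdd` and `mkDel` guard only against an empty `ints` list; an entry whose `subnets` is `[]` still yields `--source  -j ACCEPT`, which iptables rejects and which makes `networking.firewall.extraCommands` fail at activation, whereas the removed per-IP `map` simply produced no rule for an empty list. Guard both lists in both helpers, `if ints == [] || subnets == [] then ""`. The new `ports` option also drops the `default = []` that both removed options declared, so a host importing this module without defining any ports will presumably fail with an "is used but not defined" error — add `default = [];` next to the `listOf (submodule …)` type. Since `mkAdd` and `mkDel` differ only in `-A` versus `-D … || :`, a single `mkRule = action: suffix: proto: subnets: ints: …` would keep the two command strings from drifting apart. The module's argument list begins above the hunk.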
@ -27,8 +27,11 @@
|
|||||||
gid = myData.uidgid.node_exporter;
|
gid = myData.uidgid.node_exporter;
|
||||||
};
|
};
|
||||||
|
|
||||||
mj.services.friendlyport.vpn.ports = [
|
mj.services.friendlyport.ports = [
|
||||||
myData.ports.exporters.node
|
{
|
||||||
|
subnets = [myData.tailscale_subnet.cidr];
|
||||||
|
tcp = [myData.ports.exporters.node];
|
||||||
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -2,6 +2,7 @@
|
|||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
pkgs,
|
pkgs,
|
||||||
|
myData,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
options.mj.services.snmp_exporter = with lib.types; {
|
options.mj.services.snmp_exporter = with lib.types; {
|
||||||
@ -9,7 +10,12 @@
|
|||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf config.mj.services.snmp_exporter.enable {
|
config = lib.mkIf config.mj.services.snmp_exporter.enable {
|
||||||
mj.services.friendlyport.vpn.ports = [config.services.prometheus.exporters.snmp.port];
|
mj.services.friendlyport.ports = [
|
||||||
|
{
|
||||||
|
subnets = [myData.tailscale_subnet.cidr];
|
||||||
|
tcp = [config.services.prometheus.exporters.snmp.port];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
services.prometheus.exporters.snmp = {
|
services.prometheus.exporters.snmp = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -14,7 +14,12 @@ in {
|
|||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf config.mj.services.syncthing.enable {
|
config = lib.mkIf config.mj.services.syncthing.enable {
|
||||||
mj.services.friendlyport.motiejus.ports = [8384];
|
mj.services.friendlyport.ports = [
|
||||||
|
{
|
||||||
|
subnets = myData.motiejus_ips;
|
||||||
|
tcp = [8384];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
services.syncthing = {
|
services.syncthing = {
|
||||||
enable = config.mj.services.syncthing.enable;
|
enable = config.mj.services.syncthing.enable;
|
||||||
|