architect: Refactored firewall settings. Added architect.firewall option

hosts/architect/default.nix

@@ -9,7 +9,7 @@ let
 in
 {
   imports = [
-    # Include the results of the hardware scan.
+    ./options.nix
     ./backup.nix
     ./hardware.nix
     ./firewall.nix
@@ -132,6 +132,11 @@ in
     driSupport = true;
   };
 
+  architect.firewall = {
+    openTCP = [ 22 ];
+    openTCPVPN = [ 22 ];
+  };
+  
   services = {
     fwupd.enable = true;
     das_watchdog.enable = true;

hosts/architect/deluge.nix

@@ -4,8 +4,15 @@ let
   domain = "htdel.giugl.io";
   network = import ./network.nix;
   auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
+
+  listenPorts = [ 51413 51414 ];
 in
 {
+  architect.firewall = {
+    openTCP = listenPorts;
+    openUDP = listenPorts;
+  };
+
   services = {
     deluge = {
       enable = true;
@@ -24,7 +31,7 @@ in
         max_connections_global = 1000;
         max_active_limit = 100;
         max_active_downloading = 100;
-        listen_ports = [ 51413 51414 ];
+        listen_ports = listenPorts;
         random_port = false;
         enabled_plugins = [ "Label" "Extractor" ];
       };

hosts/architect/dns.nix

@@ -6,6 +6,8 @@ let
   dnscrypt_listen_port = "5353";
 in
 {
+  architect.firewall.openUDPVPN = [ 53 ];
+
   services = {
     dnsmasq = {
       enable = true;

hosts/architect/firewall.nix

@@ -1,54 +1,13 @@
 { config, lib, ... }:
 
 with import ./network.nix;
+with lib;
 
 let
-  # TCP services
-  ssh_tcp = 22;
-  http_tcp = 80;
-  https_tcp = 443;
-  synapse_tcp = 8448;
-  gitea_tcp = 10022;
-  prosody_tcp = 5222;
-  minecraft_tcp = 25565;
-
-  # UDP services
-  dns_udp = 53;
-  wireguard_udp = 1194;
-
-  # TCP/UDP services
-  torrent_a = 51413;
-  torrent_b = 51414;
-
-  # grouping
-  open_tcp_ports = lib.concatMapStringsSep "," (x: toString x) [
-    ssh_tcp
-    http_tcp
-    https_tcp
-    synapse_tcp
-    gitea_tcp
-    torrent_a
-    torrent_b
-    minecraft_tcp
-  ];
-  open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
-    wireguard_udp
-    torrent_a
-    torrent_b
-    config.services.tailscale.port
-  ];
-  open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
-    ssh_tcp
-    http_tcp
-    https_tcp
-    prosody_tcp
-    minecraft_tcp
-  ];
-  open_udp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
-    dns_udp
-    wireguard_udp
-  ];
-
+  openTCP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCP;
+  openUDP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDP;
+  openTCPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCPVPN;
+  openUDPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDPVPN;
 in
 {
   networking = {
@@ -161,10 +120,11 @@ in
             ip saddr ${tailscale-net} accept comment "tailscale > local"
             ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
 
-            iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
-            iifname ${wan-if} udp dport {${open_udp_ports}} accept
-            iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept
-            iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept
+            iifname ${wan-if} tcp dport {${openTCP}} accept
+            iifname ${wan-if} udp dport {${openUDP}} accept
+            iifname ${vpn-if} tcp dport {${openTCPVPN}} accept
+            iifname ${vpn-if} udp dport {${openUDPVPN}} accept
+                      
             iifname ${vpn-if} icmp type echo-request accept
             iifname ${docker-if} udp dport 53 accept
             jump filter_drop

hosts/architect/gitea.nix

@@ -1,11 +1,12 @@
-{ lib, ... }:
+{ config, lib, ... }:
 
 let
   domain = "git.giugl.io";
   network = import ./network.nix;
-  auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
 in
 {
+  architect.firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ];
+
   services.gitea = {
     enable = true;
     database.type = "sqlite3";

hosts/architect/minecraft.nix

@@ -5,6 +5,8 @@ let
   network = import ./network.nix;
 in
 {
+  architect.firewall.openTCP = [ 25565 ];
+  
   services.minecraft-server = {
     enable = true;
     eula = true;

hosts/architect/nginx.nix

@@ -1,6 +1,11 @@
 { services, pkgs, lib, ... }:
 
 {
+  architect.firewall = {
+    openTCP = [ 80 443 ];
+    openTCPVPN = [ 80 443 ];
+  };
+
   services.nginx = {
     enable = true;
     package = pkgs.openresty;

hosts/architect/options.nix

@@ -0,0 +1,25 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+  options.architect.firewall = {
+    openTCP = mkOption {
+      type = types.listOf types.int;
+      default = [ ];
+    };
+    openUDP = mkOption {
+      type = types.listOf types.int;
+      default = [ ];
+    };
+    openTCPVPN = mkOption {
+      type = types.listOf types.int;
+      default = [ ];
+    };
+    openUDPVPN = mkOption {
+      type = types.listOf types.int;
+      default = [ ];
+    };
+  };
+
+}

hosts/architect/tailscale.nix

@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ config, lib, ... }:
 
 let
   network = import ./network.nix;
@@ -6,6 +6,8 @@ let
   ifname = "ts0";
 in
 {
+  architect.firewall.openUDP = [ config.services.tailscale.port ];
+
   services = {
     tailscale = {
       enable = true;

hosts/architect/wireguard.nix

@@ -1,4 +1,14 @@
-with import ./network.nix; {
+{ config, lib, ... }:
+with import ./network.nix;
+let
+  listenPort = 1194;
+in
+{
+  architect.firewall = {
+    openUDP = lib.singleton listenPort;
+    openUDPVPN = lib.singleton listenPort;
+  };
+
   networking = {
     extraHosts = ''
       ${architect-wg} architect.devs.giugl.io
@@ -37,7 +47,8 @@ with import ./network.nix; {
 
     wireguard = {
       interfaces.${vpn-if} = {
-        listenPort = 1194;
+        inherit listenPort;
+
         ips = [ "10.3.0.1/24" ];
         privateKeyFile = "/secrets/wireguard/server.key";