diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix
index 77e94a8..03dda99 100644
--- a/hosts/architect/default.nix
+++ b/hosts/architect/default.nix
@@ -9,7 +9,7 @@ let
 in
 {
   imports = [
-    # Include the results of the hardware scan.
+    ./options.nix
     ./backup.nix
     ./hardware.nix
     ./firewall.nix
@@ -132,6 +132,11 @@ in
     driSupport = true;
   };
+
+  architect.firewall = {
+    openTCP = [ 22 ];
+    openTCPVPN = [ 22 ];
+  };
+
   services = {
     fwupd.enable = true;
     das_watchdog.enable = true;
diff --git a/hosts/architect/deluge.nix b/hosts/architect/deluge.nix
index 1a5c131..cf3a781 100644
--- a/hosts/architect/deluge.nix
+++ b/hosts/architect/deluge.nix
@@ -4,8 +4,15 @@ let
   domain = "htdel.giugl.io";
   network = import ./network.nix;
   auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
+
+  listenPorts = [ 51413 51414 ];
 in
 {
+  architect.firewall = {
+    openTCP = listenPorts;
+    openUDP = listenPorts;
+  };
+
   services = {
     deluge = {
       enable = true;
@@ -24,7 +31,7 @@ in
       max_connections_global = 1000;
       max_active_limit = 100;
       max_active_downloading = 100;
-      listen_ports = [ 51413 51414 ];
+      listen_ports = listenPorts;
       random_port = false;
       enabled_plugins = [ "Label" "Extractor" ];
     };
diff --git a/hosts/architect/dns.nix b/hosts/architect/dns.nix
index d8542e7..4121292 100644
--- a/hosts/architect/dns.nix
+++ b/hosts/architect/dns.nix
@@ -6,6 +6,8 @@ let
   dnscrypt_listen_port = "5353";
 in
 {
+  architect.firewall.openUDPVPN = [ 53 ];
+
   services = {
     dnsmasq = {
       enable = true;
diff --git a/hosts/architect/firewall.nix b/hosts/architect/firewall.nix
index c25ab23..0d09838 100644
--- a/hosts/architect/firewall.nix
+++ b/hosts/architect/firewall.nix
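Review bot: `architect.firewall.openUDPVPN = [ 53 ];` exposes the resolver to VPN peers over UDP only; answers that exceed the UDP size (DNSSEC, large record sets) come back truncated and clients retry over TCP 53, which stays closed on the VPN interface, so if dnsmasq is meant to serve VPN clients consider adding `architect.firewall.openTCPVPN = [ 53 ];` beside it. The pre-change lists had the same gap, so this is not a regression of this commit, and dnsmasq's listen configuration is outside the hunk, so whether TCP was excluded on purpose is an inference.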
@@ -1,54 +1,13 @@
 { config, lib, ... }:
 with import ./network.nix;
+with lib;
 let
-  # TCP services
-  ssh_tcp = 22;
-  http_tcp = 80;
-  https_tcp = 443;
-  synapse_tcp = 8448;
-  gitea_tcp = 10022;
-  prosody_tcp = 5222;
-  minecraft_tcp = 25565;
-
-  # UDP services
-  dns_udp = 53;
-  wireguard_udp = 1194;
-
-  # TCP/UDP services
-  torrent_a = 51413;
-  torrent_b = 51414;
-
-  # grouping
-  open_tcp_ports = lib.concatMapStringsSep "," (x: toString x) [
-    ssh_tcp
-    http_tcp
-    https_tcp
-    synapse_tcp
-    gitea_tcp
-    torrent_a
-    torrent_b
-    minecraft_tcp
-  ];
-  open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
-    wireguard_udp
-    torrent_a
-    torrent_b
-    config.services.tailscale.port
-  ];
-  open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
-    ssh_tcp
-    http_tcp
-    https_tcp
-    prosody_tcp
-    minecraft_tcp
-  ];
-  open_udp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
-    dns_udp
-    wireguard_udp
-  ];
-
+  openTCP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCP;
+  openUDP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDP;
+  openTCPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCPVPN;
+  openUDPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDPVPN;
 in
 {
   networking = {
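Review bot: The hard-coded lists removed here carried three ports that no hunk in this diff re-declares through the new options — 8448/tcp (synapse) on the WAN side, and 5222/tcp (prosody) and 25565/tcp (minecraft) on the VPN side — so after this change they are closed unless a module I cannot see (the chunk ends inside wireguard.nix) sets them. Closing is the safe direction, but if it is unintended the fix is one line in each owning module, e.g. `architect.firewall.openTCPVPN = [ 25565 ];` next to the `openTCP` line in minecraft.nix. Because several modules now merge into the same list, consider deduplicating in the four definitions here, `openTCP = concatMapStringsSep "," toString (unique config.architect.firewall.openTCP);`, so a port declared twice does not render as a duplicate set member (`(x: toString x)` is just `toString`). The `let` block this hunk rewrites is complete here; the rules that consume these strings are in the second hunk.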
@@ -161,10 +120,11 @@ in
         ip saddr ${tailscale-net} accept comment "tailscale > local"
         ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
-        iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
-        iifname ${wan-if} udp dport {${open_udp_ports}} accept
-        iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept
-        iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept
+        iifname ${wan-if} tcp dport {${openTCP}} accept
+        iifname ${wan-if} udp dport {${openUDP}} accept
+        iifname ${vpn-if} tcp dport {${openTCPVPN}} accept
+        iifname ${vpn-if} udp dport {${openUDPVPN}} accept
+        iifname ${vpn-if} icmp type echo-request accept
         iifname ${docker-if} udp dport 53 accept
         jump filter_drop
diff --git a/hosts/architect/gitea.nix b/hosts/architect/gitea.nix
index bc1bb3d..3f4c8a9 100644
--- a/hosts/architect/gitea.nix
+++ b/hosts/architect/gitea.nix
@@ -1,11 +1,12 @@
-{ lib, ... }:
+{ config, lib, ... }:
 let
   domain = "git.giugl.io";
   network = import ./network.nix;
-  auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
 in
 {
+  architect.firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ];
+
   services.gitea = {
     enable = true;
     database.type = "sqlite3";
diff --git a/hosts/architect/minecraft.nix b/hosts/architect/minecraft.nix
index af78431..96a4a35 100644
--- a/hosts/architect/minecraft.nix
+++ b/hosts/architect/minecraft.nix
@@ -5,6 +5,8 @@ let
   network = import ./network.nix;
 in
 {
+  architect.firewall.openTCP = [ 25565 ];
+
   services.minecraft-server = {
     enable = true;
     eula = true;
diff --git a/hosts/architect/nginx.nix b/hosts/architect/nginx.nix
index 0cbfe53..6f053a7 100644
--- a/hosts/architect/nginx.nix
+++ b/hosts/architect/nginx.nix
@@ -1,6 +1,11 @@
 { services, pkgs, lib, ... }:
 {
+  architect.firewall = {
+    openTCP = [ 80 443 ];
+    openTCPVPN = [ 80 443 ];
+  };
+
   services.nginx = {
     enable = true;
     package = pkgs.openresty;
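Review bot: With the option defaults of `[ ]`, any of the four port strings interpolated here can be empty, and nft rejects `tcp dport {} accept` as a syntax error, so a host that imports firewall.nix without, say, any UDP-on-VPN contributor would fail to load the whole ruleset instead of just omitting that rule. Every list has at least one contributor in this diff, so the failure is latent today, but guarding each rule with `optionalString` (in scope through the `with lib;` the first hunk adds) costs nothing. The new `icmp type echo-request` rule matches IPv4 only, which is consistent with the `10.3.0.1/24` tunnel address in wireguard.nix; revisit it if the VPN ever carries IPv6. The nftables string this hunk edits starts and ends outside the hunk.
```nix
# … unchanged: tailscale / vpn "saddr accept" rules …
${optionalString (openTCP != "") "iifname ${wan-if} tcp dport {${openTCP}} accept"}
${optionalString (openUDP != "") "iifname ${wan-if} udp dport {${openUDP}} accept"}
${optionalString (openTCPVPN != "") "iifname ${vpn-if} tcp dport {${openTCPVPN}} accept"}
${optionalString (openUDPVPN != "") "iifname ${vpn-if} udp dport {${openUDPVPN}} accept"}
iifname ${vpn-if} icmp type echo-request accept
# … unchanged: docker DNS accept, jump filter_drop …
```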
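Review bot: `architect.firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ];` opens whatever SSH_PORT evaluates to on the WAN interface unconditionally, whereas the old firewall hard-coded 10022 for gitea; whether the two agree depends on `services.gitea.settings.server` lines outside this hunk, so confirm SSH_PORT is set there and that gitea's built-in SSH server is actually enabled, otherwise this may silently expose a different port or one nothing listens on. Tying the declaration to the service also avoids a port staying open once gitea is switched off: `architect.firewall.openTCP = lib.optional config.services.gitea.enable config.services.gitea.settings.server.SSH_PORT;`. The removed `auth_block` binding has no remaining user in the visible lines, so that deletion looks right.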
diff --git a/hosts/architect/options.nix b/hosts/architect/options.nix
new file mode 100644
index 0000000..5f530b9
--- /dev/null
+++ b/hosts/architect/options.nix
@@ -0,0 +1,25 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+  options.architect.firewall = {
+    openTCP = mkOption {
+      type = types.listOf types.int;
+      default = [ ];
+    };
+    openUDP = mkOption {
+      type = types.listOf types.int;
+      default = [ ];
+    };
+    openTCPVPN = mkOption {
+      type = types.listOf types.int;
+      default = [ ];
+    };
+    openUDPVPN = mkOption {
+      type = types.listOf types.int;
+      default = [ ];
+    };
+  };
+
+}
diff --git a/hosts/architect/tailscale.nix b/hosts/architect/tailscale.nix
index 49fd1ad..43dcab0 100644
--- a/hosts/architect/tailscale.nix
+++ b/hosts/architect/tailscale.nix
@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ config, lib, ... }:
 let
   network = import ./network.nix;
@@ -6,6 +6,8 @@ let
   ifname = "ts0";
 in
 {
+  architect.firewall.openUDP = [ config.services.tailscale.port ];
+
   services = {
     tailscale = {
       enable = true;
diff --git a/hosts/architect/wireguard.nix b/hosts/architect/wireguard.nix
index cddca63..bb8b5f9 100644
--- a/hosts/architect/wireguard.nix
+++ b/hosts/architect/wireguard.nix
@@ -1,4 +1,14 @@
-with import ./network.nix; {
+{ config, lib, ... }:
+with import ./network.nix;
+let
+  listenPort = 1194;
+in
+{
+  architect.firewall = {
+    openUDP = lib.singleton listenPort;
+    openUDPVPN = lib.singleton listenPort;
+  };
+
   networking = {
     extraHosts = ''
       ${architect-wg} architect.devs.giugl.io
@@ -37,7 +47,8 @@ with import ./network.nix; {
   wireguard = {
     interfaces.${vpn-if} = {
-      listenPort = 1194;
+      inherit listenPort;
+
       ips = [ "10.3.0.1/24" ];
       privateKeyFile = "/secrets/wireguard/server.key";
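Review bot: The four options are typed `types.listOf types.int`, which accepts 0, negative or >65535 values that only fail when nft loads the ruleset; `types.listOf types.port` rejects them at evaluation time, and since several modules merge into the same list an `apply = unique;` keeps a port declared twice from becoming a duplicate set member. None of the options carries a `description`, so nothing tells a reader which interface each list opens; e.g. `openTCP = mkOption { type = types.listOf types.port; default = [ ]; apply = unique; description = "TCP ports accepted from the WAN interface."; };` with the analogous text for the UDP and `*VPN` variants. The `config` argument in the module signature is unused and can be dropped.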