From e5aab58be74888639d6a9abc6c3ddd120ed76c25 Mon Sep 17 00:00:00 2001
From: Giulio De Pasquale
Date: Fri, 12 May 2023 14:28:58 +0200
Subject: [PATCH] architect: port firewall to networking attrset
---
 hosts/architect/firewall.nix | 91 +++++++++++++++++++++++-------------
 1 file changed, 58 insertions(+), 33 deletions(-)
diff --git a/hosts/architect/firewall.nix b/hosts/architect/firewall.nix
index b7989cc..3194b36 100644
--- a/hosts/architect/firewall.nix
+++ b/hosts/architect/firewall.nix
@@ -1,13 +1,38 @@
 { config, lib, ... }:
-with import ./network.nix;
-with lib;
-
 let
- openTCP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCP;
- openUDP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDP;
- openTCPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCPVPN;
- openUDPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDPVPN;
+ openTCP = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCP;
+ openUDP = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDP;
+ openTCPVPN = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCPVPN;
+ openUDPVPN = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDPVPN;
+
+ deviceAddress = interface: device:
+ config.architect.networks.${interface}.devices.${device}.address;
+
+ gdevices = [
+ (deviceAddress "tailscale" "architect")
+ (deviceAddress "tailscale" "dodino")
+ (deviceAddress "tailscale" "manduria")
+ (deviceAddress "tailscale" "kmerr")
+ (deviceAddress "tailscale" "chuck")
+ ];
+
+ wireguardToWAN = [
+ (deviceAddress "wireguard" "shield")
+ (deviceAddress "wireguard" "parina")
+ (deviceAddress "wireguard" "parina-ipad")
+ (deviceAddress "wireguard" "germano")
+ ];
+
+ frameccaDevices = [
+ (deviceAddress "wireguard" "framecca")
+ (deviceAddress "wireguard" "framecca_one")
+ (deviceAddress "wireguard" "framecca_two")
+ (deviceAddress "wireguard" "framecca_three")
+ (deviceAddress "wireguard" "framecca_four")
+ ];
+
+ clientToClientWireguard = frameccaDevices;
 in
 {
 networking = {
@@ -17,7 +42,7 @@ in
 nftables = {
 enable = true;
- ruleset = ''
+ ruleset = with config.architect.networks; ''
 table ip raw {
 chain PREROUTING {
 type filter hook prerouting priority raw; policy accept;
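Review bot: The three address lists introduced in this hunk (`gdevices`, `wireguardToWAN`, and `frameccaDevices` aliased as `clientToClientWireguard`) carry no comment saying what privilege membership grants, and that only becomes clear from the rules much further down that consume them: the accept commented "vpn > local", the POSTROUTING masquerade, and the "client to client" forward accept. Since editing these lists is how a peer gains unconditional access to the host, gets NATed out of the uplink, or is allowed to reach the other peers, a one-line comment per list would help the next person touching them, e.g. `# Tailscale peers accepted unconditionally ("vpn > local")` above `gdevices`, `# WireGuard peers masqueraded out of lan.interface` above `wireguardToWAN`, and `# WireGuard peers allowed to forward to each other ("client to client")` above `frameccaDevices`. The name `gdevices` in particular says nothing about its role, so the comment is the cheapest fix without renaming anything in the ruleset.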
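Review bot: `ruleset = with config.architect.networks; ''` resolves `lan`, `wireguard`, `docker` and `tailscale` implicitly inside a string that spans most of the file, so a mistyped network name only surfaces as an undefined-variable error at the interpolation that uses it, and any `let` binding that happens to share one of those names silently wins over the attrset. Binding the four networks explicitly in the `let` block, `inherit (config.architect.networks) lan wireguard docker tailscale;`, and keeping `ruleset = ''` makes the dependency visible at the top of the file while leaving every `${lan.interface}`-style interpolation unchanged. The `ruleset` string continues well past this hunk.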
@@ -43,11 +68,11 @@ in
 chain POSTROUTING {
 type nat hook postrouting priority srcnat; policy accept;
- oifname ${wan-if} ip saddr {${
- lib.concatStringsSep "," towan-wg
+ oifname ${lan.interface} ip saddr {${
+ lib.concatStringsSep "," wireguardToWAN
 }} masquerade
- oifname ${wan-if} ip saddr ${docker-net} masquerade
- oifname ${wan-if} ip saddr ${tailscale-net} masquerade
+ oifname ${lan.interface} ip saddr ${docker.net} masquerade
+ oifname ${lan.interface} ip saddr ${tailscale.net} masquerade
 }
 }
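Review bot: Every former `${wan-if}` becomes `${lan.interface}` here and in the three following hunks, so the masquerade rules, the anti-spoof drops and the forward rules still commented "nat to wan" now all hinge on `config.architect.networks.lan.interface` naming the same uplink NIC that `wan-if` did; network.nix is not part of the diff, so this cannot be confirmed here, and if `lan` there is a separate internal segment then NAT and anti-spoofing silently move to the wrong interface. A comment on the first use would at least record the intent, e.g. `# "lan" is this host's uplink: NAT and anti-spoof rules all hang off lan.interface`, and a dedicated `wan` entry in the networks attrset would let the rule text match its comments again. The `table` and `chain` enclosing this hunk begin above it.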
@@ -57,13 +82,13 @@ in
 ct state invalid,untracked drop comment "drop invalid"
 ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
 ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
- iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}"
- iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}"
- iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}"
- iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
- iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
- iifname ${tailscale-if} ip saddr ${tailscale-net} accept
- iifname ${tailscale-if} ip saddr 100.100.100.100/32 accept
+ iifname ${lan.interface} ip saddr ${wireguard.net} drop comment "bind any ip to intf ${lan.interface}"
+ iifname ${lan.interface} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${lan.interface}"
+ iifname ${lan.interface} accept comment "bind any ip to intf ${lan.interface}"
+ iifname ${wireguard.interface} ip saddr ${wireguard.net} accept comment "bind ip ${wireguard.net} to intf ${wireguard.interface}"
+ iifname ${docker.interface} ip saddr ${docker.net} accept comment "bind ip ${docker.net} to intf ${docker.interface}"
+ iifname ${tailscale.interface} ip saddr ${tailscale.net} accept
+ iifname ${tailscale.interface} ip saddr 100.100.100.100/32 accept
 iifname "lo" accept comment "bind any ip to intf lo"
 jump mangle_drop
 }
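Review bot: The rewritten anti-spoof block drops only `${wireguard.net}` and 127.0.0.0/8 sources on `${lan.interface}` before `iifname ${lan.interface} accept` lets everything else through, yet the later hunk's rules accept `ip saddr ${tailscale.net}` and the `gdevices` addresses with no `iifname` qualifier at all, so a packet arriving on the uplink with a Tailscale or Docker source address is never rejected as spoofed and can reach those interface-less accepts. Unless the uplink already filters these ranges, two more lines before the blanket accept close the gap: `iifname ${lan.interface} ip saddr ${tailscale.net} drop comment "bind any ip to intf ${lan.interface}"` and `iifname ${lan.interface} ip saddr ${docker.net} drop comment "bind any ip to intf ${lan.interface}"`. The chain header sits above this hunk, so the hook it runs on is only inferred from `jump mangle_drop`.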
@@ -116,17 +141,17 @@ in
 iifname "lo" accept comment "loopback"
 ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
 ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
- ip saddr ${lan-net} accept comment "lan > local"
- ip saddr ${tailscale-net} accept comment "tailscale > local"
+ ip saddr ${lan.net} accept comment "lan > local"
+ ip saddr ${tailscale.net} accept comment "tailscale > local"
 ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
- iifname ${wan-if} tcp dport {${openTCP}} accept
- iifname ${wan-if} udp dport {${openUDP}} accept
- iifname ${vpn-if} tcp dport {${openTCPVPN}} accept
- iifname ${vpn-if} udp dport {${openUDPVPN}} accept
+ iifname ${lan.interface} tcp dport {${openTCP}} accept
+ iifname ${lan.interface} udp dport {${openUDP}} accept
+ iifname ${wireguard.interface} tcp dport {${openTCPVPN}} accept
+ iifname ${wireguard.interface} udp dport {${openUDPVPN}} accept
- iifname ${vpn-if} icmp type echo-request accept
- iifname ${docker-if} udp dport 53 accept
+ iifname ${wireguard.interface} icmp type echo-request accept
+ iifname ${docker.interface} udp dport 53 accept
 jump filter_drop
 }
@@ -135,17 +160,17 @@ in
 ct state established,related accept
 # client to client
- ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${
- lib.concatStringsSep "," c2c-wg
+ ip saddr {${lib.concatStringsSep "," clientToClientWireguard}} ip daddr {${
+ lib.concatStringsSep "," clientToClientWireguard
 }} accept
 # nat to wan
- oifname ${wan-if} ip saddr {${
- lib.concatStringsSep "," towan-wg
+ oifname ${lan.interface} ip saddr {${
+ lib.concatStringsSep "," wireguardToWAN
 }} accept
- oifname ${wan-if} ip saddr ${docker-net} accept
- oifname ${wan-if} ip saddr ${tailscale-net} accept
+ oifname ${lan.interface} ip saddr ${docker.net} accept
+ oifname ${lan.interface} ip saddr ${tailscale.net} accept
 jump filter_drop
 }
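Review bot: `tcp dport {${openTCP}} accept` and its three siblings in this hunk interpolate the comma-joined lists from the top of the file straight into an anonymous nft set, and as far as I know nft rejects an empty `{}`, so leaving any of `openTCP`, `openUDP`, `openTCPVPN` or `openUDPVPN` unset makes the whole ruleset fail to load instead of just omitting that rule; the commit rewrites these lines but keeps that failure mode. Guarding each rule, e.g. `${lib.optionalString (config.architect.firewall.openTCP != []) "iifname ${lan.interface} tcp dport {${openTCP}} accept"}`, lets an empty list mean "nothing open on that interface", which is the safer default for a host firewall. The chain header is above this hunk.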