architect: Refactored firewall settings. Added architect.firewall option

flake.nix

@@ -18,26 +18,31 @@
       wrapPkgsSystem = { system }:
         import nixpkgs rec {
           inherit system;
-          unstable = wrapUnstablePkgsSystem { inherit system; };
+          
+          unstablePkgs = wrapUnstablePkgsSystem { inherit system; };
           config.allowUnfree = true;
           overlays = [
-            (final: prev: { inherit unstable; })
+            (final: prev: { inherit unstablePkgs; })
           ];
         };
 
       wrapUnstablePkgsSystem = { system }:
         import nixos-unstable {
           inherit system;
+          
           config.allowUnfree = true;
         };
 
-      wrapUtils = { pkgs, unstable, system }:
+      wrapUtils = { pkgs, unstablePkgs, system }:
         let
           inherit (pkgs.lib) makeScope;
           inherit (pkgs) newScope;
         in
-        makeScope newScope (self: {
+        makeScope newScope (self: rec {
           inherit nixpkgs home-manager nixos-unstable;
+          inherit (self.callPackage ./lib/utils.nix { }) mkSysRole mkHomeRole;
+          inherit (user) mkUser;
+
           user = self.callPackage ./lib/user.nix { };
           host = self.callPackage ./lib/host.nix { };
         });
@@ -45,15 +50,15 @@
 
       pkgsLinuxX64 = wrapPkgsSystem { system = sysLinuxX64; };
       unstableLinuxX64 = wrapUnstablePkgsSystem { system = sysLinuxX64; };
-      utilsLinuxX64 = wrapUtils { system = sysLinuxX64; pkgs = pkgsLinuxX64; unstable = unstableLinuxX64; };
+      utilsLinuxX64 = wrapUtils { system = sysLinuxX64; pkgs = pkgsLinuxX64; unstablePkgs = unstableLinuxX64; };
 
       pkgsLinuxAarch = wrapPkgsSystem { system = sysLinuxAarch; };
       unstableLinuxAarch = wrapUnstablePkgsSystem { system = sysLinuxAarch; };
-      utilsLinuxAarch = wrapUtils { system = sysLinuxAarch; pkgs = pkgsLinuxAarch; unstable = unstableLinuxAarch; };
+      utilsLinuxAarch = wrapUtils { system = sysLinuxAarch; pkgs = pkgsLinuxAarch; unstablePkgs = unstableLinuxAarch; };
 
       pkgsDarwin = wrapPkgsSystem { system = sysDarwin; };
       unstableDarwin = wrapUnstablePkgsSystem { system = sysDarwin; };
-      utilsDarwin = wrapUtils { system = sysDarwin; pkgs = pkgsDarwin; unstable = unstableDarwin; };
+      utilsDarwin = wrapUtils { system = sysDarwin; pkgs = pkgsDarwin; unstablePkgs = unstableDarwin; };
     in
     {
       nixosConfigurations = {

hosts/architect/default.nix

@@ -9,7 +9,7 @@ let
 in
 {
   imports = [
-    # Include the results of the hardware scan.
+    ./options.nix
     ./backup.nix
     ./hardware.nix
     ./firewall.nix
@@ -132,6 +132,11 @@ in
     driSupport = true;
   };
 
+  architect.firewall = {
+    openTCP = [ 22 ];
+    openTCPVPN = [ 22 ];
+  };
+  
   services = {
     fwupd.enable = true;
     das_watchdog.enable = true;

hosts/architect/deluge.nix

@@ -4,8 +4,15 @@ let
   domain = "htdel.giugl.io";
   network = import ./network.nix;
   auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
+
+  listenPorts = [ 51413 51414 ];
 in
 {
+  architect.firewall = {
+    openTCP = listenPorts;
+    openUDP = listenPorts;
+  };
+
   services = {
     deluge = {
       enable = true;
@@ -24,7 +31,7 @@ in
         max_connections_global = 1000;
         max_active_limit = 100;
         max_active_downloading = 100;
-        listen_ports = [ 51413 51414 ];
+        listen_ports = listenPorts;
         random_port = false;
         enabled_plugins = [ "Label" "Extractor" ];
       };

hosts/architect/dns.nix

@@ -6,6 +6,8 @@ let
   dnscrypt_listen_port = "5353";
 in
 {
+  architect.firewall.openUDPVPN = [ 53 ];
+
   services = {
     dnsmasq = {
       enable = true;

hosts/architect/firewall.nix

@@ -1,54 +1,13 @@
 { config, lib, ... }:
 
 with import ./network.nix;
+with lib;
 
 let
-  # TCP services
-  ssh_tcp = 22;
-  http_tcp = 80;
-  https_tcp = 443;
-  synapse_tcp = 8448;
-  gitea_tcp = 10022;
-  prosody_tcp = 5222;
-  minecraft_tcp = 25565;
-
-  # UDP services
-  dns_udp = 53;
-  wireguard_udp = 1194;
-
-  # TCP/UDP services
-  torrent_a = 51413;
-  torrent_b = 51414;
-
-  # grouping
-  open_tcp_ports = lib.concatMapStringsSep "," (x: toString x) [
-    ssh_tcp
-    http_tcp
-    https_tcp
-    synapse_tcp
-    gitea_tcp
-    torrent_a
-    torrent_b
-    minecraft_tcp
-  ];
-  open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
-    wireguard_udp
-    torrent_a
-    torrent_b
-    config.services.tailscale.port
-  ];
-  open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
-    ssh_tcp
-    http_tcp
-    https_tcp
-    prosody_tcp
-    minecraft_tcp
-  ];
-  open_udp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
-    dns_udp
-    wireguard_udp
-  ];
-
+  openTCP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCP;
+  openUDP = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDP;
+  openTCPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCPVPN;
+  openUDPVPN = concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDPVPN;
 in
 {
   networking = {
@@ -161,10 +120,11 @@ in
             ip saddr ${tailscale-net} accept comment "tailscale > local"
             ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
 
-            iifname ${wan-if} tcp dport {${open_tcp_ports}} accept
-            iifname ${wan-if} udp dport {${open_udp_ports}} accept
-            iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept
-            iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept
+            iifname ${wan-if} tcp dport {${openTCP}} accept
+            iifname ${wan-if} udp dport {${openUDP}} accept
+            iifname ${vpn-if} tcp dport {${openTCPVPN}} accept
+            iifname ${vpn-if} udp dport {${openUDPVPN}} accept
+                      
             iifname ${vpn-if} icmp type echo-request accept
             iifname ${docker-if} udp dport 53 accept
             jump filter_drop

hosts/architect/gitea.nix

@@ -1,11 +1,12 @@
-{ lib, ... }:
+{ config, lib, ... }:
 
 let
   domain = "git.giugl.io";
   network = import ./network.nix;
-  auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
 in
 {
+  architect.firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ];
+
   services.gitea = {
     enable = true;
     database.type = "sqlite3";

hosts/architect/invidious.nix

@@ -9,7 +9,7 @@ in
     invidious = {
       enable = true;
       port = 9092;
-      package = pkgs.unstable.invidious;
+      package = pkgs.unstablePkgs.invidious;
     };
 
     nginx.virtualHosts.${domain} = {

hosts/architect/jellyfin.nix

@@ -13,7 +13,7 @@ in
     jellyfin = {
       enable = true;
       group = "media";
-      package = pkgs.unstable.jellyfin;
+      package = pkgs.unstablePkgs.jellyfin;
     };
 
     nginx.virtualHosts.${domain} = {

hosts/architect/minecraft.nix

@@ -5,11 +5,13 @@ let
   network = import ./network.nix;
 in
 {
+  architect.firewall.openTCP = [ 25565 ];
+  
   services.minecraft-server = {
     enable = true;
     eula = true;
     declarative = true;
-    package = pkgs.unstable.minecraft-server;
+    package = pkgs.unstablePkgs.minecraft-server;
     serverProperties = { motd = "Welcome on the RuNas server!"; };
   };
 

hosts/architect/nextcloud.nix

@@ -9,7 +9,7 @@ in
   services = {
     mysql = {
       enable = true;
-      package = pkgs.unstable.mysql80;
+      package = pkgs.unstablePkgs.mysql80;
     };
 
     redis = {
@@ -24,7 +24,7 @@ in
       enable = true;
       hostName = domain;
       https = true;
-      package = pkgs.unstable.nextcloud25;
+      package = pkgs.unstablePkgs.nextcloud25;
       datadir = "/services/nextcloud";
       caching = {
         redis = true;

hosts/architect/nginx.nix

@@ -1,6 +1,11 @@
 { services, pkgs, lib, ... }:
 
 {
+  architect.firewall = {
+    openTCP = [ 80 443 ];
+    openTCPVPN = [ 80 443 ];
+  };
+
   services.nginx = {
     enable = true;
     package = pkgs.openresty;

hosts/architect/nitter.nix

@@ -12,7 +12,7 @@ in
       server = {
         port = 9093;
         hostname = domain;
-        staticDir = "${pkgs.unstable.nitter}/share/nitter/public";
+        staticDir = "${pkgs.unstablePkgs.nitter}/share/nitter/public";
       };
       preferences = {
         replaceYouTube = "tube.giugl.io";

hosts/architect/options.nix

@@ -0,0 +1,25 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+  options.architect.firewall = {
+    openTCP = mkOption {
+      type = types.listOf types.int;
+      default = [ ];
+    };
+    openUDP = mkOption {
+      type = types.listOf types.int;
+      default = [ ];
+    };
+    openTCPVPN = mkOption {
+      type = types.listOf types.int;
+      default = [ ];
+    };
+    openUDPVPN = mkOption {
+      type = types.listOf types.int;
+      default = [ ];
+    };
+  };
+
+}

hosts/architect/plex.nix

@@ -7,7 +7,7 @@ in
 {
   services.plex = {
     enable = true;
-    package = pkgs.unstable.plex;
+    package = pkgs.unstablePkgs.plex;
     dataDir = "/plex";
   };
 

hosts/architect/tailscale.nix

@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ config, lib, ... }:
 
 let
   network = import ./network.nix;
@@ -6,6 +6,8 @@ let
   ifname = "ts0";
 in
 {
+  architect.firewall.openUDP = [ config.services.tailscale.port ];
+
   services = {
     tailscale = {
       enable = true;

hosts/architect/wireguard.nix

@@ -1,4 +1,14 @@
-with import ./network.nix; {
+{ config, lib, ... }:
+with import ./network.nix;
+let
+  listenPort = 1194;
+in
+{
+  architect.firewall = {
+    openUDP = lib.singleton listenPort;
+    openUDPVPN = lib.singleton listenPort;
+  };
+
   networking = {
     extraHosts = ''
       ${architect-wg} architect.devs.giugl.io
@@ -37,7 +47,8 @@ with import ./network.nix; {
 
     wireguard = {
       interfaces.${vpn-if} = {
-        listenPort = 1194;
+        inherit listenPort;
+
         ips = [ "10.3.0.1/24" ];
         privateKeyFile = "/secrets/wireguard/server.key";
 

lib/host.nix

@@ -1,18 +1,26 @@
-{ pkgs, nixpkgs, nixos-unstable, unstable, home-manager, user, system, ... }:
+{ pkgs
+, nixpkgs
+, nixos-unstable
+, unstablePkgs
+, home-manager
+, system
+, mkHomeRole
+, mkSysRole
+, mkUser
+, ...
+}:
 
 {
   mkHost = { name, users, roles ? [ ], imports ? [ ] }:
     let
-      mkRole = role: pkgs.callPackage (../roles + "/${role}.nix") { };
-
       users_mod = (map
         (u:
-          user.mkUser {
+          mkUser {
             name = u.user;
             roles = u.roles;
           })
         users);
-      roles_mod = (map (r: mkRole r) roles);
+      roles_mod = (map (r: mkSysRole r) roles);
       add_imports = imports;
     in
     nixpkgs.lib.nixosSystem {
@@ -20,26 +28,36 @@
 
       modules = [
         {
-          imports = users_mod ++ roles_mod ++ add_imports;
+          imports = users_mod ++ roles_mod ++ add_imports ++ [
+            (mkSysRole "common")
+            (mkSysRole "acme")
+          ];
+
           nixpkgs = { inherit pkgs; };
 
-          nix.nixPath = [ "nixpkgs=${nixpkgs}" "unstable=${nixos-unstable}" ];
-          nix.registry.nixpkgs.flake = nixpkgs;
-          nix.registry.unstable.flake = nixos-unstable;
+          nix = {
+            nixPath = [
+              "nixpkgs=${nixpkgs}"
+              "unstable=${nixos-unstable}"
+            ];
+            registry = {
+              nixpkgs.flake = nixpkgs;
+              unstable.flake = nixos-unstable;
+            };
+          };
 
           users.users.root = { shell = pkgs.zsh; };
 
           home-manager = {
-            users.root.imports = [ ../roles/home/common.nix ];
-            extraSpecialArgs.unstable = unstable;
+            users.root.imports = pkgs.lib.singleton (mkHomeRole "common");
+            extraSpecialArgs.unstablePkgs = unstablePkgs;
             useGlobalPkgs = true;
           };
+
           system.stateVersion = "22.11";
         }
 
         home-manager.nixosModules.home-manager
-        ../roles/common.nix
-        ../roles/acme.nix
         ../hosts/${name}/default.nix
       ];
     };

lib/user.nix

@@ -1,10 +1,9 @@
-{ pkgs, unstable, home-manager, ... }:
+{ pkgs, home-manager, mkHomeRole, ... }:
 
 {
   mkUser = { name, roles ? [ ] }:
     let
-      mkRole = role: import (../roles/home + "/${role}.nix");
-      roles_mod = (map (r: mkRole r) roles);
+      roles_mod = (map (r: mkHomeRole r) roles);
     in
     {
       users.groups.plugdev = { };
@@ -21,13 +20,12 @@
         extraGroups = [ "wheel" "plugdev" ];
       };
 
-      home-manager.users.${name}.imports = [ (mkRole "common") ] ++ roles_mod;
+      home-manager.users.${name}.imports = [ (mkHomeRole "common") ] ++ roles_mod;
     };
 
-  mkHMUser = { name, roles }:
+  mkHMUser = { name, roles ? [ ] }:
     let
-      mkRole = role: import (../roles/home + "/${role}.nix");
-      roles_mod = (map (r: mkRole r) roles);
+      roles_mod = (map (r: mkHomeRole r) roles);
     in
     home-manager.lib.homeManagerConfiguration {
       inherit pkgs;
@@ -39,7 +37,7 @@
               if pkgs.stdenv.isLinux then "/home/${name}" else "/Users/${name}";
           };
         }
-        (mkRole "common")
+        (mkHomeRole "common")
       ] ++ roles_mod;
     };
 }

lib/utils.nix

@@ -0,0 +1,6 @@
+{ ... }:
+
+{
+  mkSysRole = role: import (../roles/${role}.nix);
+  mkHomeRole = role: import (../roles/home/${role}.nix);
+}

roles/gnome.nix

@@ -22,7 +22,7 @@
   environment.systemPackages = with pkgs; [
     gnomeExtensions.appindicator
     gnomeExtensions.sound-output-device-chooser
-    pkgs.unstable.gnomeExtensions.pop-shell
+    pkgs.unstablePkgs.gnomeExtensions.pop-shell
   ];
   security.pam.services.gdm.enableGnomeKeyring = true;
 }

roles/home/helix.nix

@@ -33,7 +33,7 @@
       formatter = { command = "nixpkgs-fmt" }
     '';
 
-    packages = with pkgs.unstable; [
+    packages = with pkgs.unstablePkgs; [
       helix
       clang-tools
       rust-analyzer