modules/nixos/katnet: Firewall handler

hosts/athame/nixos/default.nix

@@ -29,13 +29,6 @@
 
   deploy.target = "infra";
 
-  security.acme.certs."athame.net.kittywit.ch" = {
-    domain = "athame.net.kittywit.ch";
-    dnsProvider = "rfc2136";
-    credentialsFile = config.secrets.files.dns_creds.path;
-    group = "nginx";
-  };
-
   networking = {
     hostName = "athame";
     domain = "kittywit.ch";
@@ -54,39 +47,8 @@
     interface = "enp1s0";
   };
 
-  networking.firewall.interfaces.hexnet.allowedTCPPorts = [
-    80 # http
-    443 # https
-  ];
-
-  networking.firewall.interfaces.enp1s0.allowedTCPPorts = [
-    80 # http
-    443 # https
-    5160 # asterisk
-    5060 # asterisk
-    8999 # syncplay
-    64738 # murmur
-    1935 # rtmp
-    53589 # taskwarrior
-    5001 # znc
-    62969 # yggdrasil
-  ];
-
-  networking.firewall.interfaces.enp1s0.allowedUDPPorts = [
-    5160 # asterisk
-    5060 # asterisk
-    64738 # murmur
-  ];
-
-  networking.firewall.interfaces.enp1s0.allowedTCPPortRanges = [{
-    from = 10000;
-    to = 20000;
-  }]; # asterisk
-
-  networking.firewall.interfaces.enp1s0.allowedUDPPortRanges = [{
-    from = 10000;
-    to = 20000;
-  }]; # asterisk
+  katnet.public.interfaces = singleton "enp1s0";
+  katnet.private.interfaces = singleton "hexnet";
 
   deploy.tf.dns.records.kittywitch_athame_v6 = {
     tld = "kittywit.ch.";

hosts/athame/nixos/fail2ban.nix

@@ -1,84 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  services.fail2ban = {
-    enable = true;
-    jails = {
-      DEFAULT = ''
-        bantime  = 1d
-        blocktype = DROP
-        logpath  = /var/log/auth.log
-      '';
-      asterisk = ''
-        enabled  = true
-        filter   = asterisk
-        action   = iptables-allports[name=ASTERISK, protocol=all]
-        logpath  = /var/log/asterisk/messages
-        maxretry = 4
-      '';
-      ssh = ''
-        enabled = true
-        filter = sshd
-        maxretry = 4
-        action = iptables[name=SSH, port=ssh, protocol=tcp]
-      '';
-      sshd-ddos = ''
-        enabled  = true
-        filter = sshd-ddos
-        maxretry = 4
-        action   = iptables[name=ssh, port=ssh, protocol=tcp]
-      '';
-      postfix = ''
-        enabled  = true
-        filter   = postfix
-        maxretry = 3
-        action   = iptables[name=postfix, port=smtp, protocol=tcp]
-      '';
-      postfix-sasl = ''
-        enabled  = true
-        filter   = postfix-sasl
-        port     = postfix,imap3,imaps,pop3,pop3s
-        maxretry = 3
-        action   = iptables[name=postfix, port=smtp, protocol=tcp]
-      '';
-      postfix-ddos = ''
-        enabled  = true
-        filter   = postfix-ddos
-        maxretry = 3
-        action   = iptables[name=postfix, port=submission, protocol=tcp]
-        bantime  = 7200
-      '';
-    };
-  };
-
-  environment.etc."fail2ban/filter.d/postfix-sasl.conf" = {
-    enable = true;
-    text = ''
-      # Fail2Ban filter for postfix authentication failures
-      [INCLUDES]
-      before = common.conf
-      [Definition]
-      daemon = postfix/smtpd
-      failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
-    '';
-  };
-
-  environment.etc."fail2ban/filter.d/postfix-ddos.conf" = {
-    enable = true;
-    text = ''
-      [Definition]
-      failregex = lost connection after EHLO from \S+\[<HOST>\]
-    '';
-  };
-
-  environment.etc."fail2ban/filter.d/sshd-ddos.conf" = {
-    enable = true;
-    text = ''
-      [Definition]
-      failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$
-      ignoreregex =
-    '';
-  };
-
-  systemd.services.fail2ban.serviceConfig.LimitSTACK = 128 * 1024;
-}

hosts/samhain/nixos/default.nix

@@ -93,48 +93,6 @@ in {
   networking.interfaces.enp34s0.useDHCP = true;
   networking.firewall.allowPing = true;
 
-  services.nginx.appendConfig = ''
-    rtmp {
-      server {
-        listen [::]:1935 ipv6only=off;
-        application kattv {
-          live on;
-
-          allow publish all;
-          allow play all;
-        }
-      }
-    }
-  '';
-  
-  networking.firewall.interfaces.enp34s0.allowedTCPPorts = [
-    80 # http
-    443 # https
-  ];
-
-  networking.firewall.interfaces.hexnet.allowedTCPPorts = [
-    80 # http
-    443 # https
-    32101 # mpv
-    443 # https
-    111 # nfs
-    2049 # nfs
-    1935 # rtmp
-  ];
-
-  networking.firewall.interfaces.enp34s0.allowedUDPPorts = [
-    4010 # scream
-    111 # nfs
-    2049 # nfs
-  ];
-
-  networking.firewall.interfaces.hexnet.allowedUDPPorts = [ ];
-
-  networking.firewall.allowedUDPPortRanges = [{
-    from = 32768;
-    to = 60999;
-  }]; # dnla
-
   services.avahi.enable = true;
 
   hexchen.network = {

hosts/samhain/nixos/vm/default.nix

@@ -105,6 +105,8 @@
      };
   */
 
+  katnet.public.tcp.ports = [ 4010 ];
+
   home-manager.users.kat = {
     # audio for vm on startup
     systemd.user.services = {

modules/nixos/katnet/default.nix

@@ -2,12 +2,88 @@
 
 with lib;
 
-{
-  config = mkIf config.hexchen.network.enable {
-    deploy.tf.dns.records."kittywitch_net_${config.networking.hostName}" = {
-      tld = "kittywit.ch.";
-      domain = "${config.networking.hostName}.net";
-      aaaa.address = config.hexchen.network.address;
+let cfg = config.katnet;
+in {
+  options.katnet = {
+    public.tcp.ports = mkOption {
+      type = types.listOf types.port;
+      default = [ ];
+    };
+    public.udp.ports = mkOption {
+      type = types.listOf types.port;
+      default = [ ];
+    };
+    private.tcp.ports = mkOption {
+      type = types.listOf types.port;
+      default = [ ];
+    };
+    private.udp.ports = mkOption {
+      type = types.listOf types.port;
+      default = [ ];
+    };
+
+    public.tcp.ranges = mkOption {
+      type = types.listOf (types.attrsOf types.port);
+      default = [ ];
+    };
+    public.udp.ranges = mkOption {
+      type = types.listOf (types.attrsOf types.port);
+      default = [ ];
+    };
+    private.tcp.ranges = mkOption {
+      type = types.listOf (types.attrsOf types.port);
+      default = [ ];
+    };
+    private.udp.ranges = mkOption {
+      type = types.listOf (types.attrsOf types.port);
+      default = [ ];
+    };
+
+    public.interfaces = mkOption {
+      type = types.listOf types.str;
+      description = "Public firewall interfaces";
+      default = [ ];
+    };
+    private.interfaces = mkOption {
+      type = types.listOf types.str;
+      description = "Private firewall interfaces";
+      default = [ ];
     };
   };
+
+  config = {
+    networking.firewall.interfaces = let
+      fwTypes = {
+        ports = "Ports";
+        ranges = "PortRanges";
+      };
+
+      interfaceDef = visibility:
+        listToAttrs (flatten (mapAttrsToList (type: typeString:
+          map (proto: {
+            name = "allowed${toUpper proto}${typeString}";
+            value = cfg.${visibility}.${proto}.${type};
+          }) [ "tcp" "udp" ]) fwTypes));
+
+      interfaces = visibility:
+        listToAttrs
+        (map (interface: nameValuePair interface (interfaceDef visibility))
+          cfg.${visibility}.interfaces);
+    in mkMerge (map (visibility: interfaces visibility) [ "public" "private" ]);
+
+    deploy.tf.dns.records."kittywitch_net_${config.networking.hostName}" =
+      mkIf config.hexchen.network.enable {
+        tld = "kittywit.ch.";
+        domain = "${config.networking.hostName}.net";
+        aaaa.address = config.hexchen.network.address;
+      };
+
+    security.acme.certs."${config.networking.hostName}.net.kittywit.ch" =
+      mkIf (config.services.nginx.enable && config.hexchen.network.enable) {
+        domain = "${config.networking.hostName}.net.kittywit.ch";
+        dnsProvider = "rfc2136";
+        credentialsFile = config.secrets.files.dns_creds.path;
+        group = "nginx";
+      };
+  };
 }

services/asterisk.nix

@@ -1,6 +1,29 @@
 { config, pkgs, witch, ... }:
 
 {
+  katnet.public.tcp.ports = [ 5160 5060 ];
+  katnet.public.udp.ports = [ 5160 5060 ];
+
+  katnet.public.tcp.ranges = [{
+    from = 10000;
+    to = 20000;
+  }];
+
+  katnet.public.udp.ranges = [{
+    from = 10000;
+    to = 20000;
+  }];
+
+  services.fail2ban.jails = {
+    asterisk = ''
+      enabled  = true
+      filter   = asterisk
+      action   = iptables-allports[name=ASTERISK, protocol=all]
+      logpath  = /var/log/asterisk/messages
+      maxretry = 4
+    '';
+  };
+
   services.asterisk = {
     enable = true;
     confFiles = {

services/mail.nix

@@ -5,6 +5,49 @@ with lib;
 {
   imports = [ sources.nixos-mailserver.outPath ];
 
+  services.fail2ban.jails = {
+    postfix = ''
+      enabled  = true
+      filter   = postfix
+      maxretry = 3
+      action   = iptables[name=postfix, port=smtp, protocol=tcp]
+    '';
+    postfix-sasl = ''
+      enabled  = true
+      filter   = postfix-sasl
+      port     = postfix,imap3,imaps,pop3,pop3s
+      maxretry = 3
+      action   = iptables[name=postfix, port=smtp, protocol=tcp]
+    '';
+    postfix-ddos = ''
+      enabled  = true
+      filter   = postfix-ddos
+      maxretry = 3
+      action   = iptables[name=postfix, port=submission, protocol=tcp]
+      bantime  = 7200
+    '';
+  };
+
+  environment.etc."fail2ban/filter.d/postfix-sasl.conf" = {
+    enable = true;
+    text = ''
+      # Fail2Ban filter for postfix authentication failures
+      [INCLUDES]
+      before = common.conf
+      [Definition]
+      daemon = postfix/smtpd
+      failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
+    '';
+  };
+
+  environment.etc."fail2ban/filter.d/postfix-ddos.conf" = {
+    enable = true;
+    text = ''
+      [Definition]
+      failregex = lost connection after EHLO from \S+\[<HOST>\]
+    '';
+  };
+
   deploy.tf.variables.domainkey_kitty = {
     type = "string";
     value.shellCommand = "bitw get infra/domainkey-kitty";

services/murmur.nix

@@ -1,11 +1,14 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
+
+with lib;
 
 {
+  katnet.public.tcp.ports = singleton 64738;
+  katnet.public.udp.ports = singleton 64738;
+
   services.murmur = {
     enable = true;
-
     hostName = "voice.kittywit.ch";
-
     extraConfig = ''
       sslCert=/var/lib/acme/voice.kittywit.ch/fullchain.pem
       sslKey=/var/lib/acme/voice.kittywit.ch/key.pem

services/nginx.nix

@@ -1,4 +1,6 @@
-{ config, pkgs, witch, tf, ... }:
+{ config, lib, pkgs, witch, tf, ... }:
+
+with lib;
 
 {
   secrets.files.dns_creds = {
@@ -10,6 +12,9 @@
     '';
   };
 
+  katnet.public.tcp.ports = [ 443 80 ];
+  katnet.private.tcp.ports = [ 443 80 ];
+
   services.nginx = {
     enable = true;
     recommendedGzipSettings = true;

services/syncplay.nix

@@ -1,4 +1,6 @@
-{ config, pkgs, witch, ... }:
+{ config, lib, pkgs, witch, ... }:
+
+with lib;
 
 {
   users.users.syncplay = { isSystemUser = true; };
@@ -6,6 +8,8 @@
   users.groups."sync-cert".members = [ "nginx" "syncplay" ];
   security.acme = { certs."sync.kittywit.ch" = { group = "sync-cert"; }; };
 
+  katnet.public.tcp.ports = singleton 8999;
+
   services.nginx.virtualHosts."sync.kittywit.ch" = {
     enableACME = true;
     forceSSL = true;
@@ -23,8 +27,8 @@
       SYNCPLAY_SALT = witch.secrets.hosts.athame.syncplay.salt;
     };
     description = "Syncplay Service";
-    wantedBy = [ "multi-user.target" ];
-    after = [ "network-online.target " ];
+    wantedBy = singleton "multi-user.target";
+    after = singleton "network-online.target";
 
     serviceConfig = {
       ExecStart =

services/taskserver.nix

@@ -1,8 +1,14 @@
 { config, lib, ... }:
 
+with lib;
+
 {
-  services.taskserver.enable = true;
-  services.taskserver.fqdn = "kittywit.ch";
-  services.taskserver.listenHost = "::";
-  services.taskserver.organisations.kittywitch.users = [ "kat" ];
+  katnet.public.tcp.ports = singleton 53589;
+
+  services.taskserver = {
+    enable = true;
+    fqdn = "kittywit.ch";
+    listenHost = "::";
+    organisations.kittywitch.users = singleton "kat";
+  };
 }

services/znc.nix

@@ -1,6 +1,10 @@
-{ config, pkgs, witch, ... }:
+{ config, lib, pkgs, witch, ... }:
+
+with lib;
 
 {
+  katnet.public.tcp.ports = singleton 5001;
+
   services.znc = {
     enable = true;
     mutable = false;