modules/nixos/katnet: Firewall handler

2026-02-09 12:29:19 -08:00 · 2021-04-27 22:25:56 +01:00 · 2021-04-27 22:25:56 +01:00 · 874974c48a
commit 874974c48a
parent ba57815abd
12 changed files with 186 additions and 184 deletions
--- a/modules/nixos/katnet/default.nix
+++ b/modules/nixos/katnet/default.nix
@ -2,12 +2,88 @@

 with lib;

-{
-  config = mkIf config.hexchen.network.enable {
-    deploy.tf.dns.records."kittywitch_net_${config.networking.hostName}" = {
-      tld = "kittywit.ch.";
-      domain = "${config.networking.hostName}.net";
-      aaaa.address = config.hexchen.network.address;
+let cfg = config.katnet;
+in {
+  options.katnet = {
+    public.tcp.ports = mkOption {
+      type = types.listOf types.port;
+      default = [ ];
+    };
+    public.udp.ports = mkOption {
+      type = types.listOf types.port;
+      default = [ ];
+    };
+    private.tcp.ports = mkOption {
+      type = types.listOf types.port;
+      default = [ ];
+    };
+    private.udp.ports = mkOption {
+      type = types.listOf types.port;
+      default = [ ];
+    };
+
+    public.tcp.ranges = mkOption {
+      type = types.listOf (types.attrsOf types.port);
+      default = [ ];
+    };
+    public.udp.ranges = mkOption {
+      type = types.listOf (types.attrsOf types.port);
+      default = [ ];
+    };
+    private.tcp.ranges = mkOption {
+      type = types.listOf (types.attrsOf types.port);
+      default = [ ];
+    };
+    private.udp.ranges = mkOption {
+      type = types.listOf (types.attrsOf types.port);
+      default = [ ];
+    };
+
+    public.interfaces = mkOption {
+      type = types.listOf types.str;
+      description = "Public firewall interfaces";
+      default = [ ];
+    };
+    private.interfaces = mkOption {
+      type = types.listOf types.str;
+      description = "Private firewall interfaces";
+      default = [ ];
    };
  };
+
+  config = {
+    networking.firewall.interfaces = let
+      fwTypes = {
+        ports = "Ports";
+        ranges = "PortRanges";
+      };
+
+      interfaceDef = visibility:
+        listToAttrs (flatten (mapAttrsToList (type: typeString:
+          map (proto: {
+            name = "allowed${toUpper proto}${typeString}";
+            value = cfg.${visibility}.${proto}.${type};
+          }) [ "tcp" "udp" ]) fwTypes));
+
+      interfaces = visibility:
+        listToAttrs
+        (map (interface: nameValuePair interface (interfaceDef visibility))
+          cfg.${visibility}.interfaces);
+    in mkMerge (map (visibility: interfaces visibility) [ "public" "private" ]);
+
+    deploy.tf.dns.records."kittywitch_net_${config.networking.hostName}" =
+      mkIf config.hexchen.network.enable {
+        tld = "kittywit.ch.";
+        domain = "${config.networking.hostName}.net";
+        aaaa.address = config.hexchen.network.address;
+      };
+
+    security.acme.certs."${config.networking.hostName}.net.kittywit.ch" =
+      mkIf (config.services.nginx.enable && config.hexchen.network.enable) {
+        domain = "${config.networking.hostName}.net.kittywit.ch";
+        dnsProvider = "rfc2136";
+        credentialsFile = config.secrets.files.dns_creds.path;
+        group = "nginx";
+      };
+  };
 }