Source cleanups and renaming. Module inhousing & changes.

2026-02-09 12:29:19 -08:00 · 2021-07-04 21:50:13 +01:00 · 2021-07-04 21:50:13 +01:00 · b310c0306a
commit b310c0306a
parent af9e6394aa
28 changed files with 315 additions and 119 deletions
--- a/modules/home/default.nix
+++ b/modules/home/default.nix
@ -2,7 +2,7 @@

 {
  disabledModules = [ "programs/vim.nix" ];
-  imports = with (import (sources.arc-nixexprs + "/modules")).home-manager; [ base16 syncplay konawall i3gopher weechat shell ] ++ [
+  imports = with (import (sources.nixexprs + "/modules")).home-manager; [ base16 syncplay konawall i3gopher weechat shell ] ++ [
    ./vim.nix
    ./deploy-tf
    (sources.tf-nix + "/modules/home/secrets.nix")
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@ -1,15 +1,13 @@
 { sources, lib, ... }:

-let hexchen = (import sources.nix-hexchen) { };
-in
 {
  imports = [
-    ./katnet
+    ./nftables
+    ./fw-abstraction
    ./deploy-tf
-    (sources.pbb-nixfiles + "/modules/nftables")
    (sources.tf-nix + "/modules/nixos/secrets.nix")
    (sources.tf-nix + "/modules/nixos/secrets-users.nix")
-    hexchen.modules.hexnet
+    (sources.hexchen + "/modules/hexnet")
  ];

  # stubs for hexchens modules, until more generalized
--- a/modules/nixos/fw-abstraction/default.nix
+++ b/modules/nixos/fw-abstraction/default.nix
@ -2,10 +2,10 @@

 with lib;

-let cfg = config.katnet;
+let cfg = config.kw.fw;
 in
 {
-  options.katnet = {
+  options.kw.fw = {
    public.tcp.ports = mkOption {
      type = types.listOf types.port;
      default = [ ];
--- a/modules/nixos/nftables/default.nix
+++ b/modules/nixos/nftables/default.nix
@ -0,0 +1,134 @@
+{ pkgs, lib, config, modulesPath, ... }:
+
+let
+  fwcfg = config.networking.firewall;
+  cfg = config.kw.nftables;
+
+  doDocker = config.virtualisation.docker.enable && cfg.generateDockerRules;
+
+  mkPorts = cond: ports: ranges: action: let
+    portStrings = (map (range: "${toString range.from}-${toString range.to}") ranges)
+               ++ (map toString ports);
+  in lib.optionalString (portStrings != []) ''
+    ${cond} dport { ${lib.concatStringsSep ", " portStrings} } ${action}
+  '';
+
+  ruleset = ''
+    table inet filter {
+      chain input {
+        type filter hook input priority filter
+        policy ${cfg.inputPolicy}
+
+        icmpv6 type { echo-request, echo-reply, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, packet-too-big } accept
+        icmp type echo-request accept
+
+        ct state invalid drop
+        ct state established,related accept
+
+        iifname { ${
+          lib.concatStringsSep "," (["lo"] ++ fwcfg.trustedInterfaces)
+        } } accept
+
+        ${mkPorts "tcp" fwcfg.allowedTCPPorts fwcfg.allowedTCPPortRanges "accept"}
+        ${mkPorts "udp" fwcfg.allowedUDPPorts fwcfg.allowedUDPPortRanges "accept"}
+
+        ${
+          lib.concatStringsSep "\n" (lib.mapAttrsToList (name: ifcfg:
+              mkPorts "iifname ${name} tcp" ifcfg.allowedTCPPorts ifcfg.allowedTCPPortRanges "accept"
+            + mkPorts "iifname ${name} udp" ifcfg.allowedUDPPorts ifcfg.allowedUDPPortRanges "accept"
+          ) fwcfg.interfaces)
+        }
+
+        # DHCPv6
+        ip6 daddr fe80::/64 udp dport 546 accept
+
+        ${cfg.extraInput}
+
+        counter
+      }
+      chain output {
+        type filter hook output priority filter
+        policy ${cfg.outputPolicy}
+
+        ${cfg.extraOutput}
+
+        counter
+      }
+      chain forward {
+        type filter hook forward priority filter
+        policy ${cfg.forwardPolicy}
+
+        ${lib.optionalString doDocker ''
+          oifname docker0 ct state invalid drop
+          oifname docker0 ct state established,related accept
+          iifname docker0 accept
+        ''}
+
+        ${cfg.extraForward}
+
+        counter
+      }
+    }
+    ${lib.optionalString doDocker ''
+      table ip nat {
+        chain docker-postrouting {
+          type nat hook postrouting priority 10
+          iifname docker0 masquerade
+        }
+      }
+    ''}
+    ${cfg.extraConfig}
+  '';
+
+in {
+  options = with lib; {
+    kw.nftables = {
+      enable = mkEnableOption "nftables firewall";
+
+      extraConfig = mkOption {
+        type = types.lines;
+        default = "";
+      };
+      extraInput = mkOption {
+        type = types.lines;
+        default = "";
+      };
+      extraOutput = mkOption {
+        type = types.lines;
+        default = "";
+      };
+      extraForward = mkOption {
+        type = types.lines;
+        default = "";
+      };
+      inputPolicy = mkOption {
+        type = types.str;
+        default = "drop";
+      };
+      outputPolicy = mkOption {
+        type = types.str;
+        default = "accept";
+      };
+      forwardPolicy = mkOption {
+        type = types.str;
+        default = "accept";
+      };
+      generateDockerRules = mkOption {
+        type = types.bool;
+        default = true;
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    networking.firewall.enable = false;
+    networking.nftables = {
+      enable = true;
+      inherit ruleset;
+    };
+
+    virtualisation.docker = lib.mkIf doDocker {
+      extraOptions = "--iptables=false";
+    };
+  };
+}