diff --git a/modules/nixos/access.nix b/modules/nixos/access.nix index 9a88d3d5..c60d7a9f 100644 --- a/modules/nixos/access.nix +++ b/modules/nixos/access.nix @@ -6,6 +6,7 @@ inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault; inherit (lib.options) mkOption; inherit (lib.lists) optionals; + inherit (lib.strings) concatStringsSep; inherit (config.services) tailscale avahi; inherit (config) networking; inherit (networking) hostName; @@ -83,4 +84,15 @@ in { }; }; }; + + config.networking.firewall = { + interfaces.local = { + nftables.conditions = [ + "ip saddr { ${concatStringsSep ", " networking.access.cidrForNetwork.local.v4} }" + (mkIf networking.enableIPv6 + "ip6 saddr { ${concatStringsSep ", " networking.access.cidrForNetwork.local.v6} }" + ) + ]; + }; + }; } diff --git a/modules/nixos/nftables.nix b/modules/nixos/nftables.nix index 95b1157b..0c9a6a4d 100644 --- a/modules/nixos/nftables.nix +++ b/modules/nixos/nftables.nix @@ -1,6 +1,11 @@ -{ pkgs, lib, config, modulesPath, ... }: +{ lib, config, ... }: let + inherit (lib) types; + inherit (lib.options) mkOption; + inherit (lib.modules) mkIf; + inherit (lib.attrsets) mapAttrsToList; + inherit (lib.strings) optionalString concatStringsSep concatMapStringsSep; fwcfg = config.networking.firewall; cfg = config.networking.nftables; @@ -9,8 +14,8 @@ let mkPorts = cond: ports: ranges: action: let portStrings = (map (range: "${toString range.from}-${toString range.to}") ranges) ++ (map toString ports); - in lib.optionalString (portStrings != []) '' - ${cond} dport { ${lib.concatStringsSep ", " portStrings} } ${action} + in optionalString (portStrings != []) '' + ${cond} dport { ${concatStringsSep "," portStrings} } ${action} ''; ruleset = '' 
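Review bot: The `local` interface class added to `config.networking.firewall.interfaces.local` is defined by source address alone (`ip saddr { … }` / `ip6 saddr { … }`), and since this series also sets `networking.firewall.enable = false` in modules/nixos/nftables.nix, NixOS's own reverse-path filter is no longer applied, so a packet arriving on any interface with a spoofed local source address satisfies the condition unless the ruleset adds an rpfilter rule somewhere not visible in these hunks. Either pin the ingress interface into the condition, e.g. `"iifname <LAN_IFACE> ip saddr { ${…} }"` (placeholder name), or add the usual `fib saddr . iif oif missing drop` rule to the input chain; which one fits depends on the host's topology, so it is worth a comment either way. A second, smaller issue: if `networking.access.cidrForNetwork.local.v4` (or `.v6`) evaluates to an empty list, `concatStringsSep ", "` yields `ip saddr { }`, which nft rejects and which would prevent the whole ruleset from loading; guarding each element with `mkIf (networking.access.cidrForNetwork.local.v4 != [])` in the same way the IPv6 entry is guarded by `networking.enableIPv6` avoids that. The enclosing module attrset continues outside the hunk.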
@@ -26,17 +31,17 @@ let ct state established,related accept iifname { ${ - lib.concatStringsSep "," (["lo"] ++ fwcfg.trustedInterfaces) + concatStringsSep "," (["lo"] ++ fwcfg.trustedInterfaces) } } accept ${mkPorts "tcp" fwcfg.allowedTCPPorts fwcfg.allowedTCPPortRanges "accept"} ${mkPorts "udp" fwcfg.allowedUDPPorts fwcfg.allowedUDPPortRanges "accept"} ${ - lib.concatStringsSep "\n" (lib.mapAttrsToList (name: ifcfg: - mkPorts "iifname ${name} tcp" ifcfg.allowedTCPPorts ifcfg.allowedTCPPortRanges "accept" - + mkPorts "iifname ${name} udp" ifcfg.allowedUDPPorts ifcfg.allowedUDPPortRanges "accept" - ) fwcfg.interfaces) + concatStringsSep "\n" (mapAttrsToList (name: ifcfg: concatMapStringsSep "\n" (cond: + mkPorts "${cond} tcp" ifcfg.allowedTCPPorts ifcfg.allowedTCPPortRanges "accept" + + mkPorts "${cond} udp" ifcfg.allowedUDPPorts ifcfg.allowedUDPPortRanges "accept" + ) ifcfg.nftables.conditions) fwcfg.interfaces) } # DHCPv6 @@ -58,7 +63,7 @@ let type filter hook forward priority filter policy ${cfg.forwardPolicy} - ${lib.optionalString doDocker '' + ${optionalString doDocker '' oifname docker0 ct state invalid drop oifname docker0 ct state established,related accept iifname docker0 accept @@ -69,7 +74,7 @@ let counter } } - ${lib.optionalString doDocker '' + ${optionalString doDocker '' table ip nat { chain docker-postrouting { type nat hook postrouting priority 10 @@ -79,9 +84,17 @@ let ''} ${cfg.extraConfig} ''; + interfaceModule = { config, name, ... }: { + options = { + nftables.conditions = mkOption { + type = types.listOf types.str; + default = "iifname ${name}"; + }; + }; + }; in { - options = with lib; { + options = { networking.nftables = { extraConfig = mkOption { type = types.lines; 
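Review bot: In `interfaceModule`, `nftables.conditions` is declared as `types.listOf types.str` but its `default` is the bare string `"iifname ${name}"`, so every interface that does not set its own conditions either fails the option's type check or reaches the `concatMapStringsSep "\n" (cond: …) ifcfg.nftables.conditions` loop in the earlier hunk of this file with a string where a list is expected; it should read `default = [ "iifname ${name}" ];`. The option also carries no `description`, although its strings are spliced verbatim into the nft ruleset; something like `description = "Raw nftables match expressions; each one is prefixed to this interface's port rules (default: match the interface name with iifname)";` would document both the extension and the fact that the values are not quoted or validated. The same lack of a `description` applies to the `networking.firewall.interfaces` redeclaration in the next hunk.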
@@ -116,15 +129,18 @@ in { default = true; }; }; + networking.firewall.interfaces = mkOption { + type = types.attrsOf (types.submodule interfaceModule); + }; }; - config = lib.mkIf cfg.enable { + config = mkIf cfg.enable { networking.firewall.enable = false; networking.nftables = { inherit ruleset; }; - virtualisation.docker = lib.mkIf doDocker { + virtualisation.docker = mkIf doDocker { extraOptions = "--iptables=false"; }; }; diff --git a/nixos/base/ssh.nix b/nixos/base/ssh.nix index 39d3721f..4e7af42a 100644 --- a/nixos/base/ssh.nix +++ b/nixos/base/ssh.nix @@ -26,7 +26,10 @@ in with lib; { LogLevel = "VERBOSE"; }; }; - networking.firewall.allowedTCPPorts = [publicPort]; + networking.firewall = { + allowedTCPPorts = [publicPort]; + interfaces.local.allowedTCPPorts = [ 22 ]; + }; programs.mosh.enable = true; } diff --git a/nixos/home-assistant.nix b/nixos/home-assistant.nix index e29d420a..c2359706 100644 --- a/nixos/home-assistant.nix +++ b/nixos/home-assistant.nix @@ -22,7 +22,6 @@ in { services.home-assistant = { enable = mkDefault true; - openFirewall = mkDefault true; mutableUiConfig = mkDefault true; domain = mkDefault "home.${config.networking.domain}"; config = { diff --git a/nixos/mosquitto.nix b/nixos/mosquitto.nix index 2cff50f1..c71f1c02 100644 --- a/nixos/mosquitto.nix +++ b/nixos/mosquitto.nix @@ -30,7 +30,6 @@ in { persistence = mkDefault true; listeners = [ { - openFirewall = mkDefault true; acl = [ "pattern readwrite #" ]; diff --git a/systems/tei/nixos.nix b/systems/tei/nixos.nix index f0e835c6..308e8947 100644 --- a/systems/tei/nixos.nix +++ b/systems/tei/nixos.nix @@ -1,7 +1,12 @@ { + config, + lib, meta, ... -}: { +}: let + inherit (lib.modules) mkIf mkMerge; + inherit (config.services) kanidm mosquitto home-assistant; +in { imports = let inherit (meta) nixos; in [ 
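Review bot: In nixos/base/ssh.nix the local-network port is the literal `22` while the public one is the `publicPort` binding, so the two can drift silently if sshd's listen ports (configured outside this hunk) are ever changed; binding it next to `publicPort`, presumably in the `let` that precedes `in with lib; {`, as `localPort = 22;` and writing `interfaces.local.allowedTCPPorts = [ localPort ];` keeps both ports in one place. The `let` and the enclosing attrset both start outside the hunk.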
@@ -24,8 +29,19 @@ sops.defaultSopsFile = ./secrets.yaml; - services.kanidm = { - server.openFirewall = true; + networking.firewall = { + interfaces.local.allowedTCPPorts = mkMerge [ + (mkIf kanidm.enableServer [ + kanidm.server.frontend.port + (mkIf kanidm.server.ldap.enable kanidm.server.ldap.port) + ]) + (mkIf home-assistant.enable [ + home-assistant.config.http.server_port + ]) + (mkIf mosquitto.enable (map (listener: + listener.port + ) mosquitto.listeners)) + ]; }; systemd.network.networks.eth0 = {
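Review bot: The new `networking.firewall` block replaces the services' `openFirewall` flags without recording the intent, and `interfaces.local` is not a NIC on this host but the source-address class declared in modules/nixos/access.nix, which a reader of this file cannot tell; a comment above `interfaces.local.allowedTCPPorts` such as `# Service ports are reachable only from the local CIDRs (the 'local' pseudo-interface from modules/nixos/access.nix), not via the global allowedTCPPorts` would save the next reader a search. The `mkIf` guards are keyed only on service enablement, so a mosquitto listener or kanidm LDAP endpoint that is bound to loopback (not visible here) would still have its port opened; harmless in itself, but if bind addresses are meant to be honoured a TODO to that effect belongs here. The enclosing attrset continues outside the hunk.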