refactor(access): simplify firewall conditions

arcnmx 2024-05-20 12:19:16 -07:00
parent e51ae1d4ec
commit cd4c855df4
3 changed files with 15 additions and 23 deletions


@ -4,7 +4,7 @@
lib, lib,
... ...
}: let }: let
inherit (lib.modules) mkIf mkMerge mkOptionDefault; inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
inherit (lib.options) mkOption; inherit (lib.options) mkOption;
inherit (lib.lists) optionals; inherit (lib.lists) optionals;
inherit (lib.strings) concatStringsSep; inherit (lib.strings) concatStringsSep;
@ -103,16 +103,19 @@ in {
}; };
config.networking = { config.networking = {
firewall = { firewall.interfaces = {
interfaces.local = { local = {
nftables.conditions = [ nftables.conditions = [
"ip saddr { ${concatStringsSep ", " (cfg.cidrForNetwork.local.v4 ++ cfg.cidrForNetwork.int.v4)} }" "ip saddr { ${concatStringsSep ", " cfg.cidrForNetwork.local.v4} }"
( (
mkIf networking.enableIPv6 mkIf networking.enableIPv6
"ip6 saddr { ${concatStringsSep ", " (cfg.cidrForNetwork.local.v6 ++ cfg.cidrForNetwork.int.v6)} }" "ip6 saddr { ${concatStringsSep ", " cfg.cidrForNetwork.local.v6} }"
) )
]; ];
}; };
lan = {
nftables.conditions = mkIf config.networking.firewall.interfaces.local.nftables.enable (mkDefault config.networking.firewall.interfaces.local.nftables.conditions);
};
}; };
}; };
} }
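Review bot: The two saddr strings under `local.nftables.conditions` now list only `cfg.cidrForNetwork.local.v4`/`.v6`, dropping the `int` CIDRs that the old side concatenated in, so sources on the `int` network no longer match the `local` zone and fall through to whatever rule follows; the title calls this a simplification, but it narrows the admitted sources and deserves a sentence in the description or a comment such as `# local zone admits only the local CIDRs; int-network traffic is handled by the lan interface`. The new `lan` default is gated on `local.nftables.enable`, so when that is off `lan` receives no conditions at all; if an empty condition list is rendered as an unconditional rule by the `nftables.conditions` option (its definition is not visible here), that would be an accidental allow-all rather than a no-op, which is worth confirming. The `mkDefault` on the `lan` value does let a host override it, which the Proxmox module in this commit relies on.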


@ -1,15 +1,13 @@
{ {
config,
system, system,
gensokyo-zone, gensokyo-zone,
lib, lib,
modulesPath, modulesPath,
... ...
}: let }: let
inherit (gensokyo-zone.lib) unmerged coalesce; inherit (gensokyo-zone.lib) unmerged;
inherit (lib.modules) mkIf mkMerge mkDefault; inherit (lib.modules) mkIf mkMerge mkDefault;
inherit (lib.attrsets) mapAttrsToList; inherit (lib.attrsets) mapAttrsToList;
inherit (lib.trivial) mapNullable;
inherit (system) proxmox; inherit (system) proxmox;
in { in {
imports = [ imports = [
@ -32,16 +30,12 @@ in {
}) })
proxmox.network.interfaces)); proxmox.network.interfaces));
networking.firewall.interfaces.lan = let networking.firewall.interfaces = let
inherit (proxmox.network) internal local; inherit (proxmox.network) internal;
conditions = coalesce [ intConditions = ["iifname ${internal.interface.name}"];
(mapNullable (interface: ["iifname ${interface.name}"]) internal.interface)
(mapNullable (interface: config.networking.firewall.interfaces.local.nftables.conditions) local.interface)
];
in in
mkIf (conditions != null) { mkIf (internal.interface != null) {
nftables = { lan.nftables.conditions = intConditions;
inherit conditions; local.nftables.conditions = intConditions;
};
}; };
} }
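Review bot: `local.nftables.conditions = intConditions;` is defined at normal priority with no `mkDefault`, while the shared access module in this same commit also defines `local.nftables.conditions` as the `ip saddr`/`ip6 saddr` list; if the option is list-typed both definitions merge, so the `local` zone on these hosts carries both the CIDR match and `iifname ${internal.interface.name}`, and whether those render as AND or OR depends on how `conditions` is turned into rules, which is not visible here. Previously the interface-name condition was attached only to `lan` and the `local` conditions were reused only when `local.interface` was set; now it is attached to `local` whenever `internal.interface` is non-null, regardless of whether a local interface exists on the host. If the interface match is meant to replace the CIDR match here, `lib.mkForce` (or a comment stating that the combined list is intended) would make the resulting rule explicit for the next reader. The `networking.firewall.interfaces` attrset closes inside the hunk, but the enclosing module body begins outside it.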


@ -49,11 +49,6 @@
}; };
}; };
}; };
networking.firewall.interfaces.lan = {
nftables = {
conditions = config.networking.firewall.interfaces.local.nftables.conditions;
};
};
system.stateVersion = "24.05"; system.stateVersion = "24.05";
} }