diff --git a/config/hosts/athame/nixos.nix b/config/hosts/athame/nixos.nix
index 1e786317..63d1b9ee 100644
--- a/config/hosts/athame/nixos.nix
+++ b/config/hosts/athame/nixos.nix
@@ -77,8 +77,10 @@ with lib;
 # Firewall
- kw.fw.public.interfaces = singleton "enp1s0";
- kw.fw.private.interfaces = singleton "yggdrasil";
+ kw.fw = {
+ public.interfaces = singleton "enp1s0";
+ private.interfaces = singleton "yggdrasil";
+ };
 # Host-specific DNS Config
diff --git a/config/hosts/beltane/nixos.nix b/config/hosts/beltane/nixos.nix
index b4820d6d..3832285f 100644
--- a/config/hosts/beltane/nixos.nix
+++ b/config/hosts/beltane/nixos.nix
@@ -79,10 +79,14 @@ with lib;
 interfaces.eno1.useDHCP = true;
 };
+ kw.dns.ipv4 = "192.168.1.223";
 # Firewall
- kw.fw.private.interfaces = singleton "yggdrasil";
- kw.fw.public.interfaces = singleton "eno1";
+ kw.fw = {
+ private.interfaces = singleton "yggdrasil";
+ public.interfaces = singleton "eno1";
+ };
 # Yggdrasil
diff --git a/config/hosts/samhain/nixos.nix b/config/hosts/samhain/nixos.nix
index d9d8d248..800b7401 100644
--- a/config/hosts/samhain/nixos.nix
+++ b/config/hosts/samhain/nixos.nix
@@ -119,9 +119,12 @@ in {
 # Firewall
- kw.fw.private.interfaces = singleton "yggdrasil";
- kw.fw.public.interfaces = singleton "br";
- kw.fw.private.tcp.ports = [ 10445 ]; # VM Prometheus
+ kw.fw = {
+ public.interfaces = singleton "br";
+ private = {
+ interfaces = singleton "yggdrasil";
+ };
+ };
 # Host-specific DNS Config
diff --git a/config/hosts/yule/nixos.nix b/config/hosts/yule/nixos.nix
index a3f8f67e..f362a526 100644
--- a/config/hosts/yule/nixos.nix
+++ b/config/hosts/yule/nixos.nix
@@ -65,8 +65,10 @@ with lib;
 # Firewall
- kw.fw.private.interfaces = singleton "yggdrasil";
- kw.fw.public.interfaces = [ "enp1s0" "wlp2s0" ];
+ kw.fw = {
+ public.interfaces = [ "enp1s0" "wlp2s0" ];
+ private.interfaces = singleton "yggdrasil";
+ };
 # Yggdrasil
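Review bot: The new `kw.dns.ipv4 = "192.168.1.223";` in the beltane hunk hard-codes a LAN address with nothing saying why this host departs from the terraform-derived value that config/modules/nixos/dns.nix supplies; presumably beltane is not a terraform-managed host, but that is worth confirming and recording in a one-line comment above it, e.g. `# Static LAN address: no terraform resource for this host, overrides the dns.nix default`. Whether this address ends up in any externally published DNS record depends on how kw.dns.ipv4 is consumed, which is outside these hunks, as is the attrset enclosing this block. Minor style point: beltane lists `private` before `public` while athame, samhain and yule list `public` first; one order across hosts makes the blocks easier to compare.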
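Review bot: The samhain hunk drops `kw.fw.private.tcp.ports = [ 10445 ]; # VM Prometheus` without a replacement, so the rewritten block no longer opens TCP 10445 on the private (yggdrasil) interface, and the leftover `private = { interfaces = …; };` nesting looks like the spot where that line was meant to go. If the port is still needed, add `tcp.ports = singleton 10445; # VM Prometheus` inside `private`; if the scrape was intentionally retired, this is a firewall tightening that deserves a line in the commit message rather than a silent change inside a refactor. The enclosing attrset starts and ends outside the hunk.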
diff --git a/config/modules/nixos/dns.nix b/config/modules/nixos/dns.nix
index 8e766a0e..0f9a92e0 100644
--- a/config/modules/nixos/dns.nix
+++ b/config/modules/nixos/dns.nix
@@ -40,8 +40,8 @@ with lib;
 kw.dns.ygg_prefix = "net";
 # This should be set in host config if it needs to be set for a host. Otherwise, they're retrieved from terraform.
- kw.dns.ipv4 = mkIf (tf.resources ? config.networking.hostName) (mkOptionDefault (config.deploy.tf.resources."${config.networking.hostName}".refAttr "ipv4_address"));
- kw.dns.ipv6 = mkIf (tf.resources ? config.networking.hostName) (mkOptionDefault (config.deploy.tf.resources."${config.networking.hostName}".refAttr "ipv6_address"));
+ kw.dns.ipv4 = mkDefault (mkIf (tf.resources ? config.networking.hostName) (mkOptionDefault (config.deploy.tf.resources."${config.networking.hostName}".refAttr "ipv4_address")));
+ kw.dns.ipv6 = mkDefault (mkIf (tf.resources ? config.networking.hostName) (mkOptionDefault (config.deploy.tf.resources."${config.networking.hostName}".refAttr "ipv6_address")));
 # This is derived.
 kw.dns.domain = builtins.substring 0 ((builtins.stringLength config.kw.dns.tld) - 1) config.kw.dns.tld;
diff --git a/config/profiles/base/ssh.nix b/config/profiles/base/ssh.nix
index b884e406..bf962c28 100644
--- a/config/profiles/base/ssh.nix
+++ b/config/profiles/base/ssh.nix
@@ -1,17 +1,24 @@
 { config, lib, pkgs, ... }:
-{
- kw.fw.public.udp.ranges = [{
- from = 60000;
- to = 61000;
- }];
- kw.fw.private.udp.ranges = [{
- from = 60000;
- to = 61000;
- }];
+with lib;
- kw.fw.public.tcp.ports = [ 62954 ];
- kw.fw.private.tcp.ports = [ 62954 ];
+{
+ kw.fw = {
+ public = {
+ tcp.ports = singleton 62954;
+ udp.ranges = [{
+ from = 60000;
+ to = 61000;
+ }];
+ };
+ private = {
+ tcp.ports = singleton 62954;
+ udp.ranges = [{
+ from = 60000;
+ to = 61000;
+ }];
+ };
+ };
 services.openssh = {
 enable = true;
diff --git a/config/services/nginx/default.nix b/config/services/nginx/default.nix
index b1d07211..fae38918 100644
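Review bot: Wrapping the whole `mkIf` in `mkDefault` looks inverted: as far as I can tell the module system discharges `mkIf` before it resolves `mkOverride` priorities, and an `if` node nested inside an override is not discharged, so it reaches the option's type check as a raw attrset and evaluation of kw.dns.ipv4/ipv6 fails. The existing `mkOptionDefault` (priority 1500) already lets a plain host assignment such as beltane's `kw.dns.ipv4 = "…"` win, so the outer wrapper appears redundant; if a lower priority is genuinely wanted, keep it innermost, `kw.dns.ipv4 = mkIf (tf.resources ? config.networking.hostName) (mkDefault (config.deploy.tf.resources."${config.networking.hostName}".refAttr "ipv4_address"));` and the same for ipv6. Separately, and pre-existing on both sides, `tf.resources ? config.networking.hostName` tests for the literal attribute path `config.networking.hostName` inside `tf.resources`, not for the current host's name; unless that nested path really exists the condition is always false and the terraform-derived address is never applied, so the dynamic check `tf.resources ? ${config.networking.hostName}` is probably what was meant. The module attrset enclosing these lines continues outside the hunk.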
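Review bot: In the ssh.nix hunk the new `public` and `private` blocks are identical (TCP 62954 plus UDP 60000–61000), so the SSH rule set is now maintained twice and the two zones can silently drift on the next edit; a `let` binding keeps one definition and assigns it to both. A file-scope `with lib;` introduced only for `singleton` brings every lib name into scope, and `lib.singleton` at the two call sites is the narrower choice. The attrset opened by the hunk continues past its end with the services.openssh block.
```nix
{ config, lib, pkgs, ... }:

let
  # One rule set for SSH, applied to both firewall zones.
  sshFw = {
    tcp.ports = lib.singleton 62954;
    udp.ranges = [{
      from = 60000;
      to = 61000;
    }];
  };
in
{
  kw.fw = {
    public = sshFw;
    private = sshFw;
  };
  # … unchanged: services.openssh …
```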
--- a/config/services/nginx/default.nix
+++ b/config/services/nginx/default.nix
@@ -12,8 +12,10 @@ with lib;
 '';
 };
- kw.fw.public.tcp.ports = [ 443 80 ];
- kw.fw.private.tcp.ports = [ 443 80 ];
+ kw.fw = {
+ public.tcp.ports = [ 443 80 ];
+ private.tcp.ports = [ 443 80 ];
+ };
 services.nginx = {
 enable = true;