kw.fw reorganising

2026-02-09 20:39:18 -08:00 · 2021-08-08 03:46:00 +01:00 · 2021-08-08 03:46:00 +01:00 · dc6982c5ce
commit dc6982c5ce
parent afa161955d
7 changed files with 44 additions and 24 deletions
--- a/config/hosts/athame/nixos.nix
+++ b/config/hosts/athame/nixos.nix
@ -77,8 +77,10 @@ with lib;

  # Firewall

-  kw.fw.public.interfaces = singleton "enp1s0";
-  kw.fw.private.interfaces = singleton "yggdrasil";
+  kw.fw = {
+    public.interfaces = singleton "enp1s0";
+    private.interfaces = singleton "yggdrasil";
+  };

  # Host-specific DNS Config

--- a/config/hosts/beltane/nixos.nix
+++ b/config/hosts/beltane/nixos.nix
@ -79,10 +79,14 @@ with lib;
    interfaces.eno1.useDHCP = true;
  };

+  kw.dns.ipv4 = "192.168.1.223";
+
  # Firewall

-  kw.fw.private.interfaces = singleton "yggdrasil";
-  kw.fw.public.interfaces = singleton "eno1";
+  kw.fw = {
+    private.interfaces = singleton "yggdrasil";
+    public.interfaces = singleton "eno1";
+  };

  # Yggdrasil

--- a/config/hosts/samhain/nixos.nix
+++ b/config/hosts/samhain/nixos.nix
@ -119,9 +119,12 @@ in {

  # Firewall

-  kw.fw.private.interfaces = singleton "yggdrasil";
-  kw.fw.public.interfaces = singleton "br";
-  kw.fw.private.tcp.ports = [ 10445 ]; # VM Prometheus
+  kw.fw = {
+    public.interfaces = singleton "br";
+    private = {
+      interfaces = singleton "yggdrasil";
+    };
+  };

  # Host-specific DNS Config

--- a/config/hosts/yule/nixos.nix
+++ b/config/hosts/yule/nixos.nix
@ -65,8 +65,10 @@ with lib;

  # Firewall

-  kw.fw.private.interfaces = singleton "yggdrasil";
-  kw.fw.public.interfaces = [ "enp1s0" "wlp2s0" ];
+  kw.fw = {
+    public.interfaces = [ "enp1s0" "wlp2s0" ];
+    private.interfaces = singleton "yggdrasil";
+  };

  # Yggdrasil

--- a/config/modules/nixos/dns.nix
+++ b/config/modules/nixos/dns.nix
@ -40,8 +40,8 @@ with lib;
    kw.dns.ygg_prefix = "net";

    # This should be set in host config if it needs to be set for a host. Otherwise, they're retrieved from terraform.
-    kw.dns.ipv4 = mkIf (tf.resources ? config.networking.hostName) (mkOptionDefault (config.deploy.tf.resources."${config.networking.hostName}".refAttr "ipv4_address"));
-    kw.dns.ipv6 = mkIf (tf.resources ? config.networking.hostName) (mkOptionDefault (config.deploy.tf.resources."${config.networking.hostName}".refAttr "ipv6_address"));
+    kw.dns.ipv4 = mkDefault (mkIf (tf.resources ? config.networking.hostName) (mkOptionDefault (config.deploy.tf.resources."${config.networking.hostName}".refAttr "ipv4_address")));
+    kw.dns.ipv6 = mkDefault (mkIf (tf.resources ? config.networking.hostName) (mkOptionDefault (config.deploy.tf.resources."${config.networking.hostName}".refAttr "ipv6_address")));

    # This is derived.
    kw.dns.domain = builtins.substring 0 ((builtins.stringLength config.kw.dns.tld) - 1) config.kw.dns.tld;
--- a/config/profiles/base/ssh.nix
+++ b/config/profiles/base/ssh.nix
@ -1,17 +1,24 @@
 { config, lib, pkgs, ... }:

-{
-  kw.fw.public.udp.ranges = [{
-    from = 60000;
-    to = 61000;
-  }];
-  kw.fw.private.udp.ranges = [{
-    from = 60000;
-    to = 61000;
-  }];
+with lib;

-  kw.fw.public.tcp.ports = [ 62954 ];
-  kw.fw.private.tcp.ports = [ 62954 ];
+{
+  kw.fw = {
+    public = {
+      tcp.ports = singleton 62954;
+      udp.ranges = [{
+        from = 60000;
+        to = 61000;
+      }];
+    };
+    private = {
+      tcp.ports = singleton 62954;
+      udp.ranges = [{
+        from = 60000;
+        to = 61000;
+      }];
+    };
+  };

  services.openssh = {
    enable = true;
--- a/config/services/nginx/default.nix
+++ b/config/services/nginx/default.nix
@ -12,8 +12,10 @@ with lib;
    '';
  };

-  kw.fw.public.tcp.ports = [ 443 80 ];
-  kw.fw.private.tcp.ports = [ 443 80 ];
+  kw.fw = {
+    public.tcp.ports = [ 443 80 ];
+    private.tcp.ports = [ 443 80 ];
+  };

  services.nginx = {
    enable = true;