# NixOS module `sane.ports`: per-port declaration of which networks a local
# service should be reachable from. depending on `sane.ports.openFirewall` /
# `sane.ports.openUpnp`, each entry becomes host firewall rules
# (`networking.firewall`) and/or a `upnp-forward-<port>.service` that requests
# a port forward on the upstream gateway via UPnP.
{ config, lib, pkgs, ... }:

let
# shorthand for this module's own option values.
cfg = config.sane.ports;
# submodule type for one `sane.ports.ports.<port>` entry.
portOpts = lib.types.submodule {
  options = {
    # transport protocols the service listens on. one firewall rule and one
    # UPnP forward spec is produced per entry. no default: every port must declare it.
    protocol = lib.mkOption {
      type = lib.types.listOf (lib.types.enum [ "udp" "tcp" ]);
    };

    visibleTo = {
      lan = lib.mkOption {
        type = lib.types.bool;
        default = false;
        # XXX: a port that is visible to the WAN ends up reachable from the LAN as
        # well, because the host firewall is opened on any kind of visibility.
        # technically solvable (explicitly drop packets delivered from LAN IPs)
        # but doesn't make much sense.
      };

      # enabling this opens the host firewall (when openFirewall is set) AND asks
      # the upstream gateway to forward the port here (when openUpnp is set),
      # i.e. it exposes the service to the internet.
      wan = lib.mkOption {
        type = lib.types.bool;
        default = false;
      };
    };

    # free-form label; it is sent to the upstream gateway as part of the UPnP
    # forward request, so expect it to show up outside this host.
    description = lib.mkOption {
      type = lib.types.str;
      default = "colin-${config.net.hostName}";
      description = ''
        short description of why this port is open.
        this is shown, for example, in an upstream's UPnP status page.
      '';
    };
  };
};
# networking.firewall fragment for one `sane.ports.ports.<port>` entry.
# `port` is the attribute name (a port number as a string, e.g. "8080");
# `portCfg` is that entry's evaluated submodule config.
firewallConfigForPort = port: portCfg:
  let
    # visibility to *any* network (LAN or WAN) opens the host firewall: there is
    # no WAN-only mode, so a WAN-visible port is reachable from the LAN as well.
    anyVisible = lib.any lib.id (lib.attrValues portCfg.visibleTo);
    portNum = lib.toInt port;
    # the port is listed under a protocol only if that protocol was declared.
    portsFor = proto: if lib.elem proto portCfg.protocol then [ portNum ] else [ ];
  in
  lib.mkIf anyVisible {
    allowedTCPPorts = portsFor "tcp";
    allowedUDPPorts = portsFor "udp";
  };
# systemd.services fragment for one `sane.ports.ports.<port>` entry: a oneshot
# `upnp-forward-<port>.service` that asks the upstream gateway (via UPnP) to
# forward the port to this host. it is re-run on a schedule through
# `upnp-forwards.timer` -> `upnp-forwards.target`, which `wantedBy` below hooks into.
upnpServiceForPort = port: portCfg:
  let
    portFwd = "${pkgs.sane-scripts.ip-port-forward}/bin/sane-ip-port-forward";
    # one "<proto>:<port>:<description>" spec per declared protocol.
    # NOTE(review): `portCfg.description` is user config spliced into the spec
    # unquoted; if it may contain ':' the spec could be mis-parsed — confirm
    # against sane-ip-port-forward's spec grammar.
    forwards = map (proto: "${proto}:${port}:${portCfg.description}") portCfg.protocol;
    unitName = "upnp-forward-${port}";
  in
  # only WAN visibility needs a gateway-side forward; LAN-only ports are
  # handled entirely by the host firewall.
  lib.mkIf portCfg.visibleTo.wan {
    "${unitName}" = {
      description = "forward port ${port} (${portCfg.description}) from upstream gateway to this host";
      # re-run the forward whenever any setting of this port changes.
      restartTriggers = [ (builtins.toJSON portCfg) ];

      serviceConfig = {
        Type = "oneshot";
        TimeoutSec = "6min";
        # a failed run (e.g. gateway unreachable) is retried after RestartSec,
        # independently of the timer-driven renewal.
        Restart = "on-failure";
        RestartSec = "3min";
        # `-d` is the lease duration requested from the gateway
        # (cfg.upnpLeaseDuration; default 86400, presumably seconds — verify
        # against the script). the specs go through `lib.escapeShellArgs`, so a
        # description containing shell metacharacters is still passed literally.
        ExecStart = ''
          ${portFwd} -v -d ${builtins.toString cfg.upnpLeaseDuration} \
            ${lib.escapeShellArgs forwards}
        '';
      };

      # NOTE(review): `network.target` does not guarantee connectivity to the
      # gateway; the timer's OnStartupSec delay appears to compensate for that at boot.
      after = [ "network.target" ];
      wantedBy = [ "upnp-forwards.target" ];
    };
  };
in
{
# module interface. `sane.ports.ports.<port>` entries only take effect once
# `openFirewall` and/or `openUpnp` is enabled; both default to off.
options.sane.ports = {
  # emit networking.firewall rules for every port with any visibility.
  openFirewall = lib.mkOption {
    type = lib.types.bool;
    default = false;
  };

  # emit upnp-forward-<port>.service plus the upnp-forwards timer/target
  # for every WAN-visible port.
  openUpnp = lib.mkOption {
    type = lib.types.bool;
    default = false;
  };

  upnpRenewInterval = lib.mkOption {
    type = lib.types.str;
    default = "hourly";
    description = ''
      how frequently to renew UPnP leases.
      syntax is what systemd uses for Calendar Events:
      - <https://www.freedesktop.org/software/systemd/man/systemd.time.html#Calendar%20Events>
    '';
  };

  # NOTE(review): keep this longer than `upnpRenewInterval` (defaults: 86400 vs
  # hourly), otherwise leases lapse between renewals and the port goes dark until
  # the next timer run. the value is passed verbatim to sane-ip-port-forward's
  # `-d`; units are presumably seconds — confirm against the script.
  upnpLeaseDuration = lib.mkOption {
    type = lib.types.int;
    default = 86400;
    description = "how long to lease UPnP ports for";
  };

  # one entry per port number (the attribute name, as a string).
  ports = lib.mkOption {
    type = lib.types.attrsOf portOpts;
    default = { };
  };
};
config = {
  # host firewall: one fragment per declared port, each gated on its own visibility.
  networking.firewall = lib.mkIf cfg.openFirewall (
    lib.mkMerge (lib.mapAttrsToList firewallConfigForPort cfg.ports)
  );

  systemd = lib.mkIf cfg.openUpnp {
    # one oneshot upnp-forward-<port>.service per WAN-visible port.
    services = lib.mkMerge (lib.mapAttrsToList upnpServiceForPort cfg.ports);

    # scheduling: UPnP leases expire, so every forward has to be re-requested
    # periodically. the chain is
    #   upnp-forwards.timer -> upnp-forwards.target -> every upnp-forward-xyz.service
    #
    # a timer only (re)activates its Unit while that unit is inactive, and a
    # target that has been started once normally stays "active". `StopWhenUnneeded`
    # on the target makes it drop back to inactive right after it has scheduled
    # the services, so the next timer tick starts it (and thus the services) again.
    #
    # if the target should instead stay up until every forward has finished, each
    # service could additionally declare `Upholds = upnp-forwards.target`.
    # source: <https://serverfault.com/a/1128671>
    timers.upnp-forwards = {
      # NOTE(review): timers are conventionally pulled in by `timers.target`;
      # hooking `network.target` works but is unusual — confirm it is intentional.
      wantedBy = [ "network.target" ];
      timerConfig = {
        # first run 75s after boot, then on the configured calendar schedule;
        # RandomizedDelaySec adds jitter to each scheduled run.
        OnStartupSec = "75s";
        OnCalendar = cfg.upnpRenewInterval;
        RandomizedDelaySec = "180s";
        Unit = "upnp-forwards.target";
      };
    };

    targets.upnp-forwards = {
      description = "forward ports from upstream gateway to this host";
      after = [ "network.target" ];
      unitConfig = {
        # required for the timer to be able to re-trigger the target (see above).
        StopWhenUnneeded = true;
      };
    };
  };
};
}