servo: enable UPnP port forwarding timer

2023-05-28 20:38:24 +00:00 · 2023-05-28 20:38:24 +00:00 · 35c9f2bf60
commit 35c9f2bf60
parent 13794e9eaa
2 changed files with 54 additions and 7 deletions
--- a/hosts/by-name/servo/net.nix
+++ b/hosts/by-name/servo/net.nix
@ -4,6 +4,7 @@
  networking.domain = "uninsane.org";

  sane.services.wan-ports.openFirewall = true;
+  sane.services.wan-ports.openUpnp = true;

  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
  # Per-interface useDHCP will be mandatory in the future, so this generated config
--- a/modules/services/wan-ports.nix
+++ b/modules/services/wan-ports.nix
@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
  cfg = config.sane.services.wan-ports;
 in
@ -9,14 +9,32 @@ in
        default = false;
        type = types.bool;
      };
-
-      # TODO: openUpnp option
+      openUpnp = mkOption {
+        default = false;
+        type = types.bool;
+      };
+      upnpRenewInterval = mkOption {
+        default = "1hr";
+        type = types.str;
+        description = "how frequently to renew UPnP leases";
+      };
+      upnpLeaseDuration = mkOption {
+        default = 86400;
+        type = types.int;
+        description = "how long to lease UPnP ports for";
+      };

      # TODO: rework this to look like:
      # ports.53 = {
      #   protocol = [ "udp" "tcp" ];  # have this be default
      #   visibility = "wan";  # or "lan"
      # }
+      # or maybe:
+      # tcp.ports.53 = {
+      #   visibility = "wan";  # or "lan"
+      # };
+      # and a special convertibleTo to handle port ranges
+      # plus aggregation to convert individual ports back to ranges before doing certain operations (like UPnP?)
      tcp = mkOption {
        type = types.listOf types.int;
        default = [];
@ -28,8 +46,36 @@ in
    };
  };

-  config = lib.mkIf cfg.openFirewall {
-    networking.firewall.allowedTCPPorts = cfg.tcp;
-    networking.firewall.allowedUDPPorts = cfg.udp;
-  };
+  config = lib.mkMerge [
+    (lib.mkIf cfg.openFirewall {
+      networking.firewall.allowedTCPPorts = cfg.tcp;
+      networking.firewall.allowedUDPPorts = cfg.udp;
+    })
+    (lib.mkIf cfg.openUpnp {
+      systemd.services.upnp-forwards = {
+        description = "forward ports from upstream gateway to this host";
+        serviceConfig.Type = "oneshot";
+        restartTriggers = [(builtins.toJSON cfg)];
+
+        after = [ "network.target" ];
+        script =
+          let
+            forwards =
+              (builtins.map (p: "tcp:${builtins.toString p}") cfg.tcp) ++
+              (builtins.map (p: "udp:${builtins.toString p}") cfg.udp);
+          in ''
+            ${pkgs.sane-scripts}/bin/sane-ip-port-forward -v -d ${builtins.toString cfg.upnpLeaseDuration} \
+              ${builtins.concatStringsSep " " forwards}
+          '';
+      };
+
+      systemd.timers.upnp-forwards = {
+        wantedBy = [ "network.target" ];
+        timerConfig = {
+          OnStartupSec = "1min";
+          OnUnitActiveSec = cfg.upnpRenewInterval;
+        };
+      };
+    })
+  ];
 }