ports: hide behind services.sane.wan-ports

later i will use this to enable UPnP on relevant ports
2023-05-26 23:28:30 +00:00 · 2023-05-26 23:28:30 +00:00 · c1ddddddc0
commit c1ddddddc0
parent aae118b476
13 changed files with 56 additions and 9 deletions
--- a/hosts/by-name/servo/default.nix
+++ b/hosts/by-name/servo/default.nix
@ -20,6 +20,7 @@
  sane.zsh.showDeadlines = false;  # ~/knowledge doesn't always exist
  sane.services.dyn-dns.enable = true;
  sane.services.wg-home.enable = true;
+  sane.services.wg-home.enableWan = true;
  sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;
  # sane.services.duplicity.enable = true;  # TODO: re-enable after HW upgrade

--- a/hosts/by-name/servo/net.nix
+++ b/hosts/by-name/servo/net.nix
@ -3,6 +3,8 @@
 {
  networking.domain = "uninsane.org";

+  sane.services.wan-ports.openFirewall = true;
+
  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
  # Per-interface useDHCP will be mandatory in the future, so this generated config
  # replicates the default behaviour.
--- a/hosts/by-name/servo/services/ejabberd.nix
+++ b/hosts/by-name/servo/services/ejabberd.nix
@ -22,7 +22,7 @@
  sane.persist.sys.plaintext = [
    { user = "ejabberd"; group = "ejabberd"; directory = "/var/lib/ejabberd"; }
  ];
-  networking.firewall.allowedTCPPorts = [
+  sane.services.wan-ports.tcp = [
    3478  # STUN/TURN
    5222  # XMPP  client -> server
    5223  # XMPPS client -> server (XMPP over TLS)
@ -33,9 +33,10 @@
    5349  # STUN/TURN (TLS)
    5443  # web services (file uploads, websockets, admin)
  ];
-  networking.firewall.allowedUDPPorts = [
+  sane.services.wan-ports.udp = [
    3478  # STUN/TURN
  ];
+  # TODO: forward these TURN ports!
  networking.firewall.allowedTCPPortRanges = [{
    from = 49152;  # TURN
    to = 49408;
--- a/hosts/by-name/servo/services/email/dovecot.nix
+++ b/hosts/by-name/servo/services/email/dovecot.nix
@ -6,7 +6,7 @@

 { config, lib, pkgs, ... }:
 {
-  networking.firewall.allowedTCPPorts = [
+  sane.services.wan-ports.tcp = [
    # exposed over non-vpn imap.uninsane.org
    143  # IMAP
    993  # IMAPS
--- a/hosts/by-name/servo/services/email/postfix.nix
+++ b/hosts/by-name/servo/services/email/postfix.nix
@ -28,7 +28,7 @@ in
    # "/var/lib/dovecot"
  ];

-  networking.firewall.allowedTCPPorts = [
+  sane.services.wan-ports.tcp = [
    # exposed over vpn mx.uninsane.org
    25   # SMTP
    465  # SMTPS
--- a/hosts/by-name/servo/services/jellyfin.nix
+++ b/hosts/by-name/servo/services/jellyfin.nix
@ -18,6 +18,7 @@
 {
  # identical to:
  # services.jellyfin.openFirewall = true;
+  # N.B.: these are all for the LAN, so we don't go through `sane.services.wan-ports`.
  networking.firewall.allowedUDPPorts = [
    # https://jellyfin.org/docs/general/networking/index.html
    1900  # UPnP service discovery
--- a/hosts/by-name/servo/services/nginx.nix
+++ b/hosts/by-name/servo/services/nginx.nix
@ -13,7 +13,7 @@ let
 in
 {

-  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  sane.services.wan-ports.tcp = [ 80 443 ];

  services.nginx.enable = true;
  services.nginx.appendConfig = ''
--- a/hosts/by-name/servo/services/prosody.nix
+++ b/hosts/by-name/servo/services/prosody.nix
@ -12,7 +12,7 @@ lib.mkIf false
  sane.persist.sys.plaintext = [
    { user = "prosody"; group = "prosody"; directory = "/var/lib/prosody"; }
  ];
-  networking.firewall.allowedTCPPorts = [
+  sane.services.wan-ports.tcp = [
    5222  # XMPP client -> server
    5269  # XMPP server -> server
    5280  # bosh
--- a/hosts/common/net.nix
+++ b/hosts/common/net.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ lib, ... }:

 {
  # the default backend is "wpa_supplicant".
--- a/hosts/modules/wg-home.nix
+++ b/hosts/modules/wg-home.nix
@ -33,6 +33,11 @@ in
      type = types.bool;
      default = false;
    };
+    sane.services.wg-home.enableWan = mkOption {
+      type = types.bool;
+      default = false;
+      description = "whether to make this port visible on the WAN";
+    };
    sane.services.wg-home.ip = mkOption {
      type = types.str;
    };
@ -51,6 +56,7 @@ in

    # for convenience, have both the server and client use the same port for their wireguard connections.
    networking.firewall.allowedUDPPorts = [ 51820 ];
+    sane.services.wan-ports.udp = lib.mkIf cfg.enableWan [ 51820 ];
    networking.wireguard.interfaces.wg-home = {
      listenPort = 51820;
      privateKeyFile = "/run/wg-home.priv";
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@ -6,5 +6,6 @@
    ./mautrix-signal.nix
    ./nixserve.nix
    ./trust-dns.nix
+    ./wan-ports.nix
  ];
 }
--- a/modules/services/trust-dns.nix
+++ b/modules/services/trust-dns.nix
@ -171,8 +171,8 @@ in

  config = mkIf cfg.enable {
    sane.services.trust-dns.generatedZones = mapAttrs (zone: zcfg: genZone zcfg) cfg.zones;
-    networking.firewall.allowedTCPPorts = [ 53 ];
-    networking.firewall.allowedUDPPorts = [ 53 ];
+    sane.services.wan-ports.tcp = [ 53 ];
+    sane.services.wan-ports.udp = [ 53 ];

    systemd.services.trust-dns = {
      description = "trust-dns DNS server";
--- a/modules/services/wan-ports.nix
+++ b/modules/services/wan-ports.nix
@ -0,0 +1,35 @@
+{ config, lib, ... }:
+let
+  cfg = config.sane.services.wan-ports;
+in
+{
+  options = with lib; {
+    sane.services.wan-ports = {
+      openFirewall = mkOption {
+        default = false;
+        type = types.bool;
+      };
+
+      # TODO: openUpnp option
+
+      # TODO: rework this to look like:
+      # ports.53 = {
+      #   protocol = [ "udp" "tcp" ];  # have this be default
+      #   visibility = "wan";  # or "lan"
+      # }
+      tcp = mkOption {
+        type = types.listOf types.int;
+        default = [];
+      };
+      udp = mkOption {
+        type = types.listOf types.int;
+        default = [];
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.openFirewall {
+    networking.firewall.allowedTCPPorts = cfg.tcp;
+    networking.firewall.allowedUDPPorts = cfg.udp;
+  };
+}