From c1ddddddc02d054c34fb18e6684d958267531340 Mon Sep 17 00:00:00 2001
From: Colin
Date: Fri, 26 May 2023 23:28:30 +0000
Subject: [PATCH] ports: hide behind services.sane.wan-ports

later i will use this to enable UPnP on relevant ports
---
 hosts/by-name/servo/default.nix | 1 +
 hosts/by-name/servo/net.nix | 2 ++
 hosts/by-name/servo/services/ejabberd.nix | 5 +--
 .../by-name/servo/services/email/dovecot.nix | 2 +-
 .../by-name/servo/services/email/postfix.nix | 2 +-
 hosts/by-name/servo/services/jellyfin.nix | 1 +
 hosts/by-name/servo/services/nginx.nix | 2 +-
 hosts/by-name/servo/services/prosody.nix | 2 +-
 hosts/common/net.nix | 2 +-
 hosts/modules/wg-home.nix | 6 ++++
 modules/services/default.nix | 1 +
 modules/services/trust-dns.nix | 4 +--
 modules/services/wan-ports.nix | 35 +++++++++++++++++++
 13 files changed, 56 insertions(+), 9 deletions(-)
 create mode 100644 modules/services/wan-ports.nix

diff --git a/hosts/by-name/servo/default.nix b/hosts/by-name/servo/default.nix
index 079430ff..d075e50b 100644
--- a/hosts/by-name/servo/default.nix
+++ b/hosts/by-name/servo/default.nix
@@ -20,6 +20,7 @@
   sane.zsh.showDeadlines = false; # ~/knowledge doesn't always exist
   sane.services.dyn-dns.enable = true;
   sane.services.wg-home.enable = true;
+  sane.services.wg-home.enableWan = true;
   sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;
 
   # sane.services.duplicity.enable = true; # TODO: re-enable after HW upgrade
diff --git a/hosts/by-name/servo/net.nix b/hosts/by-name/servo/net.nix
index 887dbb63..3b6b3b47 100644
--- a/hosts/by-name/servo/net.nix
+++ b/hosts/by-name/servo/net.nix
@@ -3,6 +3,8 @@
 {
   networking.domain = "uninsane.org";
 
+  sane.services.wan-ports.openFirewall = true;
+
   # The global useDHCP flag is deprecated, therefore explicitly set to false here.
   # Per-interface useDHCP will be mandatory in the future, so this generated config
   # replicates the default behaviour.
diff --git a/hosts/by-name/servo/services/ejabberd.nix b/hosts/by-name/servo/services/ejabberd.nix
index c1aa79bc..57445bfa 100644
--- a/hosts/by-name/servo/services/ejabberd.nix
+++ b/hosts/by-name/servo/services/ejabberd.nix
@@ -22,7 +22,7 @@
   sane.persist.sys.plaintext = [
     { user = "ejabberd"; group = "ejabberd"; directory = "/var/lib/ejabberd"; }
   ];
-  networking.firewall.allowedTCPPorts = [
+  sane.services.wan-ports.tcp = [
     3478 # STUN/TURN
     5222 # XMPP client -> server
     5223 # XMPPS client -> server (XMPP over TLS)
@@ -33,9 +33,10 @@
     5349 # STUN/TURN (TLS)
     5443 # web services (file uploads, websockets, admin)
   ];
-  networking.firewall.allowedUDPPorts = [
+  sane.services.wan-ports.udp = [
     3478 # STUN/TURN
   ];
+  # TODO: forward these TURN ports!
   networking.firewall.allowedTCPPortRanges = [{
     from = 49152; # TURN
     to = 49408;
diff --git a/hosts/by-name/servo/services/email/dovecot.nix b/hosts/by-name/servo/services/email/dovecot.nix
index 9c8f1c5b..ac63fcd5 100644
--- a/hosts/by-name/servo/services/email/dovecot.nix
+++ b/hosts/by-name/servo/services/email/dovecot.nix
@@ -6,7 +6,7 @@
 { config, lib, pkgs, ... }:
 
 {
-  networking.firewall.allowedTCPPorts = [
+  sane.services.wan-ports.tcp = [
     # exposed over non-vpn imap.uninsane.org
     143 # IMAP
     993 # IMAPS
diff --git a/hosts/by-name/servo/services/email/postfix.nix b/hosts/by-name/servo/services/email/postfix.nix
index b6539547..a0e6becf 100644
--- a/hosts/by-name/servo/services/email/postfix.nix
+++ b/hosts/by-name/servo/services/email/postfix.nix
@@ -28,7 +28,7 @@ in
   #   "/var/lib/dovecot"
   ];
 
-  networking.firewall.allowedTCPPorts = [
+  sane.services.wan-ports.tcp = [
     # exposed over vpn mx.uninsane.org
     25 # SMTP
     465 # SMTPS
diff --git a/hosts/by-name/servo/services/jellyfin.nix b/hosts/by-name/servo/services/jellyfin.nix
index 438e2e39..f9f3980d 100644
--- a/hosts/by-name/servo/services/jellyfin.nix
+++ b/hosts/by-name/servo/services/jellyfin.nix
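Review bot: In the second ejabberd hunk the TURN relay range 49152–49408 is left on `networking.firewall.allowedTCPPortRanges`, so it stays open unconditionally while 3478/5222/5349 in the same file now depend on `sane.services.wan-ports.openFirewall`; the new TODO does not say why. The cause appears to be that wan-ports only accepts flat `listOf int` lists and has no range option, so the planned UPnP step would forward the signalling ports but miss the relay range the TURN server hands out. I would make the TODO say that: `# TODO: forward these TURN ports! sane.services.wan-ports has no port-range option yet, so this range bypasses openFirewall and will be skipped by any later UPnP forwarding.` The enclosing attribute set starts and ends outside the hunk.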
@@ -18,6 +18,7 @@
 {
   # identical to:
   # services.jellyfin.openFirewall = true;
+  # N.B.: these are all for the LAN, so we don't go through `sane.services.wan-ports`.
   networking.firewall.allowedUDPPorts = [
     # https://jellyfin.org/docs/general/networking/index.html
     1900 # UPnP service discovery
diff --git a/hosts/by-name/servo/services/nginx.nix b/hosts/by-name/servo/services/nginx.nix
index 9be5f3dc..6f9b9737 100644
--- a/hosts/by-name/servo/services/nginx.nix
+++ b/hosts/by-name/servo/services/nginx.nix
@@ -13,7 +13,7 @@ let
 
 in
 {
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  sane.services.wan-ports.tcp = [ 80 443 ];
 
   services.nginx.enable = true;
   services.nginx.appendConfig = ''
diff --git a/hosts/by-name/servo/services/prosody.nix b/hosts/by-name/servo/services/prosody.nix
index 92771e86..00c78665 100644
--- a/hosts/by-name/servo/services/prosody.nix
+++ b/hosts/by-name/servo/services/prosody.nix
@@ -12,7 +12,7 @@ lib.mkIf false
   sane.persist.sys.plaintext = [
     { user = "prosody"; group = "prosody"; directory = "/var/lib/prosody"; }
   ];
-  networking.firewall.allowedTCPPorts = [
+  sane.services.wan-ports.tcp = [
     5222 # XMPP client -> server
     5269 # XMPP server -> server
     5280 # bosh
diff --git a/hosts/common/net.nix b/hosts/common/net.nix
index 66b49da1..aa2f4fcb 100644
--- a/hosts/common/net.nix
+++ b/hosts/common/net.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ lib, ... }:
 
 {
   # the default backend is "wpa_supplicant".
diff --git a/hosts/modules/wg-home.nix b/hosts/modules/wg-home.nix
index f4b27b4b..cca17f9a 100644
--- a/hosts/modules/wg-home.nix
+++ b/hosts/modules/wg-home.nix
@@ -33,6 +33,11 @@ in
       type = types.bool;
       default = false;
     };
+    sane.services.wg-home.enableWan = mkOption {
+      type = types.bool;
+      default = false;
+      description = "whether to make this port visible on the WAN";
+    };
     sane.services.wg-home.ip = mkOption {
       type = types.str;
     };
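Review bot: In the wg-home option hunk the description `"whether to make this port visible on the WAN"` refers to "this port" without naming it; the reader only learns it is UDP 51820 from the config hunk further down, and it is not obvious that the option feeds `sane.services.wan-ports` rather than the firewall directly. I would write `description = "whether to declare the wg-home listen port (UDP 51820) in sane.services.wan-ports so it can be exposed/forwarded on the WAN";`. The options set this hunk sits in starts and ends outside the hunk.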
@@ -51,6 +56,7 @@ in
 
     # for convenience, have both the server and client use the same port for their wireguard connections.
     networking.firewall.allowedUDPPorts = [ 51820 ];
+    sane.services.wan-ports.udp = lib.mkIf cfg.enableWan [ 51820 ];
     networking.wireguard.interfaces.wg-home = {
       listenPort = 51820;
       privateKeyFile = "/run/wg-home.priv";
diff --git a/modules/services/default.nix b/modules/services/default.nix
index e5e7805e..aa9e175d 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -6,5 +6,6 @@
     ./mautrix-signal.nix
     ./nixserve.nix
     ./trust-dns.nix
+    ./wan-ports.nix
   ];
 }
diff --git a/modules/services/trust-dns.nix b/modules/services/trust-dns.nix
index 3919951d..531fc8f9 100644
--- a/modules/services/trust-dns.nix
+++ b/modules/services/trust-dns.nix
@@ -171,8 +171,8 @@ in
   config = mkIf cfg.enable {
     sane.services.trust-dns.generatedZones = mapAttrs (zone: zcfg: genZone zcfg) cfg.zones;
 
-    networking.firewall.allowedTCPPorts = [ 53 ];
-    networking.firewall.allowedUDPPorts = [ 53 ];
+    sane.services.wan-ports.tcp = [ 53 ];
+    sane.services.wan-ports.udp = [ 53 ];
 
     systemd.services.trust-dns = {
       description = "trust-dns DNS server";
diff --git a/modules/services/wan-ports.nix b/modules/services/wan-ports.nix
new file mode 100644
index 00000000..6e4140cc
--- /dev/null
+++ b/modules/services/wan-ports.nix
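Review bot: The trust-dns hunk changes behaviour for any host other than servo: port 53 used to be opened whenever `cfg.enable` was set, but the replacement only reaches `networking.firewall` when `sane.services.wan-ports.openFirewall` is true, and in this commit that flag is set only in hosts/by-name/servo/net.nix. This is a shared module under modules/services, so if another host enables trust-dns its resolver becomes unreachable through the firewall (fail-closed, but the commit message does not mention it). The wg-home hunk on this line avoids the problem by keeping `networking.firewall.allowedUDPPorts = [ 51820 ];` alongside the wan-ports declaration; trust-dns should either do the same or state the dependency, e.g. `# N.B.: port 53 is only opened when sane.services.wan-ports.openFirewall is set by the host.` The `config = mkIf cfg.enable {` block continues past the hunk.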
@@ -0,0 +1,35 @@
+{ config, lib, ... }:
+let
+  cfg = config.sane.services.wan-ports;
+in
+{
+  options = with lib; {
+    sane.services.wan-ports = {
+      openFirewall = mkOption {
+        default = false;
+        type = types.bool;
+      };
+
+      # TODO: openUpnp option
+
+      # TODO: rework this to look like:
+      # ports.53 = {
+      #   protocol = [ "udp" "tcp" ]; # have this be default
+      #   visibility = "wan"; # or "lan"
+      # }
+      tcp = mkOption {
+        type = types.listOf types.int;
+        default = [];
+      };
+      udp = mkOption {
+        type = types.listOf types.int;
+        default = [];
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.openFirewall {
+    networking.firewall.allowedTCPPorts = cfg.tcp;
+    networking.firewall.allowedUDPPorts = cfg.udp;
+  };
+}
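Review bot: `tcp` and `udp` are typed `types.listOf types.int`, which accepts negative or >65535 values and only fails later inside the firewall module; `types.listOf types.port` rejects them at evaluation time with the option name in the error. None of the three options carries a `description`, unlike the sibling `enableWan` option added in wg-home.nix in this same commit, and the `openFirewall = false` behaviour — every port declared anywhere in the configuration is silently collected but not opened — is exactly the kind of thing a reader will want documented, since flipping the flag later exposes all of them at once. The `mkIf` on `config` is fine as is.
```nix
      openFirewall = mkOption {
        default = false;
        type = types.bool;
        description = "open `tcp`/`udp` in networking.firewall. when false, declared ports are collected but nothing is exposed.";
      };
      # … unchanged: TODO comments …
      tcp = mkOption {
        type = types.listOf types.port;
        default = [];
        description = "TCP ports that should be reachable from the WAN";
      };
      udp = mkOption {
        type = types.listOf types.port;
        default = [];
        description = "UDP ports that should be reachable from the WAN";
      };
```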