ports: hide behind services.sane.wan-ports

later i will use this to enable UPnP on relevant ports
2023-05-26 23:28:30 +00:00 · 2023-05-26 23:28:30 +00:00 · c1ddddddc0
commit c1ddddddc0
parent aae118b476
13 changed files with 56 additions and 9 deletions
--- a/hosts/by-name/servo/default.nix
+++ b/hosts/by-name/servo/default.nix
@ -20,6 +20,7 @@
  sane.zsh.showDeadlines = false;  # ~/knowledge doesn't always exist
  sane.services.dyn-dns.enable = true;
  sane.services.wg-home.enable = true;
  sane.services.wg-home.enableWan = true;
  sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;
  # sane.services.duplicity.enable = true;  # TODO: re-enable after HW upgrade
--- a/hosts/by-name/servo/net.nix
+++ b/hosts/by-name/servo/net.nix
@ -3,6 +3,8 @@
 {
  networking.domain = "uninsane.org";
  sane.services.wan-ports.openFirewall = true;
  # The global useDHCP flag is deprecated, therefore explicitly set to false here.
  # Per-interface useDHCP will be mandatory in the future, so this generated config
  # replicates the default behaviour.
--- a/hosts/by-name/servo/services/ejabberd.nix
+++ b/hosts/by-name/servo/services/ejabberd.nix
@ -22,7 +22,7 @@
  sane.persist.sys.plaintext = [
    { user = "ejabberd"; group = "ejabberd"; directory = "/var/lib/ejabberd"; }
  ];
-  networking.firewall.allowedTCPPorts = [
+  sane.services.wan-ports.tcp = [
    3478  # STUN/TURN
    5222  # XMPP  client -> server
    5223  # XMPPS client -> server (XMPP over TLS)
@ -33,9 +33,10 @@
    5349  # STUN/TURN (TLS)
    5443  # web services (file uploads, websockets, admin)
  ];
-  networking.firewall.allowedUDPPorts = [
+  sane.services.wan-ports.udp = [
    3478  # STUN/TURN
  ];
  # TODO: forward these TURN ports!
  networking.firewall.allowedTCPPortRanges = [{
    from = 49152;  # TURN
    to = 49408;
--- a/hosts/by-name/servo/services/email/dovecot.nix
+++ b/hosts/by-name/servo/services/email/dovecot.nix
@ -6,7 +6,7 @@
 { config, lib, pkgs, ... }:
 {
-  networking.firewall.allowedTCPPorts = [
+  sane.services.wan-ports.tcp = [
    # exposed over non-vpn imap.uninsane.org
    143  # IMAP
    993  # IMAPS
--- a/hosts/by-name/servo/services/email/postfix.nix
+++ b/hosts/by-name/servo/services/email/postfix.nix
@ -28,7 +28,7 @@ in
    # "/var/lib/dovecot"
  ];
-  networking.firewall.allowedTCPPorts = [
+  sane.services.wan-ports.tcp = [
    # exposed over vpn mx.uninsane.org
    25   # SMTP
    465  # SMTPS
--- a/hosts/by-name/servo/services/jellyfin.nix
+++ b/hosts/by-name/servo/services/jellyfin.nix
@ -18,6 +18,7 @@
 {
  # identical to:
  # services.jellyfin.openFirewall = true;
  # N.B.: these are all for the LAN, so we don't go through `sane.services.wan-ports`.
  networking.firewall.allowedUDPPorts = [
    # https://jellyfin.org/docs/general/networking/index.html
    1900  # UPnP service discovery
--- a/hosts/by-name/servo/services/nginx.nix
+++ b/hosts/by-name/servo/services/nginx.nix
@ -13,7 +13,7 @@ let
 in
 {
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  sane.services.wan-ports.tcp = [ 80 443 ];
  services.nginx.enable = true;
  services.nginx.appendConfig = ''
--- a/hosts/by-name/servo/services/prosody.nix
+++ b/hosts/by-name/servo/services/prosody.nix
@ -12,7 +12,7 @@ lib.mkIf false
  sane.persist.sys.plaintext = [
    { user = "prosody"; group = "prosody"; directory = "/var/lib/prosody"; }
  ];
-  networking.firewall.allowedTCPPorts = [
+  sane.services.wan-ports.tcp = [
    5222  # XMPP client -> server
    5269  # XMPP server -> server
    5280  # bosh
--- a/hosts/common/net.nix
+++ b/hosts/common/net.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ lib, ... }:
 {
  # the default backend is "wpa_supplicant".
--- a/hosts/modules/wg-home.nix
+++ b/hosts/modules/wg-home.nix
@ -33,6 +33,11 @@ in
      type = types.bool;
      default = false;
    };
    sane.services.wg-home.enableWan = mkOption {
      type = types.bool;
      default = false;
      description = "whether to make this port visible on the WAN";
    };
    sane.services.wg-home.ip = mkOption {
      type = types.str;
    };
@ -51,6 +56,7 @@ in
    # for convenience, have both the server and client use the same port for their wireguard connections.
    networking.firewall.allowedUDPPorts = [ 51820 ];
    sane.services.wan-ports.udp = lib.mkIf cfg.enableWan [ 51820 ];
    networking.wireguard.interfaces.wg-home = {
      listenPort = 51820;
      privateKeyFile = "/run/wg-home.priv";
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@ -6,5 +6,6 @@
    ./mautrix-signal.nix
    ./nixserve.nix
    ./trust-dns.nix
    ./wan-ports.nix
  ];
 }
--- a/modules/services/trust-dns.nix
+++ b/modules/services/trust-dns.nix
@ -171,8 +171,8 @@ in
  config = mkIf cfg.enable {
    sane.services.trust-dns.generatedZones = mapAttrs (zone: zcfg: genZone zcfg) cfg.zones;
-    networking.firewall.allowedTCPPorts = [ 53 ];
+    sane.services.wan-ports.tcp = [ 53 ];
-    networking.firewall.allowedUDPPorts = [ 53 ];
+    sane.services.wan-ports.udp = [ 53 ];
    systemd.services.trust-dns = {
      description = "trust-dns DNS server";
--- a/modules/services/wan-ports.nix
+++ b/modules/services/wan-ports.nix
@ -0,0 +1,35 @@
 { config, lib, ... }:
 let
  cfg = config.sane.services.wan-ports;
 in
 {
  options = with lib; {
    sane.services.wan-ports = {
      openFirewall = mkOption {
        default = false;
        type = types.bool;
      };
      # TODO: openUpnp option
      # TODO: rework this to look like:
      # ports.53 = {
      #   protocol = [ "udp" "tcp" ];  # have this be default
      #   visibility = "wan";  # or "lan"
      # }
      tcp = mkOption {
        type = types.listOf types.int;
        default = [];
      };
      udp = mkOption {
        type = types.listOf types.int;
        default = [];
      };
    };
  };
  config = lib.mkIf cfg.openFirewall {
    networking.firewall.allowedTCPPorts = cfg.tcp;
    networking.firewall.allowedUDPPorts = cfg.udp;
  };
 }