ports: hide behind services.sane.wan-ports
later i will use this to enable UPnP on relevant ports
This commit is contained in:
parent
aae118b476
commit
c1ddddddc0
|
@ -20,6 +20,7 @@
|
||||||
sane.zsh.showDeadlines = false; # ~/knowledge doesn't always exist
|
sane.zsh.showDeadlines = false; # ~/knowledge doesn't always exist
|
||||||
sane.services.dyn-dns.enable = true;
|
sane.services.dyn-dns.enable = true;
|
||||||
sane.services.wg-home.enable = true;
|
sane.services.wg-home.enable = true;
|
||||||
|
sane.services.wg-home.enableWan = true;
|
||||||
sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;
|
sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;
|
||||||
# sane.services.duplicity.enable = true; # TODO: re-enable after HW upgrade
|
# sane.services.duplicity.enable = true; # TODO: re-enable after HW upgrade
|
||||||
|
|
||||||
|
|
|
@ -3,6 +3,8 @@
|
||||||
{
|
{
|
||||||
networking.domain = "uninsane.org";
|
networking.domain = "uninsane.org";
|
||||||
|
|
||||||
|
sane.services.wan-ports.openFirewall = true;
|
||||||
|
|
||||||
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
|
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
|
||||||
# Per-interface useDHCP will be mandatory in the future, so this generated config
|
# Per-interface useDHCP will be mandatory in the future, so this generated config
|
||||||
# replicates the default behaviour.
|
# replicates the default behaviour.
|
||||||
|
|
|
@ -22,7 +22,7 @@
|
||||||
sane.persist.sys.plaintext = [
|
sane.persist.sys.plaintext = [
|
||||||
{ user = "ejabberd"; group = "ejabberd"; directory = "/var/lib/ejabberd"; }
|
{ user = "ejabberd"; group = "ejabberd"; directory = "/var/lib/ejabberd"; }
|
||||||
];
|
];
|
||||||
networking.firewall.allowedTCPPorts = [
|
sane.services.wan-ports.tcp = [
|
||||||
3478 # STUN/TURN
|
3478 # STUN/TURN
|
||||||
5222 # XMPP client -> server
|
5222 # XMPP client -> server
|
||||||
5223 # XMPPS client -> server (XMPP over TLS)
|
5223 # XMPPS client -> server (XMPP over TLS)
|
||||||
|
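Review bot: Moving this list to `sane.services.wan-ports.tcp` makes the XMPP and TURN ports conditional on `sane.services.wan-ports.openFirewall`, which the new module defaults to false, so a host that enables ejabberd without also setting that flag keeps these ports closed with no error; the same applies to the dovecot, postfix, nginx, prosody and trust-dns hunks below. If closed-by-default is the intent for non-WAN hosts, a one-line comment at the list would spare the next reader a trip to the module, e.g. `# only opened on hosts that set sane.services.wan-ports.openFirewall`. Otherwise an assertion in wan-ports.nix that fires when tcp or udp is non-empty while openFirewall is false would turn the silent no-op into a build error. The enclosing attribute set and the rest of the list continue outside this hunk.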
@ -33,9 +33,10 @@
|
||||||
5349 # STUN/TURN (TLS)
|
5349 # STUN/TURN (TLS)
|
||||||
5443 # web services (file uploads, websockets, admin)
|
5443 # web services (file uploads, websockets, admin)
|
||||||
];
|
];
|
||||||
networking.firewall.allowedUDPPorts = [
|
sane.services.wan-ports.udp = [
|
||||||
3478 # STUN/TURN
|
3478 # STUN/TURN
|
||||||
];
|
];
|
||||||
|
# TODO: forward these TURN ports!
|
||||||
networking.firewall.allowedTCPPortRanges = [{
|
networking.firewall.allowedTCPPortRanges = [{
|
||||||
from = 49152; # TURN
|
from = 49152; # TURN
|
||||||
to = 49408;
|
to = 49408;
|
||||||
|
|
|
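Review bot: The TURN relay range on `networking.firewall.allowedTCPPortRanges` stays on the raw firewall while the single ports above moved to `sane.services.wan-ports`, so the new module has no record of 49152-49408 and the UPnP step the commit message plans will not see it; the added `# TODO: forward these TURN ports!` acknowledges as much. A `tcpRanges`/`udpRanges` option on wan-ports mirroring `allowedTCPPortRanges` would let this block migrate with the rest, e.g. `sane.services.wan-ports.tcpRanges = [{ from = 49152; to = 49408; }];`. The range list and whatever follows it continue past the end of the hunk.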
@ -6,7 +6,7 @@
|
||||||
|
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
{
|
{
|
||||||
networking.firewall.allowedTCPPorts = [
|
sane.services.wan-ports.tcp = [
|
||||||
# exposed over non-vpn imap.uninsane.org
|
# exposed over non-vpn imap.uninsane.org
|
||||||
143 # IMAP
|
143 # IMAP
|
||||||
993 # IMAPS
|
993 # IMAPS
|
||||||
|
|
|
@ -28,7 +28,7 @@ in
|
||||||
# "/var/lib/dovecot"
|
# "/var/lib/dovecot"
|
||||||
];
|
];
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [
|
sane.services.wan-ports.tcp = [
|
||||||
# exposed over vpn mx.uninsane.org
|
# exposed over vpn mx.uninsane.org
|
||||||
25 # SMTP
|
25 # SMTP
|
||||||
465 # SMTPS
|
465 # SMTPS
|
||||||
|
|
|
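Review bot: The ports under the `# exposed over vpn mx.uninsane.org` comment are now declared in `sane.services.wan-ports.tcp`, which the commit message says will later drive UPnP forwarding, so SMTP 25/465 would be forwarded from the WAN even though the comment says they are reached over the VPN. Today the behaviour is unchanged, because openFirewall only feeds the host firewall, but it is worth deciding now which is meant: either keep these on `networking.firewall.allowedTCPPorts` with a jellyfin-style `# N.B.: reached over the VPN, so we don't go through sane.services.wan-ports` note, or update the comment if the VPN wording is stale. The list continues outside the hunk.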
@ -18,6 +18,7 @@
|
||||||
{
|
{
|
||||||
# identical to:
|
# identical to:
|
||||||
# services.jellyfin.openFirewall = true;
|
# services.jellyfin.openFirewall = true;
|
||||||
|
# N.B.: these are all for the LAN, so we don't go through `sane.services.wan-ports`.
|
||||||
networking.firewall.allowedUDPPorts = [
|
networking.firewall.allowedUDPPorts = [
|
||||||
# https://jellyfin.org/docs/general/networking/index.html
|
# https://jellyfin.org/docs/general/networking/index.html
|
||||||
1900 # UPnP service discovery
|
1900 # UPnP service discovery
|
||||||
|
|
|
@ -13,7 +13,7 @@ let
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
sane.services.wan-ports.tcp = [ 80 443 ];
|
||||||
|
|
||||||
services.nginx.enable = true;
|
services.nginx.enable = true;
|
||||||
services.nginx.appendConfig = ''
|
services.nginx.appendConfig = ''
|
||||||
|
|
|
@ -12,7 +12,7 @@ lib.mkIf false
|
||||||
sane.persist.sys.plaintext = [
|
sane.persist.sys.plaintext = [
|
||||||
{ user = "prosody"; group = "prosody"; directory = "/var/lib/prosody"; }
|
{ user = "prosody"; group = "prosody"; directory = "/var/lib/prosody"; }
|
||||||
];
|
];
|
||||||
networking.firewall.allowedTCPPorts = [
|
sane.services.wan-ports.tcp = [
|
||||||
5222 # XMPP client -> server
|
5222 # XMPP client -> server
|
||||||
5269 # XMPP server -> server
|
5269 # XMPP server -> server
|
||||||
5280 # bosh
|
5280 # bosh
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ lib, ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
# the default backend is "wpa_supplicant".
|
# the default backend is "wpa_supplicant".
|
||||||
|
|
|
@ -33,6 +33,11 @@ in
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = false;
|
default = false;
|
||||||
};
|
};
|
||||||
|
sane.services.wg-home.enableWan = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description = "whether to make this port visible on the WAN";
|
||||||
|
};
|
||||||
sane.services.wg-home.ip = mkOption {
|
sane.services.wg-home.ip = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
};
|
};
|
||||||
|
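Review bot: The description `"whether to make this port visible on the WAN"` does not say which port it means, and the option lives on `sane.services.wg-home` rather than on a port; since the only effect visible in this commit is adding 51820/udp to `sane.services.wan-ports.udp`, the text should say so: `description = "whether to expose the wg-home listen port (51820/udp) via sane.services.wan-ports";`. The neighbouring `ip` option still carries no description at all, so this is a good moment to add one for it too.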
@ -51,6 +56,7 @@ in
|
||||||
|
|
||||||
# for convenience, have both the server and client use the same port for their wireguard connections.
|
# for convenience, have both the server and client use the same port for their wireguard connections.
|
||||||
networking.firewall.allowedUDPPorts = [ 51820 ];
|
networking.firewall.allowedUDPPorts = [ 51820 ];
|
||||||
|
sane.services.wan-ports.udp = lib.mkIf cfg.enableWan [ 51820 ];
|
||||||
networking.wireguard.interfaces.wg-home = {
|
networking.wireguard.interfaces.wg-home = {
|
||||||
listenPort = 51820;
|
listenPort = 51820;
|
||||||
privateKeyFile = "/run/wg-home.priv";
|
privateKeyFile = "/run/wg-home.priv";
|
||||||
|
|
|
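Review bot: `networking.firewall.allowedUDPPorts = [ 51820 ];` stays unconditional while the new `sane.services.wan-ports.udp = lib.mkIf cfg.enableWan [ 51820 ];` is gated, so with `enableWan = false` the host firewall still accepts WireGuard on every interface; the flag only changes what the wan-ports module (and the planned UPnP step) sees. That is presumably intended so LAN peers keep working, but it deserves a comment so nobody later "fixes" it, e.g. `# always open on the host firewall for LAN peers; enableWan only adds it to wan-ports (WAN exposure / UPnP)`. When both enableWan and openFirewall are true the port is listed twice in allowedUDPPorts, which appears to be harmless but is worth knowing when reading the generated rules.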
@ -6,5 +6,6 @@
|
||||||
./mautrix-signal.nix
|
./mautrix-signal.nix
|
||||||
./nixserve.nix
|
./nixserve.nix
|
||||||
./trust-dns.nix
|
./trust-dns.nix
|
||||||
|
./wan-ports.nix
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -171,8 +171,8 @@ in
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
sane.services.trust-dns.generatedZones = mapAttrs (zone: zcfg: genZone zcfg) cfg.zones;
|
sane.services.trust-dns.generatedZones = mapAttrs (zone: zcfg: genZone zcfg) cfg.zones;
|
||||||
networking.firewall.allowedTCPPorts = [ 53 ];
|
sane.services.wan-ports.tcp = [ 53 ];
|
||||||
networking.firewall.allowedUDPPorts = [ 53 ];
|
sane.services.wan-ports.udp = [ 53 ];
|
||||||
|
|
||||||
systemd.services.trust-dns = {
|
systemd.services.trust-dns = {
|
||||||
description = "trust-dns DNS server";
|
description = "trust-dns DNS server";
|
||||||
|
|
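--- a/modules/services/wan-ports.nix
+++ b/modules/services/wan-ports.nix
@@ -0,0 +1,35 @@
+{ config, lib, ... }:
+let
+cfg = config.sane.services.wan-ports;
+in
+{
+options = with lib; {
+sane.services.wan-ports = {
+openFirewall = mkOption {
+default = false;
+type = types.bool;
+};
+
+# TODO: openUpnp option
+
+# TODO: rework this to look like:
+# ports.53 = {
+# protocol = [ "udp" "tcp" ]; # have this be default
+# visibility = "wan"; # or "lan"
+# }
+tcp = mkOption {
+type = types.listOf types.int;
+default = [];
+};
+udp = mkOption {
+type = types.listOf types.int;
+default = [];
+};
+};
+};
+
+config = lib.mkIf cfg.openFirewall {
+networking.firewall.allowedTCPPorts = cfg.tcp;
+networking.firewall.allowedUDPPorts = cfg.udp;
+};
+}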
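Review bot: `tcp` and `udp` are typed `types.listOf types.int`, which accepts values such as -1 or 70000 that only fail later, far from the declaration, when they reach `networking.firewall.allowedTCPPorts`; `types.port` exists for exactly this case: `type = types.listOf types.port;` on both options. None of the three options carries a `description`, so a one-liner each would help: for `openFirewall`, that it opens the listed ports on the host firewall; for `tcp`/`udp`, that they collect the ports this host exposes on the WAN so a later UPnP step can forward them. Because `config` is wrapped in `lib.mkIf cfg.openFirewall` with a default of false, every `sane.services.wan-ports.tcp` declaration elsewhere in this commit is a silent no-op on hosts that do not set the flag; if closed-by-default is deliberate, say so in the `openFirewall` description, and otherwise an assertion that `cfg.openFirewall || (cfg.tcp == [] && cfg.udp == [])` would surface the misconfiguration at build time.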