ports: hide behind services.sane.wan-ports
Later I will use this to enable UPnP on the relevant ports.
This commit is contained in:
parent
aae118b476
commit
c1ddddddc0
|
@ -20,6 +20,7 @@
|
|||
sane.zsh.showDeadlines = false; # ~/knowledge doesn't always exist
|
||||
sane.services.dyn-dns.enable = true;
|
||||
sane.services.wg-home.enable = true;
|
||||
sane.services.wg-home.enableWan = true;
|
||||
sane.services.wg-home.ip = config.sane.hosts.by-name."servo".wg-home.ip;
|
||||
# sane.services.duplicity.enable = true; # TODO: re-enable after HW upgrade
|
||||
|
||||
|
|
|
@ -3,6 +3,8 @@
|
|||
{
|
||||
networking.domain = "uninsane.org";
|
||||
|
||||
sane.services.wan-ports.openFirewall = true;
|
||||
|
||||
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
|
||||
# Per-interface useDHCP will be mandatory in the future, so this generated config
|
||||
# replicates the default behaviour.
|
||||
|
|
|
@ -22,7 +22,7 @@
|
|||
sane.persist.sys.plaintext = [
|
||||
{ user = "ejabberd"; group = "ejabberd"; directory = "/var/lib/ejabberd"; }
|
||||
];
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
sane.services.wan-ports.tcp = [
|
||||
3478 # STUN/TURN
|
||||
5222 # XMPP client -> server
|
||||
5223 # XMPPS client -> server (XMPP over TLS)
|
||||
|
@ -33,9 +33,10 @@
|
|||
5349 # STUN/TURN (TLS)
|
||||
5443 # web services (file uploads, websockets, admin)
|
||||
];
|
||||
networking.firewall.allowedUDPPorts = [
|
||||
sane.services.wan-ports.udp = [
|
||||
3478 # STUN/TURN
|
||||
];
|
||||
# TODO: forward these TURN ports!
|
||||
networking.firewall.allowedTCPPortRanges = [{
|
||||
from = 49152; # TURN
|
||||
to = 49408;
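Review bot: The TURN relay range (`networking.firewall.allowedTCPPortRanges`, from 49152 to 49408) is left on the direct firewall path while the single ports above it move to `sane.services.wan-ports`, so it stays open on every host that imports this module regardless of `openFirewall`, and the new module offers no range option to carry it. The `# TODO: forward these TURN ports!` comment suggests the range is meant to be WAN-facing like the rest, so this split is easy to miss later. Until wan-ports grows a range option I would record the gap in the comment: `# TODO: forward these TURN ports! (still on networking.firewall directly: wan-ports has no port-range option yet)`. The enclosing attribute set continues outside the hunk.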
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
|
||||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
sane.services.wan-ports.tcp = [
|
||||
# exposed over non-vpn imap.uninsane.org
|
||||
143 # IMAP
|
||||
993 # IMAPS
|
||||
|
|
|
@ -28,7 +28,7 @@ in
|
|||
# "/var/lib/dovecot"
|
||||
];
|
||||
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
sane.services.wan-ports.tcp = [
|
||||
# exposed over vpn mx.uninsane.org
|
||||
25 # SMTP
|
||||
465 # SMTPS
|
||||
|
|
|
@ -18,6 +18,7 @@
|
|||
{
|
||||
# identical to:
|
||||
# services.jellyfin.openFirewall = true;
|
||||
# N.B.: these are all for the LAN, so we don't go through `sane.services.wan-ports`.
|
||||
networking.firewall.allowedUDPPorts = [
|
||||
# https://jellyfin.org/docs/general/networking/index.html
|
||||
1900 # UPnP service discovery
|
||||
|
|
|
@ -13,7 +13,7 @@ let
|
|||
in
|
||||
{
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
sane.services.wan-ports.tcp = [ 80 443 ];
|
||||
|
||||
services.nginx.enable = true;
|
||||
services.nginx.appendConfig = ''
|
||||
|
|
|
@ -12,7 +12,7 @@ lib.mkIf false
|
|||
sane.persist.sys.plaintext = [
|
||||
{ user = "prosody"; group = "prosody"; directory = "/var/lib/prosody"; }
|
||||
];
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
sane.services.wan-ports.tcp = [
|
||||
5222 # XMPP client -> server
|
||||
5269 # XMPP server -> server
|
||||
5280 # bosh
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
{ lib, ... }:
|
||||
|
||||
{
|
||||
# the default backend is "wpa_supplicant".
|
||||
|
|
|
@ -33,6 +33,11 @@ in
|
|||
type = types.bool;
|
||||
default = false;
|
||||
};
|
||||
sane.services.wg-home.enableWan = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "whether to make this port visible on the WAN";
|
||||
};
|
||||
sane.services.wg-home.ip = mkOption {
|
||||
type = types.str;
|
||||
};
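Review bot: The `enableWan` description, `description = "whether to make this port visible on the WAN";`, says "this port" without naming it, and the option sits well away from the port it governs; I would write `description = "whether to expose the wireguard listen port (51820/udp) on the WAN via sane.services.wan-ports";`. The `ip` option added in the same hunk carries no description at all, so a one-line `description` stating what address it holds would help too. The enclosing options set starts outside the hunk.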
|
||||
|
@ -51,6 +56,7 @@ in
|
|||
|
||||
# for convenience, have both the server and client use the same port for their wireguard connections.
|
||||
networking.firewall.allowedUDPPorts = [ 51820 ];
|
||||
sane.services.wan-ports.udp = lib.mkIf cfg.enableWan [ 51820 ];
|
||||
networking.wireguard.interfaces.wg-home = {
|
||||
listenPort = 51820;
|
||||
privateKeyFile = "/run/wg-home.priv";
|
||||
|
|
|
@ -6,5 +6,6 @@
|
|||
./mautrix-signal.nix
|
||||
./nixserve.nix
|
||||
./trust-dns.nix
|
||||
./wan-ports.nix
|
||||
];
|
||||
}
|
||||
|
|
|
@ -171,8 +171,8 @@ in
|
|||
|
||||
config = mkIf cfg.enable {
|
||||
sane.services.trust-dns.generatedZones = mapAttrs (zone: zcfg: genZone zcfg) cfg.zones;
|
||||
networking.firewall.allowedTCPPorts = [ 53 ];
|
||||
networking.firewall.allowedUDPPorts = [ 53 ];
|
||||
sane.services.wan-ports.tcp = [ 53 ];
|
||||
sane.services.wan-ports.udp = [ 53 ];
|
||||
|
||||
systemd.services.trust-dns = {
|
||||
description = "trust-dns DNS server";
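Review bot: Moving 53/tcp and 53/udp from `networking.firewall.allowed*Ports` to `sane.services.wan-ports.{tcp,udp}` changes when the port is opened: before it was unconditional whenever `cfg.enable` held, now it is opened only on hosts that also set `sane.services.wan-ports.openFirewall = true`. That is presumably intended for a WAN-facing authoritative server, but any host that served DNS to LAN clients only now has 53 closed without any evaluation-time signal. A short comment at the new lines would make the dependency explicit: `# port 53 is only opened when sane.services.wan-ports.openFirewall is set on this host`. The `config = mkIf cfg.enable` block continues outside the hunk.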
|
||||
|
|
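--- /dev/null
+++ b/modules/services/wan-ports.nix
@@ -0,0 +1,35 @@
+{ config, lib, ... }:
+let
+cfg = config.sane.services.wan-ports;
+in
+{
+options = with lib; {
+sane.services.wan-ports = {
+openFirewall = mkOption {
+default = false;
+type = types.bool;
+};
+
+# TODO: openUpnp option
+
+# TODO: rework this to look like:
+# ports.53 = {
+# protocol = [ "udp" "tcp" ]; # have this be default
+# visibility = "wan"; # or "lan"
+# }
+tcp = mkOption {
+type = types.listOf types.int;
+default = [];
+};
+udp = mkOption {
+type = types.listOf types.int;
+default = [];
+};
+};
+};
+
+config = lib.mkIf cfg.openFirewall {
+networking.firewall.allowedTCPPorts = cfg.tcp;
+networking.firewall.allowedUDPPorts = cfg.udp;
+};
+}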
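Review bot: The `tcp` and `udp` options are typed `types.listOf types.int`, which accepts negative or >65535 values; because the values only reach `networking.firewall.allowed*Ports` inside `lib.mkIf cfg.openFirewall`, a bad entry on a host with `openFirewall = false` is never checked at all, and `types.listOf types.port` would catch it at declaration on every host — `type = types.listOf types.port;` for both options. None of the three options has a `description`, and the behaviour a caller most needs to know — that ports listed here are silently not opened unless `openFirewall` is set — is stated nowhere; I would add `description = "open every port listed in sane.services.wan-ports.{tcp,udp} in this host's firewall; when false the lists are kept but nothing is opened";` on `openFirewall`, and on `tcp`/`udp` a sentence saying they are for WAN-facing services only, with LAN-only services staying on `networking.firewall` directly as the jellyfin hunk notes.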