Fix nftables based firewall

2023-01-14 04:05:21 +01:00 · 2023-01-14 04:05:21 +01:00 · 37fbf0808e
parent d59e0ed14b
commit 37fbf0808e
5 changed files with 41 additions and 67 deletions
--- a/nixos/machines/hera/cloud.nix
+++ b/nixos/machines/hera/cloud.nix
@ -104,16 +104,12 @@ with lib; let
          address = hosts.hera-intern-v4;
          interface = "eth0";
        };
-        firewall.allowedTCPPorts = [80 443];
+        firewall.allowedTCPPorts = [80 443 9100 9113];
      };

      systemd.services = nextcloudServices hostname;
      services = {
        nextcloud = nextcloudConf hostname;
-        prometheus.exporters = {
-          node.openFirewall = true;
-          nginx.openFirewall = true;
-        };
        nginx.appendHttpConfig = "access_log off;";
        redis.servers."".enable = true;

@ -132,7 +128,7 @@ in {
    services =
      {
        rss-server = {
-          serviceConfig.ExecStart = "${pkgs.python3}/bin/python -m http.server 8842 -d /var/www/rss";
+          serviceConfig.ExecStart = "${pkgs.python3}/bin/python -m http.server --bind ${hosts.vpn.hera} 8842 -d /var/www/rss";
          wantedBy = ["multi-user.target"];
        };
      }
--- a/nixos/machines/hera/network.nix
+++ b/nixos/machines/hera/network.nix
@ -35,15 +35,6 @@ in {
      interface = "ens18";
    };

-    #firewall = {
-    #  extraCommands = ''
-    #    ip6tables -A INPUT -i m0wire -j ACCEPT
-    #    ip6tables -A FORWARD -p ipv6-icmp -j ACCEPT
-    #    ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-    #    ip6tables -A FORWARD ! -i m0wire -j nixos-fw-log-refuse
-    #  '';
-    #};
-
    bridges.bridge.interfaces = [];
    interfaces.bridge = {
      proxyARP = true;
--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
@ -3,8 +3,29 @@
  config,
  lib,
  ...
-}: {
+}: let
+  inherit (import ../../nix/sources.nix) nixos-unstable;
+  networkingModule = name: "${nixos-unstable}/nixos/modules/services/networking/${name}.nix";
+in {
+  # nftables using module not available in 22.11.
+  disabledModules = [
+    "services/networking/firewall.nix"
+    "services/networking/nftables.nix"
+    "services/networking/nat.nix"
+    "services/networking/redsocks.nix"
+    "services/networking/miniupnpd.nix"
+    "services/audio/roon-server.nix"
+    "services/audio/roon-bridge.nix"
+  ];
+
  imports = [
+    (networkingModule "firewall-iptables")
+    (networkingModule "firewall-nftables")
+    (networkingModule "firewall")
+    (networkingModule "nat-iptables")
+    (networkingModule "nat-nftables")
+    (networkingModule "nat")
+    (networkingModule "nftables")
    ../../common
    ./admin.nix
  ];
@ -23,7 +44,12 @@

  networking = {
    resolvconf.dnsExtensionMechanism = false; # this breaks dnssec but is necessary for certain bad-behaved hotspots
-    firewall.allowPing = true;
+    firewall = {
+      enable = true; # It’s the default, but better make sure.
+      allowPing = true;
+      extraInputRules = "meta iifname m0wire accept comment \"My VPN\"";
+    };
+    nftables.enable = true; # Uses firewall variables since 23.05
    useDHCP = false; # enabled per interface
    hosts =
      lib.zipAttrs
@ -171,17 +197,16 @@
  services = {
    logind.killUserProcesses = false;
    journald.extraConfig = "SystemMaxUse=5G";
-    #prometheus.exporters = {
-    #  node = {
-    #    enable = false;
-    #    enabledCollectors = ["systemd" "logind"];
-    #    disabledCollectors = ["timex"];
-    #  };
-    #  nginx = {
-    #    inherit (config.services.nginx) enable;
-    #    # openFirewall = true;
-    #  };
-    #};
+    prometheus.exporters = {
+      node = {
+        enable = true;
+        enabledCollectors = ["systemd" "logind"];
+        disabledCollectors = ["timex"];
+      };
+      nginx = {
+        inherit (config.services.nginx) enable;
+      };
+    };
    nginx = {
      statusPage = true;
      recommendedOptimisation = true;
--- a/nixos/roles/monitoring/prometheus.nix
+++ b/nixos/roles/monitoring/prometheus.nix
@ -8,12 +8,6 @@
    prometheus = {
      enable = true;
      extraFlags = ["--query.lookback-delta=180m" "--storage.tsdb.retention.time=720d"];
-      exporters = {
-        blackbox = {
-          enable = true;
-          configFile = ./blackbox_rules.yml;
-        };
-      };
      ruleFiles = [./rules.yml];
      scrapeConfigs = let
        alert_type = "infrastructure";
--- a/nixos/roles/standalone/default.nix
+++ b/nixos/roles/standalone/default.nix
@ -2,39 +2,7 @@
  pkgs,
  config,
  ...
-}: let
-  inherit (import ../../../nix/sources.nix) nixos-unstable;
-  networkingModule = name: "${nixos-unstable}/nixos/modules/services/networking/${name}.nix";
-in {
-  # nftables using module not available in 22.11.
-  disabledModules = [
-    "services/networking/firewall.nix"
-    "services/networking/nftables.nix"
-    "services/networking/nat.nix"
-    "services/networking/redsocks.nix"
-    "services/networking/miniupnpd.nix"
-    "services/monitoring/prometheus/exporters.nix"
-    "services/audio/roon-server.nix"
-    "services/audio/roon-bridge.nix"
-  ];
-
-  imports = [
-    (networkingModule "firewall-iptables")
-    (networkingModule "firewall-nftables")
-    (networkingModule "firewall")
-    (networkingModule "nat-iptables")
-    (networkingModule "nat-nftables")
-    (networkingModule "nat")
-    (networkingModule "nftables")
-  ];
-
-  networking = {
-    firewall = {
-      enable = true; # It’s the default, but better make sure.
-    };
-    nftables.enable = true; # Uses firewall variables since 23.05
-  };
-
+}: {
  boot = {
    plymouth.enable = true;
    loader = {