diff --git a/config/jawz.nix b/config/jawz.nix
index cecc749..abff911 100644
--- a/config/jawz.nix
+++ b/config/jawz.nix
@@ -3,7 +3,9 @@
 let
 inherit (config.networking) hostName;
 nixosHosts = lib.attrNames config.my.ips
- |> lib.filter (name: !(lib.hasPrefix "wg-" name) && name != "vps" && name != "router" && name != hostName);
+ |> lib.filter (
+ name: !(lib.hasPrefix "wg-" name) && name != "vps" && name != "router" && name != hostName
+ );
 nixosHostsMatch = lib.concatStringsSep " " nixosHosts;
 in
 {
diff --git a/flake.nix b/flake.nix
index 7cbd8bf..43c2f44 100644
--- a/flake.nix
+++ b/flake.nix
@@ -99,7 +99,7 @@
 workstation = createConfig "workstation" inputs.nixpkgs;
 miniserver = createConfig "miniserver" inputs.nixpkgs-small;
 server = createConfig "server" inputs.nixpkgs-small;
-
+
 };
 packages.${system} = (jawz-scripts.packages.${system} or { });
 devShells.${system} = builtins.listToAttrs (
diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index e3cdd1b..ee28bf3 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -17,6 +17,14 @@
 ../../secrets/ssh/ed25519_nixworkstation.pub
 ../../secrets/ssh/ed25519_nixminiserver.pub
 ];
+ network.firewall.enabledServicePorts = true;
+ network.firewall.additionalPorts = [
+ 2049 # idk
+ 8384 # syncthing gui
+ 22000 # syncthing relay
+ 3452 # sonarqube
+ 8448 # synapse ssl
+ ];
 };
 nix.buildMachines = [
 {
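Review bot: The new `network.firewall.additionalPorts` list no longer contains `config.services.gitea.settings.server.SSH_PORT`, which the replaced `ports` list in the next hunk of this file carried, so Gitea's SSH listener stops being reachable through the firewall unless that port is declared somewhere not shown here (the option's own description even names gitea as an intended entry). Adding `config.services.gitea.settings.server.SSH_PORT` back to this list, or having the gitea module contribute it, preserves the previous behaviour. `2049 # idk` opens the NFS port on every interface with no recorded justification; a firewall exception nobody can explain should either be removed or get a comment naming the client that needs it. The attribute set this hunk edits starts outside the hunk.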
@@ -29,45 +37,28 @@
 }
 ];
 sops.secrets."vps/home/private".sopsFile = ../../secrets/wireguard.yaml;
- networking =
- let
- enabledPorts =
- config.my.servers
- |> lib.filterAttrs (_: srv: (srv.enable or false) && (srv ? port))
- |> lib.attrValues
- |> map (srv: srv.port);
- ports = enabledPorts ++ [
- 2049 # idk
- 8384 # syncthing gui
- 22000 # syncthing relay
- 3452 # sonarqube
- 8448 # synapse ssl
- config.services.gitea.settings.server.SSH_PORT
- ];
- in
- {
- hostName = "server";
- firewall = {
- allowedTCPPorts = ports;
- allowedUDPPorts = ports;
- interfaces.wg0.allowedTCPPorts = [ 8081 ];
- };
- wireguard.interfaces.wg0 = {
- ips = [ "${config.my.ips.wg-server}/32" ];
- privateKeyFile = config.sops.secrets."vps/home/private".path;
- peers = [
- {
- publicKey = "dFbiSekBwnZomarcS31o5+w6imHjMPNCipkfc2fZ3GY=";
- endpoint = "${config.my.ips.vps}:51820";
- allowedIPs = [
- "${config.my.ips.wg-vps}/32"
- "${config.my.ips.wg-friends}/24" # all friends
- ];
- persistentKeepalive = 25;
- }
- ];
- };
+ networking = {
+ hostName = "server";
+ firewall = {
+ allowedUDPPorts = config.networking.firewall.allowedTCPPorts;
+ interfaces.wg0.allowedTCPPorts = [ 8081 ];
 };
+ wireguard.interfaces.wg0 = {
+ ips = [ "${config.my.ips.wg-server}/32" ];
+ privateKeyFile = config.sops.secrets."vps/home/private".path;
+ peers = [
+ {
+ publicKey = "dFbiSekBwnZomarcS31o5+w6imHjMPNCipkfc2fZ3GY=";
+ endpoint = "${config.my.ips.vps}:51820";
+ allowedIPs = [
+ "${config.my.ips.wg-vps}/32"
+ "${config.my.ips.wg-friends}/24" # all friends
+ ];
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
 users.users.jawz.packages = builtins.attrValues {
 inherit (pkgs) podman-compose;
 };
diff --git a/modules/factories/server-factory.nix b/modules/factories/server-factory.nix
new file mode 100644
index 0000000..557f23d
--- /dev/null
+++ b/modules/factories/server-factory.nix
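Review bot: `allowedUDPPorts = config.networking.firewall.allowedTCPPorts;` mirrors the entire TCP allow-list onto UDP, and because that list is now assembled by the new firewall module from every enabled `my.servers` port plus nginx's 80/443, each service that gets enabled later silently receives a UDP opening as well. Of the ports visible in this file only 22000 (syncthing) plausibly needs UDP; the old configuration mirrored too, but it mirrored an explicit, hand-maintained list. An explicit `allowedUDPPorts = [ 22000 ];` (plus anything else known to speak UDP) keeps the exposure to what is actually used.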
@@ -0,0 +1,24 @@
+{
+ lib,
+ config,
+ name,
+ subdomain,
+ port,
+ serviceConfig ? { },
+ nginxConfig ? null,
+}:
+let
+ cfg = config.my.servers.${name};
+ setup = import ./setup.nix { inherit lib config; };
+in
+{
+ options.my.servers.${name} = setup.mkOptions name subdomain port;
+
+ config = lib.mkIf cfg.enable {
+ services = serviceConfig // {
+ nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy (
+ if nginxConfig != null then nginxConfig cfg else setup.proxyReverseFix cfg
+ );
+ };
+ };
+}
diff --git a/modules/modules.nix b/modules/modules.nix
index 090bc01..ada6071 100644
--- a/modules/modules.nix
+++ b/modules/modules.nix
@@ -15,7 +15,12 @@ let
 config.my.servers.drpp.enable
 config.my.servers.plex-discord-bot.enable
 ];
- filterNames = file: file != "base.nix" && file != "setup.nix" && file != "librewolf.nix";
+ filterNames =
+ file:
+ file != "base.nix"
+ && file != "setup.nix"
+ && file != "librewolf.nix"
+ && file != "server-factory.nix";
 autoImport =
 dir:
 builtins.readDir ./${dir}
@@ -34,6 +39,7 @@ in
 ++ [
 ./nix/build.nix
 ./users/nixremote.nix
+ ./network/firewall.nix
 ];
 options.my = {
 localhost = lib.mkOption {
diff --git a/modules/network/firewall.nix b/modules/network/firewall.nix
new file mode 100644
index 0000000..d7b86a8
--- /dev/null
+++ b/modules/network/firewall.nix
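Review bot: `services = serviceConfig // { nginx.virtualHosts.… }` is a shallow attribute-set merge, so any `nginx` attribute a caller passes inside `serviceConfig` (a second virtual host, `nginx.enable`, a global nginx setting) is replaced wholesale by the single virtualHosts entry instead of being combined with it. Letting the module system merge them, `services = lib.mkMerge [ serviceConfig { nginx.virtualHosts."${cfg.host}" = …; } ];`, keeps both sides. The factory's parameters (`name`, `subdomain`, `port`, `serviceConfig`, `nginxConfig`) are also undocumented; a short header comment stating that `nginxConfig`, when given, is a function from the service's option set to a virtualHost attribute set would help callers.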
@@ -0,0 +1,32 @@
+{ lib, config, ... }:
+{
+ options.my.network.firewall = {
+ enabledServicePorts = lib.mkEnableOption "auto-open ports for enabled services";
+ staticPorts = lib.mkOption {
+ type = lib.types.listOf lib.types.int;
+ default = [ ];
+ description = "Static ports to always open";
+ };
+ additionalPorts = lib.mkOption {
+ type = lib.types.listOf lib.types.int;
+ default = [ ];
+ description = "Additional ports to open (like syncthing, gitea, etc.)";
+ };
+ };
+
+ config = lib.mkIf config.my.network.firewall.enabledServicePorts {
+ networking.firewall.allowedTCPPorts =
+ config.my.network.firewall.staticPorts
+ ++ config.my.network.firewall.additionalPorts
+ ++ (
+ config.my.servers
+ |> lib.filterAttrs (_: srv: (srv.enable or false) && (srv ? port))
+ |> lib.attrValues
+ |> map (srv: srv.port)
+ )
+ ++ (lib.optionals config.services.nginx.enable [
+ 80
+ 443
+ ]);
+ };
+}
diff --git a/modules/nix/build.nix b/modules/nix/build.nix
index a3b94e0..4dc6481 100644
--- a/modules/nix/build.nix
+++ b/modules/nix/build.nix
@@ -14,19 +14,19 @@
 ];
 description = "List of supported nix build features for this system";
 };
-
+
 buildMachines = lib.mkOption {
 type = lib.types.listOf lib.types.attrs;
- default = [];
+ default = [ ];
 description = "List of remote build machines configuration";
 };
-
+
 cores = lib.mkOption {
 type = lib.types.nullOr lib.types.int;
 default = null;
 description = "Number of cores to use for builds (null = auto-detect)";
 };
-
+
 maxJobs = lib.mkOption {
 type = lib.types.nullOr lib.types.int;
 default = null;
@@ -46,8 +46,7 @@
 max-jobs = config.my.nix.maxJobs;
 })
 ];
-
- nix.buildMachines = lib.mkIf (config.my.nix.buildMachines != [])
- config.my.nix.buildMachines;
+
+ nix.buildMachines = lib.mkIf (config.my.nix.buildMachines != [ ]) config.my.nix.buildMachines;
 };
-}
\ No newline at end of file
+}
diff --git a/modules/users/nixremote.nix b/modules/users/nixremote.nix
index 3355e0d..6aeb020 100644
--- a/modules/users/nixremote.nix
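Review bot: The `config.my.servers` pipeline opens every enabled service's `port` on all interfaces, including services that `server-factory.nix` in this commit fronts with an nginx virtual host, so a backend meant to be reached only through the proxy (and whatever TLS or access rules the vhost applies) is also reachable directly on its plain port. If `enableProxy` is what marks those services, excluding them from the allow-list — `&& !(srv.enableProxy or false)` appended to the `lib.filterAttrs` predicate — limits direct exposure to 80/443 plus the services that genuinely need it. Separately, `staticPorts` is described as "Static ports to always open" but sits under `lib.mkIf config.my.network.firewall.enabledServicePorts`, so it is ignored whenever that toggle is off, and it behaves identically to `additionalPorts`; either move the static list outside the mkIf or drop one of the two options.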
+++ b/modules/users/nixremote.nix
@@ -2,7 +2,7 @@
 {
 options.my.users.nixremote = {
 enable = lib.mkEnableOption "nixremote user for distributed builds";
-
+
 authorizedKeys = lib.mkOption {
 type = lib.types.listOf lib.types.path;
 default = [
@@ -12,13 +12,13 @@
 ];
 description = "List of SSH public key files to authorize for nixremote user";
 };
-
+
 gid = lib.mkOption {
 type = lib.types.int;
 default = 555;
 description = "Group ID for the nixremote group";
 };
-
+
 home = lib.mkOption {
 type = lib.types.str;
 default = "/var/nixremote/";
@@ -38,4 +38,4 @@
 };
 };
 };
-}
\ No newline at end of file
+}