jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

wip: server-factory + firewall refractor

Browse Source
This commit is contained in:
Danilo Reyes 2025-09-27 17:00:13 -06:00
parent 4b81028cde
commit 3d3f49aeec
8 changed files with 107 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
config/jawz.nix
View File

@ -3,7 +3,9 @@ let
inherit (config.networking) hostName;
nixosHosts =
lib.attrNames config.my.ips
|> lib.filter (name: !(lib.hasPrefix "wg-" name) && name != "vps" && name != "router" && name != hostName);
|> lib.filter (
name: !(lib.hasPrefix "wg-" name) && name != "vps" && name != "router" && name != hostName
);
nixosHostsMatch = lib.concatStringsSep " " nixosHosts;
in
{

29
hosts/server/configuration.nix
View File

@ -17,6 +17,14 @@
../../secrets/ssh/ed25519_nixworkstation.pub
../../secrets/ssh/ed25519_nixminiserver.pub
];
network.firewall.enabledServicePorts = true;
network.firewall.additionalPorts = [
2049 # idk
8384 # syncthing gui
22000 # syncthing relay
3452 # sonarqube
8448 # synapse ssl
];
};
nix.buildMachines = [
{
@ -29,27 +37,10 @@
}
];
sops.secrets."vps/home/private".sopsFile = ../../secrets/wireguard.yaml;
networking =
let
enabledPorts =
config.my.servers
|> lib.filterAttrs (_: srv: (srv.enable or false) && (srv ? port))
|> lib.attrValues
|> map (srv: srv.port);
ports = enabledPorts ++ [
2049 # idk
8384 # syncthing gui
22000 # syncthing relay
3452 # sonarqube
8448 # synapse ssl
config.services.gitea.settings.server.SSH_PORT
];
in
{
networking = {
hostName = "server";
firewall = {
allowedTCPPorts = ports;
allowedUDPPorts = ports;
allowedUDPPorts = config.networking.firewall.allowedTCPPorts;
interfaces.wg0.allowedTCPPorts = [ 8081 ];
};
wireguard.interfaces.wg0 = {

24
modules/factories/server-factory.nix Normal file
View File

@ -0,0 +1,24 @@
{
lib,
config,
name,
subdomain,
port,
serviceConfig ? { },
nginxConfig ? null,
}:
let
cfg = config.my.servers.${name};
setup = import ./setup.nix { inherit lib config; };
in
{
options.my.servers.${name} = setup.mkOptions name subdomain port;
config = lib.mkIf cfg.enable {
services = serviceConfig // {
nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy (
if nginxConfig != null then nginxConfig cfg else setup.proxyReverseFix cfg
);
};
};
}

8
modules/modules.nix
View File

@ -15,7 +15,12 @@ let
config.my.servers.drpp.enable
config.my.servers.plex-discord-bot.enable
];
filterNames = file: file != "base.nix" && file != "setup.nix" && file != "librewolf.nix";
filterNames =
file:
file != "base.nix"
&& file != "setup.nix"
&& file != "librewolf.nix"
&& file != "server-factory.nix";
autoImport =
dir:
builtins.readDir ./${dir}
@ -34,6 +39,7 @@ in
++ [
./nix/build.nix
./users/nixremote.nix
./network/firewall.nix
];
options.my = {
localhost = lib.mkOption {

32
modules/network/firewall.nix Normal file
View File

@ -0,0 +1,32 @@
{ lib, config, ... }:
{
options.my.network.firewall = {
enabledServicePorts = lib.mkEnableOption "auto-open ports for enabled services";
staticPorts = lib.mkOption {
type = lib.types.listOf lib.types.int;
default = [ ];
description = "Static ports to always open";
};
additionalPorts = lib.mkOption {
type = lib.types.listOf lib.types.int;
default = [ ];
description = "Additional ports to open (like syncthing, gitea, etc.)";
};
};
config = lib.mkIf config.my.network.firewall.enabledServicePorts {
networking.firewall.allowedTCPPorts =
config.my.network.firewall.staticPorts
++ config.my.network.firewall.additionalPorts
++ (
config.my.servers
|> lib.filterAttrs (_: srv: (srv.enable or false) && (srv ? port))
|> lib.attrValues
|> map (srv: srv.port)
)
++ (lib.optionals config.services.nginx.enable [
80
443
]);
};
}

3
modules/nix/build.nix
View File

@ -47,7 +47,6 @@
})
];
nix.buildMachines = lib.mkIf (config.my.nix.buildMachines != [])
config.my.nix.buildMachines;
nix.buildMachines = lib.mkIf (config.my.nix.buildMachines != [ ]) config.my.nix.buildMachines;
};
}