modularized firewall logic

This commit is contained in:
Danilo Reyes 2025-09-27 17:44:01 -06:00
parent 3d3f49aeec
commit 99574c9b66
27 changed files with 31 additions and 56 deletions

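--- a/UNKNOWN_PATH_01
+++ b/UNKNOWN_PATH_01
@@ -1,5 +1,4 @@
 {
-self,
 lib,
 pkgs,
 inputs,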

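--- a/UNKNOWN_PATH_02
+++ b/UNKNOWN_PATH_02
@@ -1,7 +1,6 @@
 {
 pkgs,
 config,
-lib,
 ...
 }:
 {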

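--- a/UNKNOWN_PATH_03
+++ b/UNKNOWN_PATH_03
@@ -1,6 +1,5 @@
 {
 pkgs,
-inputs,
 ...
 }:
 let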

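--- a/UNKNOWN_PATH_04
+++ /dev/null
-{
-lib,
-config,
-name,
-subdomain,
-port,
-serviceConfig ? { },
-nginxConfig ? null,
-}:
-let
-cfg = config.my.servers.${name};
-setup = import ./setup.nix { inherit lib config; };
-in
-{
-options.my.servers.${name} = setup.mkOptions name subdomain port;
-config = lib.mkIf cfg.enable {
-services = serviceConfig // {
-nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy (
-if nginxConfig != null then nginxConfig cfg else setup.proxyReverseFix cfg
-);
-};
-};
-}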


@ -1,4 +1,28 @@
{ lib, config, ... }: { lib, config, ... }:
let
nativeServicesWithOpenFirewall = [
"adguardhome"
"plex"
"sabnzbd"
"nix-serve"
"radarr"
"sonarr"
"jellyfin"
"prowlarr"
"bazarr"
"stash"
"ombi"
"flaresolverr"
];
servicesConfig = lib.listToAttrs (
map (serviceName: {
name = serviceName;
value.openFirewall = config.my.servers.${serviceName}.enable or false;
}) nativeServicesWithOpenFirewall
);
in
{ {
options.my.network.firewall = { options.my.network.firewall = {
enabledServicePorts = lib.mkEnableOption "auto-open ports for enabled services"; enabledServicePorts = lib.mkEnableOption "auto-open ports for enabled services";
@ -15,12 +39,17 @@
}; };
config = lib.mkIf config.my.network.firewall.enabledServicePorts { config = lib.mkIf config.my.network.firewall.enabledServicePorts {
services = servicesConfig;
networking.firewall.allowedTCPPorts = networking.firewall.allowedTCPPorts =
config.my.network.firewall.staticPorts config.my.network.firewall.staticPorts
++ config.my.network.firewall.additionalPorts ++ config.my.network.firewall.additionalPorts
++ ( ++ (
config.my.servers config.my.servers
|> lib.filterAttrs (_: srv: (srv.enable or false) && (srv ? port)) |> lib.filterAttrs (
name: srv:
(srv.enable or false) && (srv ? port) && !(builtins.elem name nativeServicesWithOpenFirewall)
)
|> lib.attrValues |> lib.attrValues
|> map (srv: srv.port) |> map (srv: srv.port)
) )
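Review bot: The added `value.openFirewall = config.my.servers.${serviceName}.enable or false;` and the new `filterAttrs` predicate in the second hunk open a service's port purely on `enable`, so the `isLocal` gate that lived in the per-module lines this commit removes (`openFirewall = !cfg.isLocal;` in ombi, sonarr and stash, `lib.mkIf (!cfg.isLocal) [ cfg.port ];` in bazarr, homepage, jellyfin and the other modules) no longer influences the firewall anywhere; unless `isLocal` is consulted elsewhere, turning on `enabledServicePorts` now opens host ports for services that were marked local-only. Suggested change: `value.openFirewall = (config.my.servers.${serviceName}.enable or false) && !(config.my.servers.${serviceName}.isLocal or false);` and, in the predicate, `(srv.enable or false) && (srv ? port) && !(srv.isLocal or false) && !(builtins.elem name nativeServicesWithOpenFirewall)`. A second point: `flaresolverr` is listed in `nativeServicesWithOpenFirewall`, but the prowlarr hunk enables it from prowlarr's own `cfg.enable` and no `my.servers.flaresolverr` option is visible, so the lookup falls through to `false` and the `openFirewall = true;` dropped there has no replacement — key that entry on `config.my.servers.prowlarr` (or remove it from the list) if that port is still meant to be opened. The module's attribute set closes after this hunk.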

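--- a/UNKNOWN_PATH_06
+++ b/UNKNOWN_PATH_06
@@ -5,7 +5,6 @@
 services.adguardhome = {
 enable = true;
 mutableSettings = true;
-openFirewall = true;
 };
 };
 }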

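--- a/UNKNOWN_PATH_07
+++ b/UNKNOWN_PATH_07
@@ -6,7 +6,6 @@ in
 {
 options.my.servers.bazarr = setup.mkOptions "bazarr" "subs" config.services.bazarr.listenPort;
 config = {
-networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 services = {
 bazarr = lib.mkIf cfg.enable {
 enable = true;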

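--- a/UNKNOWN_PATH_08
+++ b/UNKNOWN_PATH_08
@@ -6,7 +6,6 @@ in
 {
 options.my.servers.homepage = setup.mkOptions "homepage" "home" 8082;
 config = {
-networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 sops.secrets = lib.mkIf cfg.enable {
 homepage.sopsFile = ../../secrets/homepage.yaml;
 "private-ca/pem" = {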

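--- a/UNKNOWN_PATH_09
+++ b/UNKNOWN_PATH_09
@@ -24,7 +24,6 @@ in
 {
 options.my.servers.jellyfin = setup.mkOptions "jellyfin" "flix" 8096;
 config = {
-networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 environment = {
 systemPackages = lib.mkIf cfg.enable (
 [ pkgs.jellyfin-ffmpeg ] ++ (lib.optional cfg.enableCron [ sub-sync-path ])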

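--- a/UNKNOWN_PATH_10
+++ b/UNKNOWN_PATH_10
@@ -6,7 +6,6 @@ in
 {
 options.my.servers.kavita = setup.mkOptions "kavita" "library" config.services.kavita.settings.Port;
 config = {
-networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 sops.secrets.kavita-token = lib.mkIf cfg.enable {
 owner = config.users.users.kavita.name;
 inherit (config.users.users.kavita) group;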

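--- a/UNKNOWN_PATH_11
+++ b/UNKNOWN_PATH_11
@@ -6,7 +6,6 @@ in
 {
 options.my.servers.lidarr = setup.mkOptions "lidarr" "music" 8686;
 config = {
-networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 virtualisation.oci-containers.containers.lidarr = lib.mkIf cfg.enable {
 autoStart = true;
 image = "linuxserver/lidarr:version-2.13.3.4711";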

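--- a/UNKNOWN_PATH_12
+++ b/UNKNOWN_PATH_12
@@ -6,7 +6,6 @@ in
 {
 options.my.servers.maloja = setup.mkOptions "maloja" "maloja" 42010;
 config = {
-networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 sops.secrets = lib.mkIf cfg.enable { maloja.sopsFile = ../../secrets/env.yaml; };
 virtualisation.oci-containers.containers.maloja = lib.mkIf cfg.enable {
 image = "krateng/maloja:3.2.3";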

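--- a/UNKNOWN_PATH_13
+++ b/UNKNOWN_PATH_13
@@ -6,7 +6,6 @@ in
 {
 options.my.servers.mealie = setup.mkOptions "mealie" "mealie" 9925;
 config = {
-networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 sops.secrets = lib.mkIf cfg.enable { mealie.sopsFile = ../../secrets/env.yaml; };
 services = {
 mealie = lib.mkIf cfg.enable {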

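--- a/UNKNOWN_PATH_14
+++ b/UNKNOWN_PATH_14
@@ -6,7 +6,6 @@ in
 {
 options.my.servers.metube = setup.mkOptions "metube" "bajameesta" 8881;
 config = {
-networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 virtualisation.oci-containers.containers.metube = lib.mkIf cfg.enable {
 image = "ghcr.io/alexta69/metube:2024-11-05";
 ports = [ "${toString cfg.port}:8081" ];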

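--- a/UNKNOWN_PATH_15
+++ b/UNKNOWN_PATH_15
@@ -6,7 +6,6 @@ in
 {
 options.my.servers.microbin = setup.mkOptions "microbin" "copy" 8086;
 config = lib.mkIf config.my.servers.microbin.enable {
-networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 services = {
 microbin = lib.mkIf cfg.enable {
 enable = true;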

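--- a/UNKNOWN_PATH_16
+++ b/UNKNOWN_PATH_16
@@ -6,7 +6,6 @@ in
 {
 options.my.servers.multi-scrobbler = setup.mkOptions "multi-scrobbler" "scrobble" 9078;
 config = {
-networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 sops.secrets = lib.mkIf cfg.enable { multi-scrobbler.sopsFile = ../../secrets/env.yaml; };
 virtualisation.oci-containers.containers.multi-scrobbler = lib.mkIf cfg.enable {
 image = "foxxmd/multi-scrobbler:0.9.11";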

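--- a/UNKNOWN_PATH_17
+++ b/UNKNOWN_PATH_17
@@ -15,7 +15,6 @@ in
 services = {
 nix-serve = {
 enable = true;
-openFirewall = true;
 package = pkgs.nix-serve-ng;
 inherit (cfg) port;
 secretKeyFile = config.sops.secrets."private_cache_keys/miniserver".path;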

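--- a/UNKNOWN_PATH_18
+++ b/UNKNOWN_PATH_18
@@ -9,7 +9,6 @@ in
 ombi = lib.mkIf cfg.enable {
 enable = true;
 inherit (cfg) port;
-openFirewall = !cfg.isLocal;
 };
 nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy (setup.proxyReverseFix cfg);
 };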

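--- a/UNKNOWN_PATH_19
+++ b/UNKNOWN_PATH_19
@@ -13,7 +13,6 @@ in
 plex = lib.mkIf cfg.enable {
 enable = true;
 group = "piracy";
-openFirewall = true;
 };
 nginx = lib.mkIf cfg.enableProxy {
 virtualHosts."${cfg.host}" = {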

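--- a/UNKNOWN_PATH_20
+++ b/UNKNOWN_PATH_20
@@ -1,5 +1,4 @@
 {
-pkgs,
 lib,
 config,
 ...
@@ -11,17 +10,13 @@ in
 {
 options.my.servers.prowlarr = setup.mkOptions "prowlarr" "indexer" 9696;
 config = {
-networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 users.users.prowlarr = lib.mkIf cfg.enable {
 group = "piracy";
 isSystemUser = true;
 };
 services = {
 prowlarr.enable = cfg.enable;
-flaresolverr = {
-inherit (cfg) enable;
-openFirewall = true;
-};
+flaresolverr.enable = cfg.enable;
 nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy (setup.proxyReverseFix cfg);
 };
 };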

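--- a/UNKNOWN_PATH_21
+++ b/UNKNOWN_PATH_21
@@ -6,7 +6,6 @@ in
 {
 options.my.servers.radarr = setup.mkOptions "radarr" "movies" 7878;
 config = {
-networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 services = {
 radarr = lib.mkIf cfg.enable {
 enable = true;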

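--- a/UNKNOWN_PATH_22
+++ b/UNKNOWN_PATH_22
@@ -9,11 +9,9 @@
 };
 };
 config = lib.mkIf config.my.servers.sabnzbd.enable {
-networking.firewall.allowedTCPPorts = [ config.my.servers.sabnzbd.port ];
 services.sabnzbd = {
 enable = true;
 group = "piracy";
-openFirewall = true;
 };
 };
 }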

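--- a/UNKNOWN_PATH_23
+++ b/UNKNOWN_PATH_23
@@ -6,7 +6,6 @@ in
 {
 options.my.servers.shiori = setup.mkOptions "shiori" "bookmarks" 4368;
 config = lib.mkIf (config.my.servers.shiori.enable && config.my.servers.postgres.enable) {
-networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 sops.secrets = lib.mkIf cfg.enable { shiori.sopsFile = ../../secrets/env.yaml; };
 services = {
 shiori = lib.mkIf cfg.enable {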

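--- a/UNKNOWN_PATH_24
+++ b/UNKNOWN_PATH_24
@@ -9,7 +9,6 @@ in
 sonarr = lib.mkIf cfg.enable {
 enable = true;
 group = "piracy";
-openFirewall = !cfg.isLocal;
 };
 nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy (setup.proxyReverseFix cfg);
 };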

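--- a/UNKNOWN_PATH_25
+++ b/UNKNOWN_PATH_25
@@ -15,7 +15,6 @@ in
 stash = lib.mkIf cfg.enable {
 enable = true;
 group = "piracy";
-openFirewall = !cfg.isLocal;
 mutableSettings = true;
 username = "Suing8150";
 passwordFile = config.sops.secrets."stash/password".path;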

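--- a/UNKNOWN_PATH_26
+++ b/UNKNOWN_PATH_26
@@ -6,7 +6,6 @@ in
 {
 options.my.servers.tranga = setup.mkOptions "tranga" "tranga" 9555;
 config = {
-networking.firewall.allowedTCPPorts = [ cfg.port ];
 virtualisation.oci-containers.containers = lib.mkIf cfg.enable {
 tranga-api = {
 image = "glax/tranga-api:latest";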

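--- a/UNKNOWN_PATH_27
+++ b/UNKNOWN_PATH_27
@@ -11,7 +11,6 @@ in
 {
 options.my.servers.vaultwarden = setup.mkOptions "vaultwarden" "vault" 8222;
 config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable) {
-networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 sops.secrets = lib.mkIf cfg.enable { vaultwarden.sopsFile = ../../secrets/env.yaml; };
 services = {
 vaultwarden = lib.mkIf cfg.enable {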