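# Shorewall (IPv4) and Shorewall6 (IPv6) configuration for the friot host.
# Zone names and their interfaces come from config.networking.zones; the
# Shorewall table files are generated from them below (see the
# shorewall-*(5) man page referenced at the top of each table).
{pkgs, lib, config, ...}:
let inherit (builtins) hasAttr;
    inherit (config.services) shorewall shorewall6;
    # Join lines with "\n".  The result has NO trailing newline, so any
    # string appended after it must begin with its own "\n".
    unlines = lib.concatStringsSep "\n";
    # Both stacks are driven by the same zone set: the IPv4 side reads the
    # `iface` and `ipv4` fields of each zone, the IPv6 side only `iface`.
    zones4 = config.networking.zones;
    zones6 = config.networking.zones;
    # Shorewall macro for the git protocol (TCP 9418) so that `Git(ACCEPT)`
    # can be used in the rules like the built-in macros.
    "macro.Git" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - tcp 9418
    '';
in
{
  config = {
    services.shorewall = {
      enable = true;
      configs = {
        # The packaged default shorewall.conf followed by local overrides
        # (STARTUP_ENABLED=Yes is required for the service to start at all).
        "shorewall.conf" = ''
          ${builtins.readFile "${shorewall.package}/etc/shorewall/shorewall.conf"}
          #
          ## Custom config
          ###
          STARTUP_ENABLED=Yes
          ZONE2ZONE=2
        '';
        # The firewall zone itself plus one ipv4 zone per configured zone.
        zones = ''
          # DOC: shorewall-zones(5)
          fw firewall
        '' + unlines (lib.mapAttrsToList (zone: _: "${zone} ipv4") zones4);
        # Bind each zone to its interface with anti-spoofing options.
        interfaces = ''
          # DOC: shorewall-interfaces(5)
          ?FORMAT 2
        '' + unlines (lib.mapAttrsToList (zone: {iface, ...}:
          "${zone} ${iface} arp_filter,nosmurfs,routefilter,tcpflags") zones4);
        # Default deny: $FW and every zone DROP towards "all", then a final
        # "all all REJECT" catches whatever is left.  Policies are matched
        # in order, so the catch-all has to stay last.
        # The explicit "\n" is needed because unlines leaves no trailing
        # newline and an indented string drops its leading newline: without
        # it the last zone policy and the "# XXX" comment are fused onto one
        # line.
        policy = ''
          # DOC: shorewall-policy(5)
          $FW all DROP
        '' + unlines (lib.mapAttrsToList (zone: _:
          "${zone} all DROP none") zones4)
        + "\n" + ''
          # XXX: the following policy must be last
          all all REJECT none
        '';
        # Only the NEW section is declared; the ALL/ESTABLISHED/RELATED
        # headers are commented out, so those sections are left to
        # Shorewall's defaults (see shorewall-rules(5)).
        rules = ''
          # DOC: shorewall-rules(5)
          #SECTION ALL
          #SECTION ESTABLISHED
          #SECTION RELATED
          ?SECTION NEW
        ''
        # NOTE(review): "lan:<subnet>/24 -> $FW" is a blanket ACCEPT of every
        # protocol and port from the LAN subnet to this host; narrow it to
        # the services actually needed if the LAN is not fully trusted.
        + lib.optionalString (hasAttr "lan" zones4) ''
          # ----------
          # $FW -> lan
          # ----------
          ACCEPT $FW lan:${zones4.lan.ipv4}/24

          # ----------
          # lan -> $FW
          # ----------
          ACCEPT lan:${zones4.lan.ipv4}/24 $FW
        ''
        # Outbound to net: ping and the listed client protocols.  Inbound
        # from net: ping, DNS and the mail protocols; HTTPS is commented out.
        # NOTE(review): DNS(ACCEPT) net $FW is only appropriate if the
        # resolver on this host is authoritative-only — an open recursive
        # resolver reachable from the internet can be abused for
        # amplification; confirm before keeping it.
        + lib.optionalString (hasAttr "net" zones4) ''
          # ----------
          # $FW -> net
          # ----------

          # By protocol
          Ping(ACCEPT) $FW net

          # By port
          DNS(ACCEPT) $FW net
          Git(ACCEPT) $FW net
          HTTP(ACCEPT) $FW net
          HTTPS(ACCEPT) $FW net
          SMTP(ACCEPT) $FW net
          SMTPS(ACCEPT) $FW net
          SSH(ACCEPT) $FW net

          # ----------
          # net -> $FW
          # ----------

          # By protocol
          Ping(ACCEPT) net $FW

          # By port
          #HTTPS(ACCEPT) net $FW
          DNS(ACCEPT) net $FW
          IMAPS(ACCEPT) net $FW
          POP3S(ACCEPT) net $FW
          SMTP(ACCEPT) net $FW
          SMTPS(ACCEPT) net $FW
        '';
        # Ship the macro next to the tables so that Git(ACCEPT) resolves.
        inherit "macro.Git";
      };
    };
    services.shorewall6 = {
      enable = true;
      configs = {
        # Same shape as the IPv4 side: packaged defaults plus local overrides.
        "shorewall6.conf" = ''
          ${builtins.readFile "${shorewall6.package}/etc/shorewall6/shorewall6.conf"}
          #
          ## Custom config
          ###
          STARTUP_ENABLED=Yes
          ZONE2ZONE=2
        '';
        zones = ''
          # DOC: shorewall-zones(5)
          fw firewall
        '' + unlines (lib.mapAttrsToList (zone: _: "${zone} ipv6") zones6);
        # Only nosmurfs,tcpflags here: the arp_filter/routefilter options
        # used on the IPv4 side are not applied to the IPv6 interfaces.
        interfaces = ''
          # DOC: shorewall-interfaces(5)
          ?FORMAT 2
        '' + unlines (lib.mapAttrsToList (zone: {iface, ...}:
          "${zone} ${iface} nosmurfs,tcpflags") zones6);
        # Same default-deny policy as IPv4; the "\n" keeps the "# XXX"
        # comment on its own line after the last zone policy.
        policy = ''
          # DOC: shorewall-policy(5)
          $FW all DROP
        '' + unlines (lib.mapAttrsToList (zone: _:
          "${zone} all DROP none") zones6)
        + "\n" + ''
          # XXX: the following policy must be last
          all all REJECT none
        '';
        # IPv6 only admits link-local (fe80::/10) peers on the LAN: ping both
        # ways, SSH and git inbound.  No net rules are declared, so IPv6
        # traffic from net falls through to the DROP/REJECT policies above.
        rules = ''
          # DOC: shorewall-rules(5)
          #SECTION ALL
          #SECTION ESTABLISHED
          #SECTION RELATED
          ?SECTION NEW
        ''
        + lib.optionalString (hasAttr "lan" zones6) ''
          # ----------
          # $FW -> lan
          # ----------
          Ping(ACCEPT) $FW lan:fe80::/10

          # ----------
          # lan -> $FW
          # ----------
          Ping(ACCEPT) lan:fe80::/10 $FW
          SSH(ACCEPT) lan:fe80::/10 $FW
          Git(ACCEPT) lan:fe80::/10 $FW
        '';
        inherit "macro.Git";
      };
    };
  };
}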