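{ pkgs, lib, config, ... }:
# NixOS module: periodically (re)installs UPnP port redirections on the
# gateway with `upnpc -r`, and opens the nftables egress paths that SSDP
# discovery needs for the users running it.
let
  inherit (lib) types;
  inherit (config) networking;
  inherit (config.users) users;
  inherit (config.services) upnpc;
in
{
  options.services.upnpc = {
    redirections = lib.mkOption {
      default = [];
      description = ''
        Redirections handed to `upnpc -r`, each rendered as
        `<port> <externalPort> <protocol>`.
      '';
      type = types.listOf (types.submodule ({config, ...}: {
        options = {
          port = lib.mkOption {
            type = types.port;
            description = "Internal port on this host.";
          };
          externalPort = lib.mkOption {
            type = types.port;
            # Same as the internal port unless overridden.
            default = config.port;
            description = "Port mapped on the gateway; defaults to `port`.";
          };
          protocol = lib.mkOption {
            type = with types; enum ["TCP" "UDP"];
            default = "TCP";
            description = "Transport protocol of the redirection.";
          };
          duration = lib.mkOption {
            type = types.int;
            default = 0;
            # NOTE(review): declared but never passed to upnpc in ExecStart
            # below; confirm the installed upnpc accepts a per-redirection
            # lease duration before wiring it in.
            description = "Lease duration in seconds (currently not used by ExecStart).";
          };
        };
      }));
    };
  };
  config = {
    systemd.services.upnpc = {
      after = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];
      # Timer: re-run every 15 minutes.
      startAt = "*:0/15";
      serviceConfig = {
        Type = "simple";
        # Note that one may need to upnpc -d $externalPort $port
        # if $externalPort is already mapped
        # NOTE(review): with an empty `redirections` list this runs a bare
        # `upnpc -r`; check what the installed upnpc does in that case,
        # since `Restart = on-failure` would then retry every 5s.
        ExecStart = "${pkgs.miniupnpc}/bin/upnpc -r" + lib.concatMapStrings
          (r: " ${toString r.port} ${toString r.externalPort} ${r.protocol}")
          upnpc.redirections;
        Restart = "on-failure";
        RestartSec = "5s";
        # Runs unprivileged as the dedicated upnpc user; the nftables rules
        # below key their egress allowances on this uid (skuid).
        DynamicUser = true;
        User = users."upnpc".name;
      };
    };
    # NOTE(review): recent NixOS releases assert that system users also set
    # `group`; confirm against the deployed release.
    users.users."upnpc".isSystemUser = true;
    # Egress on port 1900 (TCP, and UDP to the SSDP multicast groups) is
    # limited by socket uid to the upnpc and nsupdate users; the source
    # ports of outgoing SSDP queries are remembered in the ssdp_out set so
    # that the answers can be accepted on net2fw.
    networking.nftables.ruleset = ''
      #add set filter ssdp_out {type inet_service \; timeout 5s \;}
      # Create a rule for accepting any SSDP packets going to a remembered port.
      add rule inet filter net2fw udp dport @ssdp_out \
        counter accept comment "SSDP answer"
      add rule inet filter fw2net \
        skuid {${users.upnpc.name},${users.nsupdate.name}} \
        tcp dport 1900 \
        counter accept \
        comment "SSDP automatic opening"
      add rule inet filter fw2net \
        skuid {${users.upnpc.name},${users.nsupdate.name}} \
        ip daddr 239.255.255.250 udp dport 1900 \
        set add udp sport @ssdp_out \
        comment "SSDP automatic opening"
      add rule inet filter fw2net \
        skuid {${users.upnpc.name},${users.nsupdate.name}} \
        ip daddr 239.255.255.250 udp dport 1900 \
        counter accept comment "SSDP"
    '' + lib.optionalString networking.enableIPv6 ''
      add rule inet filter fw2net \
        skuid {${users.upnpc.name},${users.nsupdate.name}} \
        ip6 daddr {FF02::C, FF05::C, FF08::C, FF0E::C} udp dport 1900 \
        set add udp sport @ssdp_out comment "SSDP automatic opening"
      add rule inet filter fw2net \
        skuid {${users.upnpc.name},${users.nsupdate.name}} \
        ip6 daddr {FF02::C, FF05::C, FF08::C, FF0E::C} udp dport 1900 \
        counter accept comment "SSDP"
    '';
  };
}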