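{ pkgs, lib, config, ... }:
# Shorewall (IPv4) and Shorewall6 (IPv6) firewall for this host.
#
# Zones: fw (this host), net (enp1s0), lan (enp2s0), unused (enp3s0).
# Every zone pair has a DROP policy, so only the services listed in the
# fw2net / net2fw / fw2lan / lan2fw rule sets below are reachable; the two
# outbound rules carrying a `{user=...}` qualifier are further restricted to
# the named local user.  The policy and rules files are identical for both
# address families and are therefore generated from one place (mkConfigs).
let
  inherit (builtins) readFile;
  inherit (config) users;
  inherit (config.services) shorewall shorewall6;

  # Outbound from this host to the Internet.
  # Outbound DNS is only allowed for the resolver's own user (unbound), plus
  # one explicit address used by knot for NOTIFY; HKP is only allowed for
  # julm.  Any other process is denied those ports by the $FW→net DROP policy.
  fw2net = ''
    # By protocol
    Ping(ACCEPT) $FW net

    # By port
    DNS(ACCEPT) $FW net {user=${users.users.unbound.name}}
    DNS(ACCEPT) $FW net:217.70.177.40 # for knot to notify ns6.gandi.net
    Git(ACCEPT) $FW net
    HKP(ACCEPT) $FW net {user=${users.users.julm.name}}
    HTTP(ACCEPT) $FW net
    HTTPS(ACCEPT) $FW net
    SMTP(ACCEPT) $FW net
    SMTPS(ACCEPT) $FW net
    SSH(ACCEPT) $FW net
  '';

  # Inbound from the Internet to this host: the public services only.
  net2fw = ''
    # By protocol
    Ping(ACCEPT) net $FW

    # By port
    DNS(ACCEPT) net $FW
    HTTP(ACCEPT) net $FW
    HTTPS(ACCEPT) net $FW
    IMAPS(ACCEPT) net $FW
    Mosh(ACCEPT) net $FW
    POP3S(ACCEPT) net $FW
    SMTP(ACCEPT) net $FW
    SMTPS(ACCEPT) net $FW
    SSH(ACCEPT) net $FW
    Sieve(ACCEPT) net $FW
  '';

  # Outbound from this host to the LAN.
  fw2lan = ''
    Ping(ACCEPT) $FW lan
    DNS(ACCEPT) $FW lan
    HTTPS(ACCEPT) $FW lan
  '';

  # Inbound from the LAN to this host.
  lan2fw = ''
    Ping(ACCEPT) lan $FW
    SSH(ACCEPT) lan $FW
    HTTP(ACCEPT) lan $FW
    HTTPS(ACCEPT) lan $FW
    DNS(ACCEPT) lan $FW
  '';

  # Macros for services Shorewall does not ship a macro for.
  macros = {
    # Git daemon protocol (git://), TCP 9418.
    "macro.Git" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - tcp 9418
    '';
    # Mosh roams over a UDP port range, not a single port.
    "macro.Mosh" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - udp 60000-61000
    '';
  };

  # Default-deny between every pair of zones; the final catch-all must stay
  # last because Shorewall applies the first matching policy.
  policy = ''
    # DOC: shorewall-policy(5)
    $FW all DROP
    lan all DROP none
    net all DROP none
    unused all DROP none
    # WARNING: the following policy must be last
    all all REJECT none
  '';

  # Only a NEW section is declared (the others are left commented out), so
  # every rule above applies to new connections.
  # NOTE(review): with no ESTABLISHED/RELATED section, Shorewall's default
  # handling for those connection states applies — confirm against
  # shorewall-rules(5) if that is not the intent.
  rules = ''
    # DOC: shorewall-rules(5)
    #SECTION ALL
    #SECTION ESTABLISHED
    #SECTION RELATED
    ?SECTION NEW

    ${fw2net}
    ${net2fw}

    ${fw2lan}
    ${lan2fw}
  '';

  # Builds the `configs` attrset for one address family.
  #   package      - the shorewall / shorewall6 package, used for the
  #                  upstream example <confName>.conf that is extended below
  #   confName     - "shorewall" or "shorewall6"; names both the config file
  #                  and its directory inside the package
  #   family       - zone type, "ipv4" or "ipv6"
  #   ifaceOptions - the interface option string applied to every interface
  # Settings appended after the example file override the example's values
  # (last assignment wins in shorewall.conf).
  mkConfigs = { package, confName, family, ifaceOptions }: macros // {
    "${confName}.conf" = ''
      ${readFile "${package}/etc-example/${confName}/${confName}.conf"}
      #
      ## Custom config
      ###
      STARTUP_ENABLED=Yes
      ZONE2ZONE=2
    '';
    zones = ''
      # DOC: shorewall-zones(5)
      fw firewall
      net ${family}
      lan ${family}
      unused ${family}
    '';
    interfaces = ''
      # DOC: shorewall-interfaces(5)
      ?FORMAT 2
      net enp1s0 ${ifaceOptions}
      lan enp2s0 ${ifaceOptions}
      unused enp3s0 ${ifaceOptions}
    '';
    inherit policy rules;
  };
in
{
  services.shorewall = {
    enable = true;
    configs = mkConfigs {
      package = shorewall.package;
      confName = "shorewall";
      family = "ipv4";
      ifaceOptions = "arp_filter,nosmurfs,routefilter=1,tcpflags";
    };
  };
  services.shorewall6 = {
    enable = true;
    configs = mkConfigs {
      package = shorewall6.package;
      confName = "shorewall6";
      family = "ipv6";
      # arp_filter and routefilter are IPv4-only interface options
      # (ARP and rp_filter have no IPv6 counterpart here), hence omitted.
      ifaceOptions = "nosmurfs,tcpflags";
    };
  };
}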