machines/losurdo/networking/upnpc.nix

   1 { pkgs, lib, config, machines, ... }:
   2 let
   3   inherit (lib) types;
   4   inherit (config) networking;
   5   inherit (config.security) gnupg;
   6   inherit (config.users) users groups;
   7   inherit (config.networking) domain;
   8   inherit (config.services) upnpc;
   9 in
  10 {
  11 options.services.upnpc = {
  12   redirections = lib.mkOption {
  13     default = [];
  14     type = types.listOf (types.submodule ({config, ...}: {
  15       options = {
  16         port = lib.mkOption {
  17           type = types.port;
  18         };
  19         externalPort = lib.mkOption {
  20           type = types.port;
  21           default = config.port;
  22         };
  23         protocol = lib.mkOption {
  24           type = with types; enum ["TCP" "UDP"];
  25           default = "TCP";
  26         };
  27         duration = lib.mkOption {
  28           type = types.int;
  29           default = 0;
  30         };
  31       };
  32     }));
  33   };
  34 };
  35 config = {
  36 systemd.services.upnpc = {
  37   after = [ "network-online.target" ];
  38   wantedBy = [ "multi-user.target" ];
  39   startAt = "*:0/15";
  40   serviceConfig = {
  41     Type = "simple";
  42     # Note that one may need to upnpc -d $externalPort $port
  43     # if $externalPort is already mapped
  44     ExecStart = "${pkgs.miniupnpc}/bin/upnpc -r" + lib.concatMapStrings
  45       (r: " ${toString r.port} ${toString r.externalPort} ${r.protocol}")
  46       upnpc.redirections;
  47     Restart = "on-failure";
  48     RestartSec = "5s";
  49     DynamicUser = true;
  50     User = users."upnpc".name;
  51   };
  52 };
  53 users.users."upnpc".isSystemUser = true;
  54 networking.nftables.ruleset = ''
  55   #add set filter ssdp_out {type inet_service \; timeout 5s \;}
  56   # Create a rule for accepting any SSDP packets going to a remembered port.
  57   add rule inet filter net2fw udp dport @ssdp_out \
  58     counter accept comment "SSDP answer"
  59   add rule inet filter fw2net \
  60     skuid {${users.upnpc.name},${users.nsupdate.name}} \
  61     tcp dport 1900 \
  62     counter accept \
  63     comment "SSDP automatic opening"
  64   add rule inet filter fw2net \
  65     skuid {${users.upnpc.name},${users.nsupdate.name}} \
  66     ip daddr 239.255.255.250 udp dport 1900 \
  67     set add udp sport @ssdp_out \
  68     comment "SSDP automatic opening"
  69   add rule inet filter fw2net \
  70     skuid {${users.upnpc.name},${users.nsupdate.name}} \
  71     ip daddr 239.255.255.250 udp dport 1900 \
  72     counter accept comment "SSDP"
  73   '' + lib.optionalString networking.enableIPv6 ''
  74   add rule inet filter fw2net \
  75     skuid {${users.upnpc.name},${users.nsupdate.name}} \
  76     ip6 daddr {FF02::C, FF05::C, FF08::C, FF0E::C} udp dport 1900 \
  77     set add udp sport @ssdp_out comment "SSDP automatic opening"
  78   add rule inet filter fw2net \
  79     skuid {${users.upnpc.name},${users.nsupdate.name}} \
  80     ip6 daddr {FF02::C, FF05::C, FF08::C, FF0E::C} udp dport 1900 \
  81     counter accept comment "SSDP"
  82   '';
  83 };
  84 }