]> Git — Sourcephile - sourcephile-nix.git/blob - servers/mermet/production/shorewall.nix
sourcephile / git / sourcephile-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
fix .envrc
[sourcephile-nix.git] / servers / mermet / production / shorewall.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (builtins) hasAttr readFile;
4 inherit (pkgs.lib) unlinesAttrs;
5 inherit (config) users;
6 inherit (config.services) shorewall shorewall6;
7 fw2net = ''
8 # By protocol
9 Ping(ACCEPT) $FW net
10
11 # By port
12 DNS(ACCEPT) $FW net {user=${users.users.unbound.name}}
13 Git(ACCEPT) $FW net
14 HKP(ACCEPT) $FW net {user=julm}
15 HTTP(ACCEPT) $FW net
16 HTTPS(ACCEPT) $FW net
17 SMTP(ACCEPT) $FW net
18 SMTPS(ACCEPT) $FW net
19 SSH(ACCEPT) $FW net
20 '';
21 net2fw = ''
22 # By protocol
23 Ping(ACCEPT) net $FW
24
25 # By port
26 DNS(ACCEPT) net $FW
27 HTTP(ACCEPT) net $FW
28 HTTPS(ACCEPT) net $FW
29 IMAPS(ACCEPT) net $FW
30 Mosh(ACCEPT) net $FW
31 POP3S(ACCEPT) net $FW
32 SMTP(ACCEPT) net $FW
33 SMTPS(ACCEPT) net $FW
34 SSH(ACCEPT) net $FW
35 Sieve(ACCEPT) net $FW
36 '';
37 fw2lan = ''
38 Ping(ACCEPT) $FW lan
39 DNS(ACCEPT) $FW lan
40 HTTPS(ACCEPT) $FW lan
41 '';
42 lan2fw = ''
43 Ping(ACCEPT) lan $FW
44 SSH(ACCEPT) lan $FW
45 HTTP(ACCEPT) lan $FW
46 HTTPS(ACCEPT) lan $FW
47 DNS(ACCEPT) lan $FW
48 '';
49 macros = {
50 "macro.Git" = ''
51 ?FORMAT 2
52 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
53 # PORT(S) PORT(S) LIMIT GROUP
54 PARAM - - tcp 9418
55 '';
56 "macro.Mosh" = ''
57 ?FORMAT 2
58 #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
59 # PORT(S) PORT(S) LIMIT GROUP
60 PARAM - - udp 60000-61000
61 '';
62 };
63 in
64 {
65 services.shorewall = {
66 enable = true;
67 configs = macros // {
68 "shorewall.conf" = ''
69 ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"}
70 #
71 ## Custom config
72 ###
73 STARTUP_ENABLED=Yes
74 ZONE2ZONE=2
75 '';
76 zones = ''
77 # DOC: shorewall-zones(5)
78 fw firewall
79 net ipv4
80 lan ipv4
81 unused ipv4
82 '';
83 interfaces = ''
84 # DOC: shorewall-interfaces(5)
85 ?FORMAT 2
86 net enp1s0 arp_filter,nosmurfs,routefilter=1,tcpflags
87 lan enp2s0 arp_filter,nosmurfs,routefilter=1,tcpflags
88 unused enp3s0 arp_filter,nosmurfs,routefilter=1,tcpflags
89 '';
90 policy = ''
91 # DOC: shorewall-policy(5)
92 $FW all DROP
93 lan all DROP none
94 net all DROP none
95 unused all DROP none
96 # WARNING: the following policy must be last
97 all all REJECT none
98 '';
99 rules = ''
100 # DOC: shorewall-rules(5)
101 #SECTION ALL
102 #SECTION ESTABLISHED
103 #SECTION RELATED
104 ?SECTION NEW
105
106 ${fw2net}
107 ${net2fw}
108
109 ${fw2lan}
110 ${lan2fw}
111 '';
112 };
113 };
114 services.shorewall6 = {
115 enable = true;
116 configs = macros // {
117 "shorewall6.conf" = ''
118 ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"}
119 #
120 ## Custom config
121 ###
122 STARTUP_ENABLED=Yes
123 ZONE2ZONE=2
124 '';
125 zones = ''
126 # DOC: shorewall-zones(5)
127 fw firewall
128 net ipv6
129 lan ipv6
130 unused ipv6
131 '';
132 interfaces = ''
133 # DOC: shorewall-interfaces(5)
134 ?FORMAT 2
135 net enp1s0 nosmurfs,tcpflags
136 lan enp2s0 nosmurfs,tcpflags
137 unused enp3s0 nosmurfs,tcpflags
138 '';
139 policy = ''
140 # DOC: shorewall-policy(5)
141 $FW all DROP
142 lan all DROP none
143 net all DROP none
144 unused all DROP none
145 # WARNING: the following policy must be last
146 all all REJECT none
147 '';
148 rules = ''
149 # DOC: shorewall-rules(5)
150 #SECTION ALL
151 #SECTION ESTABLISHED
152 #SECTION RELATED
153 ?SECTION NEW
154
155 ${fw2net}
156 ${net2fw}
157
158 ${fw2lan}
159 ${lan2fw}
160 '';
161 };
162 };
163 }
NixOS configurations for Sourcephile's infrastructure