1 { pkgs, lib, config, ... }:
2 let
3 inherit (builtins) hasAttr readFile;
4 inherit (pkgs.lib) unlinesAttrs;
5 inherit (config.services) shorewall shorewall6;
# Outbound allow-list for traffic originating on the firewall host itself.
# Anything not listed here falls through to the `$FW all DROP` policy in the
# shorewall/shorewall6 blocks below, so a new outbound service needs a line
# here. `Git` is the site-local macro defined in `macros` (tcp 9418, i.e. the
# plain git:// protocol); the other names are macros shipped with Shorewall.
fw2net = ''
  # By protocol
  Ping(ACCEPT) $FW net

  # By port
  DNS(ACCEPT) $FW net
  Git(ACCEPT) $FW net
  HTTP(ACCEPT) $FW net
  HTTPS(ACCEPT) $FW net
  SMTP(ACCEPT) $FW net
  SMTPS(ACCEPT) $FW net
  SSH(ACCEPT) $FW net
'';
# Inbound allow-list from the Internet to the firewall host: mail (SMTP,
# SMTPS, IMAPS, POP3S), DNS, SSH and Mosh (udp 60000-61000, see `macros`).
# HTTPS is deliberately left commented out, so it is not reachable from
# `net`. Anything not matched here is dropped by the `net all DROP none`
# policy, i.e. without a log entry. These lines are the host's
# Internet-facing surface.
net2fw = ''
  # By protocol
  Ping(ACCEPT) net $FW

  # By port
  #HTTPS(ACCEPT) net $FW
  DNS(ACCEPT) net $FW
  IMAPS(ACCEPT) net $FW
  Mosh(ACCEPT) net $FW
  POP3S(ACCEPT) net $FW
  SMTP(ACCEPT) net $FW
  SMTPS(ACCEPT) net $FW
  SSH(ACCEPT) net $FW
'';
# Firewall host → LAN: ping, DNS and HTTPS only.
fw2lan = ''
  Ping(ACCEPT) $FW lan
  DNS(ACCEPT) $FW lan
  HTTPS(ACCEPT) $FW lan
'';
# LAN → firewall host: ping, SSH, HTTP, HTTPS and DNS. Plain HTTP is
# accepted from `lan` but not from `net` (compare `net2fw`).
lan2fw = ''
  Ping(ACCEPT) lan $FW
  SSH(ACCEPT) lan $FW
  HTTP(ACCEPT) lan $FW
  HTTPS(ACCEPT) lan $FW
  DNS(ACCEPT) lan $FW
'';
# Site-local Shorewall macros, merged into both the IPv4 and IPv6 `configs`
# below. Columns follow ?FORMAT 2 (ACTION SOURCE DEST PROTO DEST-PORT(S)
# SOURCE-PORT(S) RATE USER/GROUP); `PARAM` is replaced by the action given
# at the call site, e.g. `Git(ACCEPT)`.
macros = {
  # git daemon: the plain git:// protocol on tcp 9418.
  "macro.Git" = ''
    ?FORMAT 2
    #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
    # PORT(S) PORT(S) LIMIT GROUP
    PARAM - - tcp 9418
  '';
  # mosh: the UDP session port range 60000-61000.
  "macro.Mosh" = ''
    ?FORMAT 2
    #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
    # PORT(S) PORT(S) LIMIT GROUP
    PARAM - - udp 60000-61000
  '';
};
59 in
60 {
# IPv4 firewall. The package's example shorewall.conf is embedded verbatim
# and the settings that must differ are appended after it; this relies on a
# later assignment in shorewall.conf taking precedence over the earlier
# example value (NOTE(review): confirm for the Shorewall version in use).
services.shorewall = {
  enable = true;
  configs = macros // {
    "shorewall.conf" = ''
      ${readFile "${shorewall.package}/etc-example/shorewall/shorewall.conf"}
      #
      ## Custom config
      ###
      STARTUP_ENABLED=Yes
      ZONE2ZONE=2
    '';
    # Zones: `unused` covers the third NIC so it is explicitly policed
    # (DROP below) rather than left outside the firewall.
    zones = ''
      # DOC: shorewall-zones(5)
      fw firewall
      net ipv4
      lan ipv4
      unused ipv4
    '';
    # Per-interface sanity/anti-spoofing options (arp_filter, nosmurfs,
    # routefilter=1, tcpflags) applied to every NIC.
    interfaces = ''
      # DOC: shorewall-interfaces(5)
      ?FORMAT 2
      net enp1s0 arp_filter,nosmurfs,routefilter=1,tcpflags
      lan enp2s0 arp_filter,nosmurfs,routefilter=1,tcpflags
      unused enp3s0 arp_filter,nosmurfs,routefilter=1,tcpflags
    '';
    # Default-deny in every direction, including outbound from $FW. No
    # policy sets a log level (`none` or omitted), so traffic hitting a
    # DROP/REJECT policy leaves no log entry; a level such as `info` on
    # the `net` line would make scans and probes visible in the logs.
    policy = ''
      # DOC: shorewall-policy(5)
      $FW all DROP
      lan all DROP none
      net all DROP none
      unused all DROP none
      # WARNING: the following policy must be last
      all all REJECT none
    '';
    # Only the NEW section is declared; ESTABLISHED and RELATED stay
    # commented out, so those states are handled by Shorewall's defaults
    # (NOTE(review): expected to be ACCEPT — confirm in shorewall-rules(5)).
    rules = ''
      # DOC: shorewall-rules(5)
      #SECTION ALL
      #SECTION ESTABLISHED
      #SECTION RELATED
      ?SECTION NEW

      ${fw2net}
      ${net2fw}

      ${fw2lan}
      ${lan2fw}
    '';
  };
};
# IPv6 firewall, mirroring the IPv4 block: same zones, policies, rule
# sets and site-local macros. As above, the custom settings are appended
# after the package's example shorewall6.conf (NOTE(review): confirm that a
# later assignment overrides the earlier example value).
services.shorewall6 = {
  enable = true;
  configs = macros // {
    "shorewall6.conf" = ''
      ${readFile "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf"}
      #
      ## Custom config
      ###
      STARTUP_ENABLED=Yes
      ZONE2ZONE=2
    '';
    zones = ''
      # DOC: shorewall-zones(5)
      fw firewall
      net ipv6
      lan ipv6
      unused ipv6
    '';
    # Only nosmurfs and tcpflags here: arp_filter and routefilter are
    # IPv4-only kernel options and have no IPv6 counterpart in shorewall6.
    interfaces = ''
      # DOC: shorewall-interfaces(5)
      ?FORMAT 2
      net enp1s0 nosmurfs,tcpflags
      lan enp2s0 nosmurfs,tcpflags
      unused enp3s0 nosmurfs,tcpflags
    '';
    # Default-deny in every direction; as in the IPv4 block, no log level
    # is set on any policy, so dropped IPv6 traffic is not logged.
    policy = ''
      # DOC: shorewall-policy(5)
      $FW all DROP
      lan all DROP none
      net all DROP none
      unused all DROP none
      # WARNING: the following policy must be last
      all all REJECT none
    '';
    # Same rule sets as IPv4; only the NEW section is declared.
    rules = ''
      # DOC: shorewall-rules(5)
      #SECTION ALL
      #SECTION ESTABLISHED
      #SECTION RELATED
      ?SECTION NEW

      ${fw2net}
      ${net2fw}

      ${fw2lan}
      ${lan2fw}
    '';
  };
};
159 }