doc: install/logical/machines.list

[sourcephile-nix.git] / install / logical / friot / shorewall.nix

{pkgs, lib, config, ...}:
let inherit (builtins) hasAttr readFile;
    inherit (pkgs.lib) unlinesAttrs;
    inherit (config.services) shorewall shorewall6;
    zones4 = config.networking.zones;
    zones6 = config.networking.zones;
    "macro.Git" = ''
      ?FORMAT 2
      #ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
      #                               PORT(S) PORT(S) LIMIT   GROUP
      PARAM   -       -       tcp     9418
      '';
in
{
config = {
  services.shorewall = {
    enable  = true;
    configs = {
      "shorewall.conf" = ''
        ${readFile "${shorewall.package}/etc/shorewall/shorewall.conf"}
        #
        ## Custom config
        ###
        STARTUP_ENABLED=Yes
        ZONE2ZONE=2
        '';
      zones = ''
        # DOC: shorewall-zones(5)
        fw firewall
        '' + unlinesAttrs (zone: _: "${zone} ipv4") zones4;
      interfaces = ''
        # DOC: shorewall-interfaces(5)
        ?FORMAT 2
        '' + unlinesAttrs (zone: {iface, ...}:
          "${zone} ${iface} arp_filter,nosmurfs,routefilter,tcpflags") zones4;
      policy = ''
        # DOC: shorewall-policy(5)
        $FW all DROP
        '' + unlinesAttrs (zone: _: "${zone} all DROP none") zones4
        + ''
        # XXX: the following policy must be last
        all all REJECT none
        '';
      rules = ''
        # DOC: shorewall-rules(5)
        #SECTION ALL
        #SECTION ESTABLISHED
        #SECTION RELATED
        ?SECTION NEW
        ''
        + lib.optionalString (hasAttr "lan" zones4) ''
        # ----------
        # $FW -> lan
        # ----------
        ACCEPT $FW lan:${zones4.lan.ipv4}/24

        # ----------
        # lan -> $FW
        # ----------
        ACCEPT lan:${zones4.lan.ipv4}/24 $FW
        ''
        + lib.optionalString (hasAttr "net" zones4) ''
        # ----------
        # $FW -> net
        # ----------

        # By protocol
        Ping(ACCEPT) $FW net

        # By port
        DNS(ACCEPT)   $FW net
        Git(ACCEPT)   $FW net
        HTTP(ACCEPT)  $FW net
        HTTPS(ACCEPT) $FW net
        SMTP(ACCEPT)  $FW net
        SMTPS(ACCEPT) $FW net
        SSH(ACCEPT)   $FW net

        # ----------
        # net -> $FW
        # ----------

        # By protocol
        Ping(ACCEPT)  net $FW

        # By port
        #HTTPS(ACCEPT) net $FW
        DNS(ACCEPT)    net $FW
        IMAPS(ACCEPT)  net $FW
        POP3S(ACCEPT)  net $FW
        SMTP(ACCEPT)   net $FW
        SMTPS(ACCEPT)  net $FW
        '';
      inherit "macro.Git";
    };
  };
  services.shorewall6 = {
    enable  = true;
    configs = {
      "shorewall6.conf" = ''
        ${readFile "${shorewall6.package}/etc/shorewall6/shorewall6.conf"}
        #
        ## Custom config
        ###
        STARTUP_ENABLED=Yes
        ZONE2ZONE=2
        '';
      zones = ''
        # DOC: shorewall-zones(5)
        fw firewall
        '' + unlinesAttrs (zone: _: "${zone} ipv6") zones6;
      interfaces = ''
        # DOC: shorewall-interfaces(5)
        ?FORMAT 2
        '' + unlinesAttrs (zone: {iface, ...}: "${zone} ${iface} nosmurfs,tcpflags") zones6;
      policy = ''
        # DOC: shorewall-policy(5)
        $FW all DROP
        '' + unlinesAttrs (zone: _: "${zone} all DROP none") zones6
        + ''
        # XXX: the following policy must be last
        all all REJECT none
        '';
      rules = ''
        # DOC: shorewall-rules(5)
        #SECTION ALL
        #SECTION ESTABLISHED
        #SECTION RELATED
        ?SECTION NEW
        ''
        + lib.optionalString (hasAttr "lan" zones6) ''
        # ----------
        # $FW -> lan
        # ----------
        Ping(ACCEPT) $FW lan:fe80::/10

        # ----------
        # lan -> $FW
        # ----------
        Ping(ACCEPT) lan:fe80::/10 $FW
        SSH(ACCEPT)  lan:fe80::/10 $FW
        Git(ACCEPT)  lan:fe80::/10 $FW
        '';
      inherit "macro.Git";
    };
  };
};
}