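{ pkgs, lib, config, ... }:
# Shorewall (IPv4) and Shorewall6 (IPv6) firewall for the mermet host.
#
# Three physical interfaces map to three zones: `net` (Internet, enp1s0),
# `lan` (enp2s0) and `unused` (enp3s0, treated as hostile).  Every zone pair
# is default-deny; the rule sets below are the only openings.
let
  inherit (builtins) readFile;
  inherit (config) users;
  inherit (config.services) shorewall shorewall6;

  # The rule sets are written once and fed to BOTH shorewall and shorewall6
  # through `mkConfigs` below, so the two address families always expose
  # exactly the same services — a port opened over one family but forgotten
  # on the other is a classic firewall hole.
  #
  # Review notes on the exposed surface (comments only, no change in what is
  # allowed):
  # - `DNS(ACCEPT) net $FW` makes the local resolver reachable from the
  #   Internet.  That is only safe if unbound refuses recursion for non-local
  #   clients (open recursive resolvers get abused for reflection /
  #   amplification).  Whether it does is decided by the unbound config,
  #   which is not visible here — confirm it.
  # - `SSH(ACCEPT) net $FW` is unconditional.  Shorewall's RATE LIMIT column
  #   can throttle brute-force attempts per source without changing policy,
  #   e.g. `SSH(ACCEPT) net $FW {rate=s:ssh:3/min:5}` (shorewall-rules(5));
  #   left as-is because the acceptable rate is an operational choice.

  # Host -> Internet.  Outbound DNS is restricted to the unbound user, so
  # every other process has to resolve through the local resolver.
  fw2net = ''
    # By protocol
    Ping(ACCEPT) $FW net

    # By port
    DNS(ACCEPT) $FW net {user=${users.users.unbound.name}}
    Git(ACCEPT) $FW net
    HTTP(ACCEPT) $FW net
    HTTPS(ACCEPT) $FW net
    SMTP(ACCEPT) $FW net
    SMTPS(ACCEPT) $FW net
    SSH(ACCEPT) $FW net
  '';

  # Internet -> host: the public services (DNS, web, mail, SSH/Mosh).
  net2fw = ''
    # By protocol
    Ping(ACCEPT) net $FW

    # By port
    DNS(ACCEPT) net $FW
    HTTP(ACCEPT) net $FW
    HTTPS(ACCEPT) net $FW
    IMAPS(ACCEPT) net $FW
    Mosh(ACCEPT) net $FW
    POP3S(ACCEPT) net $FW
    SMTP(ACCEPT) net $FW
    SMTPS(ACCEPT) net $FW
    SSH(ACCEPT) net $FW
    Sieve(ACCEPT) net $FW
  '';

  # Host -> LAN.
  fw2lan = ''
    Ping(ACCEPT) $FW lan
    DNS(ACCEPT) $FW lan
    HTTPS(ACCEPT) $FW lan
  '';

  # LAN -> host.
  lan2fw = ''
    Ping(ACCEPT) lan $FW
    SSH(ACCEPT) lan $FW
    HTTP(ACCEPT) lan $FW
    HTTPS(ACCEPT) lan $FW
    DNS(ACCEPT) lan $FW
  '';

  # Macros for services Shorewall does not ship one for.  Installed next to
  # the other config files, so `Git(ACCEPT)` / `Mosh(ACCEPT)` resolve above.
  macros = {
    # git:// protocol, tcp/9418.
    "macro.Git" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - tcp 9418
    '';
    # Mosh's conventional UDP range (the session is bootstrapped over SSH).
    "macro.Mosh" = ''
      ?FORMAT 2
      #ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
      # PORT(S) PORT(S) LIMIT GROUP
      PARAM - - udp 60000-61000
    '';
  };

  # Default-deny in every direction, including $FW -> anywhere (egress
  # filtering: the host may only reach what fw2net / fw2lan allow).
  # Dropped traffic is NOT logged (`none`): that keeps logs quiet but leaves
  # no trace of scans or blocked attempts.  Switch to `info` (with LOGLIMIT
  # in the main .conf to bound the volume) if that visibility is wanted.
  policy = ''
    # DOC: shorewall-policy(5)
    $FW all DROP
    lan all DROP none
    net all DROP none
    unused all DROP none
    # WARNING: the following policy must be last
    all all REJECT none
  '';

  # Only the NEW section is spelled out; the commented-out headers document
  # that Shorewall's built-in handling of the ALL/ESTABLISHED/RELATED
  # sections is relied upon.
  rules = ''
    # DOC: shorewall-rules(5)
    #SECTION ALL
    #SECTION ESTABLISHED
    #SECTION RELATED
    ?SECTION NEW

    ${fw2net}
    ${net2fw}

    ${fw2lan}
    ${lan2fw}
  '';

  # Build the `configs` attribute set for one address family.
  #   confName:     name of the main file (shorewall.conf / shorewall6.conf).
  #   exampleConf:  path of the distribution's example file, used verbatim
  #                 as the baseline; the custom settings are appended after
  #                 it and are meant to take precedence over the example's
  #                 values for the same keys.
  #   family:       zone TYPE in shorewall-zones(5), "ipv4" or "ipv6".
  #   ifaceOptions: interface OPTIONS in shorewall-interfaces(5).
  mkConfigs = { confName, exampleConf, family, ifaceOptions }: macros // {
    ${confName} = ''
      ${readFile exampleConf}
      #
      ## Custom config
      ###
      STARTUP_ENABLED=Yes
      ZONE2ZONE=2
    '';
    zones = ''
      # DOC: shorewall-zones(5)
      fw firewall
      net ${family}
      lan ${family}
      unused ${family}
    '';
    interfaces = ''
      # DOC: shorewall-interfaces(5)
      ?FORMAT 2
      net enp1s0 ${ifaceOptions}
      lan enp2s0 ${ifaceOptions}
      unused enp3s0 ${ifaceOptions}
    '';
    inherit policy rules;
  };
in
{
  services.shorewall = {
    enable = true;
    configs = mkConfigs {
      confName = "shorewall.conf";
      exampleConf = "${shorewall.package}/etc-example/shorewall/shorewall.conf";
      family = "ipv4";
      # routefilter (rp_filter) and arp_filter are IPv4-only kernel knobs.
      ifaceOptions = "arp_filter,nosmurfs,routefilter=1,tcpflags";
    };
  };
  services.shorewall6 = {
    enable = true;
    configs = mkConfigs {
      confName = "shorewall6.conf";
      exampleConf = "${shorewall6.package}/etc-example/shorewall6/shorewall6.conf";
      family = "ipv6";
      ifaceOptions = "nosmurfs,tcpflags";
    };
  };
}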