diff --git a/lib/constants.nix b/lib/constants.nix
index fc7f52b..54d2b10 100644
--- a/lib/constants.nix
+++ b/lib/constants.nix
@@ -114,6 +114,33 @@ rec {
 };
 home.v6 = "2a0e:97c0:4d0::/48";
 };
+
+ firewallForwards = aa: [
+ {
+ port = "http";
+ dst = aa.middleman.internal.ipv4.address;
+ }
+ {
+ port = "https";
+ dst = aa.middleman.internal.ipv4.address;
+ }
+ {
+ port = 8448;
+ dst = aa.middleman.internal.ipv4.address;
+ }
+
+ {
+ port = 2456;
+ dst = aa.valheim-oci.internal.ipv4.address;
+ proto = "udp";
+ }
+ {
+ port = 2457;
+ dst = aa.valheim-oci.internal.ipv4.address;
+ proto = "udp";
+ }
+ ];
+
 fstrimConfig = {
 enable = true;
 # backup happens at 05:00
diff --git a/lib/default.nix b/lib/default.nix
index 7940e05..4a8e7bd 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -1,6 +1,6 @@
 { lib }:
 let
- inherit (builtins) length match elemAt filter;
+ inherit (builtins) length match elemAt filter replaceStrings;
 inherit (lib) genAttrs mapAttrsToList filterAttrsRecursive nameValuePair types mkOption mkOverride mkForce mkIf mergeEqualOption optional
@@ -123,6 +123,12 @@ rec {
 home-manager = mkOpt' (enum [ "unstable" "stable" "mine" "mine-stable" ]) "unstable" "Branch of home-manager to use.";
 };
+ nft = rec {
+ ipEscape = replaceStrings ["." ":"] ["-" "-"];
+ natFilterChain = ip: "filter-fwd-${ipEscape ip}";
+ dnatChain = ip: "fwd-${ipEscape ip}";
+ };
+
 mkVLAN = name: vid: {
 "25-${name}" = {
 netdevConfig = {
diff --git a/nixos/boxes/colony/default.nix b/nixos/boxes/colony/default.nix
index 82b153d..fc51902 100644
--- a/nixos/boxes/colony/default.nix
+++ b/nixos/boxes/colony/default.nix
@@ -1,7 +1,7 @@
 { lib, ... }:
 let
 inherit (lib.my) net;
- inherit (lib.my.c.colony) domain prefixes;
+ inherit (lib.my.c.colony) domain prefixes firewallForwards;
 in
 {
 imports = [ ./vms ];
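Review bot: `firewallForwards` takes an undocumented `aa` argument whose shape (an attrset of host assignments, each with an `internal.ipv4.address`) a reader of lib/constants.nix cannot see, and the three entries without `proto` rely on a default the firewall module applies (its `makeForward` reads `f.proto` unconditionally), which this file does not state. A short comment above the binding would carry that contract: `# Port forwards shared by colony and estuary. aa is the allAssignments attrset (hosts keyed by name); proto is left to the firewall module's default (tcp presumably) where omitted.` The three middleman entries differ only in `port`, so `map (port: { inherit port; dst = aa.middleman.internal.ipv4.address; }) [ "http" "https" 8448 ]` would also make the shared destination obvious, but that is a matter of taste.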
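Review bot: The new `nft` helpers in lib/default.nix define the chain-name contract that nixos/modules/firewall.nix declares and jumps to, and exporting them under `lib.my.nft` suggests other modules will reference those chains, yet nothing here says where the chains come from or what `ipEscape` expects. `ipEscape` only rewrites `.` and `:`, which is sufficient while the `nat.forwardPorts` keys are plain addresses as in this diff, but any other character in a key would land verbatim in the nft chain name. Suggest a comment on the attrset: `# Chain names for per-address port forwards; the chains themselves are emitted by nixos/modules/firewall.nix. Keys must be bare IPv4/IPv6 addresses.`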
@@ -351,6 +351,7 @@ in
 firewall = {
 trustedInterfaces = [ "vms" ];
+ nat.forwardPorts."${allAssignments.estuary.internal.ipv4.address}" = firewallForwards allAssignments;
 extraRules = ''
 define cust = { vm-mail, vm-darts }
 table inet filter {
diff --git a/nixos/boxes/colony/vms/estuary/default.nix b/nixos/boxes/colony/vms/estuary/default.nix
index b44a815..397025f 100644
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@@ -2,7 +2,7 @@ let
 inherit (builtins) elemAt;
 inherit (lib.my) net mkVLAN;
- inherit (lib.my.c.colony) pubV4 domain prefixes;
+ inherit (lib.my.c.colony) pubV4 domain prefixes firewallForwards;
 in
 {
 nixos = {
@@ -356,31 +356,7 @@ in
 nat = {
 enable = true;
 externalInterface = "wan";
- forwardPorts."${assignments.internal.ipv4.address}" = [
- {
- port = "http";
- dst = allAssignments.middleman.internal.ipv4.address;
- }
- {
- port = "https";
- dst = allAssignments.middleman.internal.ipv4.address;
- }
- {
- port = 8448;
- dst = allAssignments.middleman.internal.ipv4.address;
- }
-
- {
- port = 2456;
- dst = allAssignments.valheim-oci.internal.ipv4.address;
- proto = "udp";
- }
- {
- port = 2457;
- dst = allAssignments.valheim-oci.internal.ipv4.address;
- proto = "udp";
- }
- ];
+ forwardPorts."${assignments.internal.ipv4.address}" = firewallForwards allAssignments;
 };
 extraRules = let
diff --git a/nixos/modules/firewall.nix b/nixos/modules/firewall.nix
index 961e6dd..f44621e 100644
--- a/nixos/modules/firewall.nix
+++ b/nixos/modules/firewall.nix
@@ -1,6 +1,6 @@
 { lib, options, config, ... }:
 let
- inherit (builtins) typeOf replaceStrings attrNames;
+ inherit (builtins) typeOf attrNames;
 inherit (lib) optionalString concatStringsSep concatMapStringsSep mapAttrsToList optionalAttrs mkIf mkDefault mkMerge mkOverride;
@@ -140,6 +140,9 @@ in
 chain postrouting {
 type nat hook postrouting priority srcnat;
 }
+ chain input {
+ type nat hook input priority srcnat;
+ }
 }
 ${cfg.extraRules}
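Review bot: The added `nat.forwardPorts` entry on colony is keyed by estuary's internal address, so through the destination-based rules in nixos/modules/firewall.nix every packet colony routes or originates toward that address on the forwarded ports is DNATed directly to middleman or valheim-oci, from any interface, without ever reaching estuary; why colony needs a copy of estuary's forwards (a hairpin path for the VMs behind it, presumably) is not recorded anywhere. The hunk also does not show whether colony sets `nat.enable`/`nat.externalInterface`, which the module may require before it emits the nat table. A comment on the new line would settle the intent: `# Hairpin: traffic from the VMs (and colony itself) to estuary's internal address hits the same forwards as WAN traffic`.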
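Review bot: The new `chain input { type nat hook input priority srcnat; }` in nixos/modules/firewall.nix holds no rules and no comment, so a reader cannot tell why an empty base chain is registered; as I understand nftables it is the companion to the `chain output` DNAT added further down in this commit, so that replies to locally originated connections that were DNATed in the output hook are reverse-translated. That dependency should be stated next to the chain: `# Empty on purpose: a nat input hook must exist for reverse translation of replies to DNAT done in chain output`. Without it the chain looks like dead configuration and is likely to be removed in a future cleanup.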
@@ -179,13 +182,22 @@ in
 my.firewall.extraRules = let
+ inherit (lib.my.nft) natFilterChain dnatChain;
 ipK = ip: "ip${optionalString (isIPv6 ip) "6"}";
- ipEscaped = replaceStrings ["." ":"] ["-" "-"];
 makeFilter = f: "${ipK f.dst} daddr ${f.dst} ${f.proto} dport ${toString f.dstPort} accept";
 makeForward = f: "${f.proto} dport ${toString f.port} dnat ${ipK f.dst} to ${f.dst}:${toString f.dstPort}";
+
+ dnatJumps = ''
+ ${optionalString
+ iifForward
+ "iifname ${cfg.nat.externalInterface} jump iif-port-forward"}
+ ${optionalString
+ dipForward
+ (concatMapStringsSep "\n " (ip: "${ipK ip} daddr ${ip} jump ${dnatChain ip}") (attrNames cfg.nat.forwardPorts))}
+ '';
 in '' table inet filter {
@@ -198,7 +210,7 @@ in
 ${optionalString dipForward (concatStringsSep "\n" (mapAttrsToList (ip: fs: ''
- chain filter-fwd-${ipEscaped ip} {
+ chain ${natFilterChain ip} {
 ${concatMapStringsSep "\n " makeFilter fs}
 return
 }
@@ -210,7 +222,7 @@ in
 "iifname ${cfg.nat.externalInterface} jump filter-iif-port-forwards"}
 ${optionalString
 dipForward
- (concatMapStringsSep "\n " (ip: "${ipK ip} daddr ${ip} jump filter-fwd-${ipEscaped ip}") (attrNames cfg.nat.forwardPorts))}
+ (concatMapStringsSep "\n " (ip: "${ipK ip} daddr ${ip} jump ${natFilterChain ip}") (attrNames cfg.nat.forwardPorts))}
 }
 }
@@ -224,19 +236,17 @@ in
 ${optionalString dipForward (concatStringsSep "\n" (mapAttrsToList (ip: fs: ''
- chain fwd-${ipEscaped ip} {
+ chain ${dnatChain ip} {
 ${concatMapStringsSep "\n " makeForward fs}
 return
 }
 '') cfg.nat.forwardPorts))}
 chain prerouting {
- ${optionalString
- iifForward
- "iifname ${cfg.nat.externalInterface} jump iif-port-forward"}
- ${optionalString
- dipForward
- (concatMapStringsSep "\n " (ip: "${ipK ip} daddr ${ip} jump fwd-${ipEscaped ip}") (attrNames cfg.nat.forwardPorts))}
+ ${dnatJumps}
+ }
+ chain output {
+ ${dnatJumps}
 }
 }
 '';
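Review bot: `dnatJumps` bundles the `iifname ${cfg.nat.externalInterface} jump iif-port-forward` rule with the `daddr` jumps, and the @@ -224 hunk then emits it verbatim in the new `chain output`, where a locally generated packet has no input interface and the iif rule can never match; the rule is dead there and makes the output chain look like it forwards WAN traffic. Cleaner to keep two strings, e.g. `iifJump` holding the first `optionalString` and `dipJumps` the second, emit both in `chain prerouting` and only `dipJumps` in `chain output`; failing that, a comment in the output chain, `# only the daddr jumps can match here; iifname is never set in the output hook`, would stop the next reader from puzzling over it. `my.firewall.extraRules` begins before and ends after this hunk.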
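Review bot: `chain output { ${dnatJumps} }` only translates anything if the nat table's base block declares `chain output` with `type nat hook output priority dstnat;`, and the @@ -140 hunk adds a base `chain input` but no base `chain output` is visible anywhere in this diff. If that declaration was not already present, this is a plain chain nothing jumps to and the host's own connections to the forwarded addresses silently stay untranslated; worth confirming against the base table in nixos/modules/firewall.nix before merging. A one-line comment on the chain would record the dependency either way: `# hook registration (type nat hook output) lives in the base nat table above`.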