From 7e5c051bfc53b59eb74e3888becf5c1fd6f55a61 Mon Sep 17 00:00:00 2001
From: Jack O'Sullivan
Date: Sun, 12 Jun 2022 14:03:44 +0100
Subject: [PATCH] nixos/jackflix: Improve firewall
---
 .../vms/shill/containers/jackflix/default.nix | 104 ++++-----
 .../shill/containers/jackflix/networking.nix | 211 +++++++++++-------
 2 files changed, 167 insertions(+), 148 deletions(-)
diff --git a/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix b/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
index 1d22a12..18f20c0 100644
--- a/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
+++ b/nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
@@ -17,85 +17,65 @@ configuration = { lib, pkgs, config, ... }: let - inherit (lib) mkMerge mkIf; + inherit (lib); in { imports = [ ./networking.nix ]; - config = mkMerge [ - { - my = { - deploy.enable = false; - server.enable = true; + config = { + my = { + deploy.enable = false; + server.enable = true; - secrets = { - key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzzAqa4821NlYfALYOlvR7YlOgxNuulTWo9Vm5L1mNU"; - }; + secrets = { + key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKzzAqa4821NlYfALYOlvR7YlOgxNuulTWo9Vm5L1mNU"; }; + }; + users = { + groups.media.gid = 2000; users = { - groups.media.gid = 2000; - users = { - transmission.extraGroups = [ "media" ]; - radarr.extraGroups = [ "media" ]; - }; - }; - - systemd = { - services = { - jackett.bindsTo = [ "systemd-networkd-wait-online@vpn.service" ]; - transmission.bindsTo = [ "systemd-networkd-wait-online@vpn.service" ]; - - radarr.serviceConfig.UMask = "0002"; - }; + transmission.extraGroups = [ "media" ]; + radarr.extraGroups = [ "media" ]; }; + }; + systemd = { services = { - transmission = { - enable = true; - openPeerPorts = true; - openRPCPort = true; - downloadDirPermissions = null; - performanceNetParameters = true; - settings = { - download-dir = "/mnt/media/downloads/torrents"; - incomplete-dir-enabled = true; - incomplete-dir = "/mnt/media/downloads/torrents/.incomplete"; - umask = 002; + jackett.bindsTo = [ "systemd-networkd-wait-online@vpn.service" ]; + transmission.bindsTo = [ "systemd-networkd-wait-online@vpn.service" ]; - peer-port = 55471; - utp-enabled = true; - port-forwarding-enabled = false; + radarr.serviceConfig.UMask = "0002"; + }; + }; - ratio-limit = 2.0; - ratio-limit-enabled = true; + services = { + transmission = { + enable = true; + downloadDirPermissions = null; + performanceNetParameters = true; + settings = { + download-dir = "/mnt/media/downloads/torrents"; + incomplete-dir-enabled = true; + incomplete-dir = "/mnt/media/downloads/torrents/.incomplete"; + umask = 002; - rpc-bind-address 
= "::"; - rpc-whitelist-enabled = false; - rpc-host-whitelist-enabled = false; - }; - }; + utp-enabled = true; + port-forwarding-enabled = false; - jackett = { - enable = true; - openFirewall = true; - }; - radarr = { - enable = true; - openFirewall = true; + ratio-limit = 2.0; + ratio-limit-enabled = true; + + rpc-bind-address = "::"; + rpc-whitelist-enabled = false; + rpc-host-whitelist-enabled = false; }; }; - } - (mkIf config.my.build.isDevVM { - virtualisation = { - forwardPorts = [ - { from = "host"; host.port = 9117; guest.port = 9117; } - { from = "host"; host.port = 7878; guest.port = 7878; } - { from = "host"; host.port = 8989; guest.port = 8989; } - ]; - }; - }) - ]; + + jackett.enable = true; + radarr.enable = true; + }; + }; }; }; } diff --git a/nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix b/nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix index 0fb640e..69b3dfe 100644 --- a/nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix +++ b/nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix @@ -1,6 +1,6 @@ { lib, pkgs, config, assignments, ... }: let - inherit (lib) mkMerge; + inherit (lib) mkMerge mkIf; inherit (lib.my) networkdAssignment; wg = { 
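Review bot: With `rpc-bind-address = "::"` and both `rpc-whitelist-enabled` and `rpc-host-whitelist-enabled` set to false, and `openRPCPort` now gone, the only thing between a network peer and the Transmission RPC is the port-9091 rule in networking.nix, which nothing in this file records; a comment such as `# RPC access relies entirely on the nftables rules in networking.nix — no whitelist and no rpc-authentication-required` would keep that visible to the next reader. Disabling the host whitelist also turns off Transmission's Host-header check, which is its guard against DNS rebinding from a browser on an otherwise-allowed network, so if it was only disabled for the DevVM port forward, re-enabling it with `rpc-host-whitelist` listing the expected names is cheap hardening. On the style side, `inherit (lib);` now inherits nothing, so the whole `let inherit (lib); in` wrapper can be dropped. The enclosing `configuration` function starts before this hunk.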
@@ -8,102 +8,141 @@ let fwMark = 42; routeTable = 51820; }; + + # Forwarded in Mullvad config + transmissionPeerPort = 55471; in { - config = { - my = { - secrets = { - files."${wg.keyFile}" = { - group = "systemd-network"; - mode = "440"; + config = mkMerge [ + { + my = { + secrets = { + files."${wg.keyFile}" = { + group = "systemd-network"; + mode = "440"; + }; + }; + + firewall = { + extraRules = '' + # Make sure that VPN connections are dropped (except for the Transmission port) + table inet filter { + chain tcp-ext { + tcp dport ${toString transmissionPeerPort} accept + iifname vpn return + + tcp dport { 9091, 9117, 7878, 8989, 8096 } accept + return + } + chain input { + tcp flags & (fin|syn|rst|ack) == syn ct state new jump tcp-ext + } + } + ''; }; }; - firewall = { - tcp.allowed = [ ]; + environment.systemPackages = with pkgs; [ + wireguard-tools + ]; + + services = { + transmission.settings.peer-port = transmissionPeerPort; }; - }; - environment.systemPackages = with pkgs; [ - wireguard-tools - ]; - - systemd = { - network = { - netdevs."30-vpn" = with wg; { - netdevConfig = { - Name = "vpn"; - Kind = "wireguard"; - }; - wireguardConfig = { - PrivateKeyFile = config.age.secrets."${keyFile}".path; - FirewallMark = fwMark; - RouteTable = routeTable; - }; - wireguardPeers = [ - { - # mlvd-de32 - wireguardPeerConfig = { - Endpoint = "146.70.107.194:51820"; - PublicKey = "uKTC5oP/zfn6SSjayiXDDR9L82X0tGYJd5LVn5kzyCc="; - AllowedIPs = [ "0.0.0.0/0" "::/0" ]; - }; - } - ]; - }; - - networks = { - "80-container-host0" = mkMerge [ - (networkdAssignment "host0" assignments.internal) - { - networkConfig.DNSDefaultRoute = false; - } - ]; - "90-vpn" = with wg; { - matchConfig.Name = "vpn"; - address = [ "10.68.19.11/32" "fc00:bbbb:bbbb:bb01::5:130a/128" ]; - dns = [ "10.64.0.1" ]; - routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [ + systemd = { + network = { + netdevs."30-vpn" = with wg; { + netdevConfig = { + Name = "vpn"; + Kind = "wireguard"; + }; + 
wireguardConfig = { + PrivateKeyFile = config.age.secrets."${keyFile}".path; + FirewallMark = fwMark; + RouteTable = routeTable; + }; + wireguardPeers = [ { - Family = "both"; - SuppressPrefixLength = 0; - Table = "main"; - Priority = 100; - } - - { - From = lib.my.colony.prefixes.all.v4; - Table = "main"; - Priority = 100; - } - { - To = lib.my.colony.prefixes.all.v4; - Table = "main"; - Priority = 100; - } - - { - From = lib.my.colony.prefixes.all.v6; - Table = "main"; - Priority = 100; - } - { - To = lib.my.colony.prefixes.all.v6; - Table = "main"; - Priority = 100; - } - - { - Family = "both"; - InvertRule = true; - FirewallMark = fwMark; - Table = routeTable; - Priority = 110; + # mlvd-de32 + wireguardPeerConfig = { + Endpoint = "146.70.107.194:51820"; + PublicKey = "uKTC5oP/zfn6SSjayiXDDR9L82X0tGYJd5LVn5kzyCc="; + AllowedIPs = [ "0.0.0.0/0" "::/0" ]; + }; } ]; }; + + networks = { + "80-container-host0" = mkMerge [ + (networkdAssignment "host0" assignments.internal) + { + networkConfig.DNSDefaultRoute = false; + } + ]; + "90-vpn" = with wg; { + matchConfig.Name = "vpn"; + address = [ "10.68.19.11/32" "fc00:bbbb:bbbb:bb01::5:130a/128" ]; + dns = [ "10.64.0.1" ]; + routingPolicyRules = map (r: { routingPolicyRuleConfig = r; }) [ + { + Family = "both"; + SuppressPrefixLength = 0; + Table = "main"; + Priority = 100; + } + + { + From = lib.my.colony.prefixes.all.v4; + Table = "main"; + Priority = 100; + } + { + To = lib.my.colony.prefixes.all.v4; + Table = "main"; + Priority = 100; + } + + { + From = lib.my.colony.prefixes.all.v6; + Table = "main"; + Priority = 100; + } + { + To = lib.my.colony.prefixes.all.v6; + Table = "main"; + Priority = 100; + } + + { + Family = "both"; + InvertRule = true; + FirewallMark = fwMark; + Table = routeTable; + Priority = 110; + } + ]; + }; + }; }; }; - }; - }; + } + (mkIf config.my.build.isDevVM { + virtualisation = { + forwardPorts = [ + # Transmission + { from = "host"; host.port = 9091; guest.port = 9091; } + # Jackett + { from 
= "host"; host.port = 9117; guest.port = 9117; } + # Radarr + { from = "host"; host.port = 7878; guest.port = 7878; } + # Sonarr + { from = "host"; host.port = 8989; guest.port = 8989; } + # Jellyfin + { from = "host"; host.port = 8096; guest.port = 8096; } + ]; + }; + }) + ]; }
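Review bot: The `tcp-ext` chain accepts the peer port only for TCP (`tcp dport ${toString transmissionPeerPort} accept`, reached via the TCP-SYN jump in `input`), while default.nix keeps `utp-enabled = true`, so inbound µTP peers arriving on UDP 55471 over the VPN are not accepted by these rules; the removed `openPeerPorts` opened the port for both protocols if I recall the NixOS module correctly, so this looks like an unintended narrowing. Adding `udp dport ${toString transmissionPeerPort} accept` directly in `chain input` (the jump only fires for TCP) restores it. The comment "Make sure that VPN connections are dropped" overstates what the rules do: `iifname vpn return` only leaves `tcp-ext`, and whether the packet is then dropped depends on the base chain's policy, which is declared outside this file; `# Only the Transmission peer port is reachable from the VPN; anything else falls through to the base chain's policy` would be accurate. It would also help to note that `chain input` here carries no hook and is presumably merged into the base chain defined by the `my.firewall` module. The surrounding `let` starts in the previous hunk.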