Handle nginx open firewall by nixos-modules

2022-12-20 04:31:37 +01:00 · 2022-12-20 04:31:37 +01:00 · aafc472a59
parent a6cbac7c08
commit aafc472a59
27 changed files with 41 additions and 101 deletions
--- a/config/default.nix
+++ b/config/default.nix
@ -0,0 +1,14 @@
+{ config, lib, ... }:
+
+# this file contains default configuration that may be turned on depending on other config settings.
+# options should go to modules.
+
+lib.mkIf config.services.nginx.enable {
+  services.nginx = {
+    openFirewall = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+  };
+}
--- a/flake.nix
+++ b/flake.nix
@ -231,14 +231,16 @@
          ({ ... }: {
            _module.args = extraArgs // {
              inherit hostRegistry inputs zentralwerk;
+
+              lib = lib.recursiveUpdate nixpkgs.lib nixos-modules.lib;
            };

-            nixpkgs = {
-              overlays = [ self.overlays ];
-            };
+            nixpkgs.overlays = [ self.overlays ];
          })

          self.nixosModules.c3d2
+          nixos-modules.nixosModule
+          ./config
          ./modules/audio-server.nix
          ./modules/c3d2.nix
          ./modules/stats.nix
--- a/hosts/auth/default.nix
+++ b/hosts/auth/default.nix
@ -13,8 +13,6 @@
      "127.0.0.1" = [ "auth.c3d2.de" ];
    };
    firewall.allowedTCPPorts = [
-      80  # http
-      443 # https
      636 # ldaps
    ];
  };
@ -27,10 +25,8 @@
        forceSSL = true;
        enableACME = true;
        locations = {
+          "/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
          "/dex".proxyPass ="http://localhost:${toString config.services.portunus.dex.port}";
-          "/" = {
-            proxyPass = "http://localhost:${toString config.services.portunus.port}";
-          };
        };
      };
    };
--- a/hosts/blogs/default.nix
+++ b/hosts/blogs/default.nix
@ -4,12 +4,7 @@
  microvm.mem = 2048;
  c3d2.deployment.server = "server10";

-  networking = {
-    hostName = "blogs";
-    firewall.allowedTCPPorts = [
-      80 443
-    ];
-  };
+  networking.hostName = "blogs";

  # See secrets/hosts/blogs for the .env file with all settings
  services.plume = {
--- a/hosts/broker/default.nix
+++ b/hosts/broker/default.nix
@ -19,8 +19,6 @@ in
  networking = {
    hostName = "broker";
    firewall.allowedTCPPorts = [
-      # nginx
-      80 443
      # mosquitto
      1883 8883
    ];
--- a/hosts/buzzrelay/default.nix
+++ b/hosts/buzzrelay/default.nix
@ -6,10 +6,7 @@
    needForSpeed = true;
  };
  system.stateVersion = "22.11";
-  networking = {
-    hostName = "buzzrelay";
-    firewall.allowedTCPPorts = [ 80 443 ];
-  };
+  networking.hostName = "buzzrelay";

  sops.defaultSopsFile = ./secrets.yaml;
  sops.secrets = {
--- a/hosts/caveman/default.nix
+++ b/hosts/caveman/default.nix
@ -12,10 +12,7 @@
    mem = 16 * 1024;
  };

-  networking = {
-    hostName = "caveman";
-    firewall.allowedTCPPorts = [ 23 80 443 ];
-  };
+  networking.hostName = "caveman";

  services.journald.extraConfig = ''
    Storage=volatile
--- a/hosts/direkthilfe/default.nix
+++ b/hosts/direkthilfe/default.nix
@ -6,10 +6,7 @@

  environment.systemPackages = with pkgs; [ vim git ];

-  networking = {
-    firewall.allowedTCPPorts = [ 22 80 443 ];
-    hostName = "direkthilfe";
-  };
+  networking.hostName = "direkthilfe";

  services = {
    openssh = {
--- a/hosts/ftp/default.nix
+++ b/hosts/ftp/default.nix
@ -14,10 +14,7 @@
    }];
  };

-  networking = {
-    hostName = "ftp";
-    firewall.allowedTCPPorts = [ 80 443 ];
-  };
+  networking.hostName = "ftp";

  users.groups."ftpupload" = { };

--- a/hosts/gitea/default.nix
+++ b/hosts/gitea/default.nix
@ -11,7 +11,7 @@
      ${hosts6.up4.auth} = [ "auth.c3d2.de" ];
      ${hosts4.auth} = [ "auth.c3d2.de" ];
    };
-    firewall.allowedTCPPorts = [ 80 443 2222 ];
+    firewall.allowedTCPPorts = [ 2222 ];
  };

  services = {
--- a/hosts/grafana/default.nix
+++ b/hosts/grafana/default.nix
@ -11,8 +11,8 @@

  networking = {
    firewall = {
-      # http https influxdb
-      allowedTCPPorts = [ 80 443 8086 ];
+      # influxdb
+      allowedTCPPorts = [ 8086 ];
      # collectd
      allowedUDPPorts = [ 25826 ];
    };
--- a/hosts/hedgedoc/default.nix
+++ b/hosts/hedgedoc/default.nix
@ -17,7 +17,6 @@
      ${hosts6.up4.auth} = [ "auth.c3d2.de" ];
      ${hosts4.auth} = [ "auth.c3d2.de" ];
    };
-    firewall.allowedTCPPorts = [ 80 443 ];
  };

  services = {
--- a/hosts/mailtngbert/default.nix
+++ b/hosts/mailtngbert/default.nix
@ -32,8 +32,6 @@ in
      143
      # managesieve
      4190
-      # nginx for cert and rspamd
-      80 443
    ];
  };

--- a/hosts/matemat/default.nix
+++ b/hosts/matemat/default.nix
@ -5,10 +5,7 @@

  microvm.mem = 2 * 1024;

-  networking = {
-    hostName = "matemat";
-    firewall.allowedTCPPorts = [ 80 443 ];
-  };
+  networking.hostName = "matemat";

  services = {
    nginx = {
--- a/hosts/mediawiki/default.nix
+++ b/hosts/mediawiki/default.nix
@ -1,10 +1,7 @@
 { config, lib, pkgs, ... }:

 {
-  networking = {
-    firewall.allowedTCPPorts = [ 80 443 ];
-    hostName = "mediawiki";
-  };
+  networking.hostName = "mediawiki";

  c3d2.deployment.server = "server10";

--- a/hosts/mobilizon/default.nix
+++ b/hosts/mobilizon/default.nix
@ -7,10 +7,7 @@

  microvm.mem = 2048;

-  networking = {
-    hostName = "mobilizon";
-    firewall.allowedTCPPorts = [ 80 443 ];
-  };
+  networking.hostName = "mobilizon";

  services.postgresql.package = pkgs.postgresql_13;

--- a/hosts/network-homepage/default.nix
+++ b/hosts/network-homepage/default.nix
@ -6,10 +6,7 @@
    deployment.server = "server10";
  };

-  networking = {
-    hostName = "network-homepage";
-    firewall.allowedTCPPorts = [ 22 80 443 ];
-  };
+  networking.hostName = "network-homepage";

  services = {
    nginx = rec {
--- a/hosts/owncast/default.nix
+++ b/hosts/owncast/default.nix
@ -16,10 +16,7 @@
  };
  c3d2.hq.statistics.enable = true;

-  networking = {
-    hostName = "owncast";
-    firewall.allowedTCPPorts = [ 80 443 ];
-  };
+  networking.hostName = "owncast";

  services.owncast = {
    enable = true;
@ -28,9 +25,6 @@

  services.nginx = {
    enable = true;
-    recommendedOptimisation = true;
-    recommendedTlsSettings = true;
-    recommendedGzipSettings = true;
    additionalModules = [ pkgs.nginxModules.fancyindex ];
    virtualHosts."owncast.c3d2.de" = {
      default = true;
--- a/hosts/prometheus/default.nix
+++ b/hosts/prometheus/default.nix
@ -1,23 +1,14 @@
 { zentralwerk, config, lib, ... }:

 {
-  deployment = {
-    mem = 1024;
-  };
+  deployment.mem = 1024;

  networking = {
    hostName = "prometheus";
-    firewall = {
-      allowedTCPPorts = [
-        # nginx
-        80 443
-      ];
-      allowedUDPPorts = [
-        # services.prometheus.exporters.collectd.collectdBinary
-        25826
-      ];
-      enable = true;
-    };
+    firewall.allowedUDPPorts = [
+      # services.prometheus.exporters.collectd.collectdBinary
+      25826
+    ];
  };

  services.prometheus = {
--- a/hosts/pulsebert/default.nix
+++ b/hosts/pulsebert/default.nix
@ -48,8 +48,6 @@
  networking = {
    firewall = {
      allowedTCPPorts = [
-        # nginx
-        80 443
        # pulseaudio/pipewire network sync
        4713
        # llmnr
@ -64,9 +62,7 @@
    };
    hostName = "pulsebert";
    useDHCP = false;
-    interfaces = {
-      eth0.useDHCP = true;
-    };
+    interfaces.eth0.useDHCP = true;
  };

  environment.systemPackages = with pkgs; [
--- a/hosts/scrape/default.nix
+++ b/hosts/scrape/default.nix
@ -37,7 +37,6 @@ in {
      '';
    };
  };
-  networking.firewall.allowedTCPPorts = [ 80 443 ];

  systemd.services = let
    scraperPkgs = import scrapers { inherit pkgs; };
--- a/hosts/sdrweb/default.nix
+++ b/hosts/sdrweb/default.nix
@ -16,9 +16,6 @@

  networking.hostName = "sdrweb";

-  # http https
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-
  services.nginx = {
    enable = true;
    virtualHosts."sdr.hq.c3d2.de" = {
--- a/hosts/sshlog/default.nix
+++ b/hosts/sshlog/default.nix
@ -12,8 +12,7 @@
  networking = {
    hostName = "sshlog";
    firewall.allowedTCPPorts = [
-      22
-      80 443
+      22 # not using openssh module
    ];
  };
  
--- a/hosts/stream/default.nix
+++ b/hosts/stream/default.nix
@ -6,7 +6,6 @@ in
  networking.hostName = "stream";
  c3d2.hq.statistics.enable = true;
  deployment = {
-    persistedShares = [ "/etc" "/home" "/var" ];
    storage = "big";
    mem = 4096;
    networks = lib.mkForce [ "pub" "serv" ];
@ -42,7 +41,6 @@ in
      networkConfig.IPv6AcceptRA = true;
    };
  };
-  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.peerflix.enable = true;
  systemd.services.peerflix.serviceConfig = {
--- a/hosts/ticker/default.nix
+++ b/hosts/ticker/default.nix
@ -8,10 +8,7 @@
    hq.statistics.enable = true;
  };

-  networking = {
-    hostName = "ticker";
-    firewall.allowedTCPPorts = [ 22 80 443 ];
-  };
+  networking.hostName = "ticker";

  services = {
    nginx = {
--- a/hosts/zengel/default.nix
+++ b/hosts/zengel/default.nix
@ -5,8 +5,6 @@
  microvm.mem = 1024;
  c3d2.deployment.server = "server10";

-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-
  services.engelsystem = {
    enable = true;
    domain = "zengel.datenspuren.de";
--- a/modules/c3d2.nix
+++ b/modules/c3d2.nix
@ -345,13 +345,6 @@ in
        vim.defaultEditor = true;
      };

-      services.nginx = lib.mkIf config.services.nginx.enable {
-        recommendedGzipSettings = true;
-        recommendedOptimisation = true;
-        recommendedProxySettings = true;
-        recommendedTlsSettings = true;
-      };
-
      time.timeZone = lib.mkDefault "Europe/Berlin";

      # Reboot on hang