From aafc472a59b968806f05922b56ae964664678ab8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Tue, 20 Dec 2022 04:31:37 +0100
Subject: [PATCH] Handle nginx open firewall by nixos-modules
---
 config/default.nix | 14 ++++++++++++++
 flake.nix | 8 +++++---
 hosts/auth/default.nix | 6 +-----
 hosts/blogs/default.nix | 7 +------
 hosts/broker/default.nix | 2 --
 hosts/buzzrelay/default.nix | 5 +----
 hosts/caveman/default.nix | 5 +----
 hosts/direkthilfe/default.nix | 5 +----
 hosts/ftp/default.nix | 5 +----
 hosts/gitea/default.nix | 2 +-
 hosts/grafana/default.nix | 4 ++--
 hosts/hedgedoc/default.nix | 1 -
 hosts/mailtngbert/default.nix | 2 --
 hosts/matemat/default.nix | 5 +----
 hosts/mediawiki/default.nix | 5 +----
 hosts/mobilizon/default.nix | 5 +----
 hosts/network-homepage/default.nix | 5 +----
 hosts/owncast/default.nix | 8 +------
 hosts/prometheus/default.nix | 19 +++++-------------
 hosts/pulsebert/default.nix | 6 +-----
 hosts/scrape/default.nix | 1 -
 hosts/sdrweb/default.nix | 3 --
 hosts/sshlog/default.nix | 3 +-
 hosts/stream/default.nix | 2 --
 hosts/ticker/default.nix | 5 +----
 hosts/zengel/default.nix | 2 --
 modules/c3d2.nix | 7 -------
 27 files changed, 41 insertions(+), 101 deletions(-)
 create mode 100644 config/default.nix
diff --git a/config/default.nix b/config/default.nix
new file mode 100644
index 00000000..5385ae01
--- /dev/null
+++ b/config/default.nix
@@ -0,0 +1,14 @@
+{ config, lib, ... }:
+
+# this file contains default configuration that may be turned on depending on other config settings.
+# options should go to modules.
+
+lib.mkIf config.services.nginx.enable {
+ services.nginx = {
+ openFirewall = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ };
+}
diff --git a/flake.nix b/flake.nix
index 878b0fd1..456ec400 100644
--- a/flake.nix
+++ b/flake.nix
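Review bot: `openFirewall = true;` in the new config/default.nix opens nginx's ports on every host the moment `services.nginx.enable` is set, with no per-host way to opt out short of `lib.mkForce`, so a host that runs nginx only as a localhost reverse proxy or for an internal vhost gets the same exposure as a public one. Declaring it as `openFirewall = lib.mkDefault true;` (and likewise for the four `recommended*` lines) keeps the convenience while letting a host write `services.nginx.openFirewall = false;` in the ordinary way. The option itself is presumably supplied by `nixos-modules.nixosModule`, which the flake.nix hunk adds; its definition is not visible here, so which ports it opens (80/443, judging by the per-host entries this patch removes) should be confirmed, and any host that previously listed 80/443 without enabling nginx now loses them. A one-line comment above the block, `# every nginx-enabled host exposes its listen ports; opt out per host with openFirewall = false`, would make the new default discoverable.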
@@ -231,14 +231,16 @@ ({ ... }: { _module.args = extraArgs // { inherit hostRegistry inputs zentralwerk; + + lib = lib.recursiveUpdate nixpkgs.lib nixos-modules.lib; }; - nixpkgs = { - overlays = [ self.overlays ]; - }; + nixpkgs.overlays = [ self.overlays ]; }) self.nixosModules.c3d2 + nixos-modules.nixosModule + ./config ./modules/audio-server.nix ./modules/c3d2.nix ./modules/stats.nix diff --git a/hosts/auth/default.nix b/hosts/auth/default.nix index d30841f5..75ac8f89 100644 --- a/hosts/auth/default.nix +++ b/hosts/auth/default.nix @@ -13,8 +13,6 @@ "127.0.0.1" = [ "auth.c3d2.de" ]; }; firewall.allowedTCPPorts = [ - 80 # http - 443 # https 636 # ldaps ]; }; @@ -27,10 +25,8 @@ forceSSL = true; enableACME = true; locations = { + "/".proxyPass = "http://localhost:${toString config.services.portunus.port}"; "/dex".proxyPass ="http://localhost:${toString config.services.portunus.dex.port}"; - "/" = { - proxyPass = "http://localhost:${toString config.services.portunus.port}"; - }; }; }; }; diff --git a/hosts/blogs/default.nix b/hosts/blogs/default.nix index 4a8c9f16..42c98e7f 100644 --- a/hosts/blogs/default.nix +++ b/hosts/blogs/default.nix @@ -4,12 +4,7 @@ microvm.mem = 2048; c3d2.deployment.server = "server10"; - networking = { - hostName = "blogs"; - firewall.allowedTCPPorts = [ - 80 443 - ]; - }; + networking.hostName = "blogs"; # See secrets/hosts/blogs for the .env file with all settings services.plume = { diff --git a/hosts/broker/default.nix b/hosts/broker/default.nix index 65137c62..dad2a2f1 100644 --- a/hosts/broker/default.nix +++ b/hosts/broker/default.nix @@ -19,8 +19,6 @@ in networking = { hostName = "broker"; firewall.allowedTCPPorts = [ - # nginx - 80 443 # mosquitto 1883 8883 ]; diff --git a/hosts/buzzrelay/default.nix b/hosts/buzzrelay/default.nix index 7feb36ca..4b115c5f 100644 --- a/hosts/buzzrelay/default.nix +++ b/hosts/buzzrelay/default.nix 
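Review bot: The added `lib = lib.recursiveUpdate nixpkgs.lib nixos-modules.lib;` under `_module.args` is, as far as I can tell, never seen by a module that declares `lib` in its argument set: the module system resolves `lib`, `config` and `options` from its own built-in arguments (and `specialArgs`) before it consults `_module.args`, so `./config` and the host modules keep receiving the plain nixpkgs `lib`. If the intent is to expose nixos-modules' library functions to the modules, pass the merged `lib` through the `lib` argument of `nixpkgs.lib.nixosSystem` instead; if nothing uses those functions yet, drop the line rather than keep a silently dead override. Either way a short comment naming what `nixos-modules.lib` contributes would help the next reader, since the merge is otherwise opaque.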
@@ -6,10 +6,7 @@ needForSpeed = true; }; system.stateVersion = "22.11"; - networking = { - hostName = "buzzrelay"; - firewall.allowedTCPPorts = [ 80 443 ]; - }; + networking.hostName = "buzzrelay"; sops.defaultSopsFile = ./secrets.yaml; sops.secrets = { diff --git a/hosts/caveman/default.nix b/hosts/caveman/default.nix index 7caa449d..a06c8f4f 100644 --- a/hosts/caveman/default.nix +++ b/hosts/caveman/default.nix @@ -12,10 +12,7 @@ mem = 16 * 1024; }; - networking = { - hostName = "caveman"; - firewall.allowedTCPPorts = [ 23 80 443 ]; - }; + networking.hostName = "caveman"; services.journald.extraConfig = '' Storage=volatile diff --git a/hosts/direkthilfe/default.nix b/hosts/direkthilfe/default.nix index cc7d6e55..70bd95ce 100644 --- a/hosts/direkthilfe/default.nix +++ b/hosts/direkthilfe/default.nix @@ -6,10 +6,7 @@ environment.systemPackages = with pkgs; [ vim git ]; - networking = { - firewall.allowedTCPPorts = [ 22 80 443 ]; - hostName = "direkthilfe"; - }; + networking.hostName = "direkthilfe"; services = { openssh = { diff --git a/hosts/ftp/default.nix b/hosts/ftp/default.nix index 7146babf..08842b5d 100644 --- a/hosts/ftp/default.nix +++ b/hosts/ftp/default.nix @@ -14,10 +14,7 @@ }]; }; - networking = { - hostName = "ftp"; - firewall.allowedTCPPorts = [ 80 443 ]; - }; + networking.hostName = "ftp"; users.groups."ftpupload" = { }; diff --git a/hosts/gitea/default.nix b/hosts/gitea/default.nix index 1cae55b9..b4261d86 100644 --- a/hosts/gitea/default.nix +++ b/hosts/gitea/default.nix @@ -11,7 +11,7 @@ ${hosts6.up4.auth} = [ "auth.c3d2.de" ]; ${hosts4.auth} = [ "auth.c3d2.de" ]; }; - firewall.allowedTCPPorts = [ 80 443 2222 ]; + firewall.allowedTCPPorts = [ 2222 ]; }; services = { diff --git a/hosts/grafana/default.nix b/hosts/grafana/default.nix index bedcf7de..7defa9dd 100644 --- a/hosts/grafana/default.nix +++ b/hosts/grafana/default.nix 
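Review bot: The caveman hunk drops port 23 from `allowedTCPPorts` along with 80/443, and the direkthilfe hunk on this line, plus network-homepage and ticker later in the patch, drop port 22 the same way, none of which the subject line ("nginx open firewall") covers. Losing the explicit 22 is harmless only where `services.openssh.enable` is set, because that module opens the port itself by default; direkthilfe at least configures openssh in the context below, but nothing visible confirms that for network-homepage or ticker, and nothing replaces port 23 on caveman — compare sshlog, which deliberately keeps `22 # not using openssh module`. Closing unneeded ports is a welcome reduction, but if it is intended it belongs in the commit message to spare a later lockout hunt; if not, keep e.g. `networking.firewall.allowedTCPPorts = [ 23 ];` on caveman and the explicit 22 on the two hosts.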
@@ -11,8 +11,8 @@ networking = { firewall = { - # http https influxdb - allowedTCPPorts = [ 80 443 8086 ]; + # influxdb + allowedTCPPorts = [ 8086 ]; # collectd allowedUDPPorts = [ 25826 ]; }; diff --git a/hosts/hedgedoc/default.nix b/hosts/hedgedoc/default.nix index db65bbe1..0510dbb5 100644 --- a/hosts/hedgedoc/default.nix +++ b/hosts/hedgedoc/default.nix @@ -17,7 +17,6 @@ ${hosts6.up4.auth} = [ "auth.c3d2.de" ]; ${hosts4.auth} = [ "auth.c3d2.de" ]; }; - firewall.allowedTCPPorts = [ 80 443 ]; }; services = { diff --git a/hosts/mailtngbert/default.nix b/hosts/mailtngbert/default.nix index 8c736120..d4691490 100644 --- a/hosts/mailtngbert/default.nix +++ b/hosts/mailtngbert/default.nix @@ -32,8 +32,6 @@ in 143 # managesieve 4190 - # nginx for cert and rspamd - 80 443 ]; }; diff --git a/hosts/matemat/default.nix b/hosts/matemat/default.nix index 6b8e950d..4ef75cb2 100644 --- a/hosts/matemat/default.nix +++ b/hosts/matemat/default.nix @@ -5,10 +5,7 @@ microvm.mem = 2 * 1024; - networking = { - hostName = "matemat"; - firewall.allowedTCPPorts = [ 80 443 ]; - }; + networking.hostName = "matemat"; services = { nginx = { diff --git a/hosts/mediawiki/default.nix b/hosts/mediawiki/default.nix index d9b411c0..d9379180 100644 --- a/hosts/mediawiki/default.nix +++ b/hosts/mediawiki/default.nix @@ -1,10 +1,7 @@ { config, lib, pkgs, ... }: { - networking = { - firewall.allowedTCPPorts = [ 80 443 ]; - hostName = "mediawiki"; - }; + networking.hostName = "mediawiki"; c3d2.deployment.server = "server10"; diff --git a/hosts/mobilizon/default.nix b/hosts/mobilizon/default.nix index 4cf628ee..e8da6ac1 100644 --- a/hosts/mobilizon/default.nix +++ b/hosts/mobilizon/default.nix @@ -7,10 +7,7 @@ microvm.mem = 2048; - networking = { - hostName = "mobilizon"; - firewall.allowedTCPPorts = [ 80 443 ]; - }; + networking.hostName = "mobilizon"; services.postgresql.package = pkgs.postgresql_13; 
diff --git a/hosts/network-homepage/default.nix b/hosts/network-homepage/default.nix index ed84a475..eaecdc62 100644 --- a/hosts/network-homepage/default.nix +++ b/hosts/network-homepage/default.nix @@ -6,10 +6,7 @@ deployment.server = "server10"; }; - networking = { - hostName = "network-homepage"; - firewall.allowedTCPPorts = [ 22 80 443 ]; - }; + networking.hostName = "network-homepage"; services = { nginx = rec { diff --git a/hosts/owncast/default.nix b/hosts/owncast/default.nix index 7d7a3759..03cc76ce 100644 --- a/hosts/owncast/default.nix +++ b/hosts/owncast/default.nix @@ -16,10 +16,7 @@ }; c3d2.hq.statistics.enable = true; - networking = { - hostName = "owncast"; - firewall.allowedTCPPorts = [ 80 443 ]; - }; + networking.hostName = "owncast"; services.owncast = { enable = true; @@ -28,9 +25,6 @@ services.nginx = { enable = true; - recommendedOptimisation = true; - recommendedTlsSettings = true; - recommendedGzipSettings = true; additionalModules = [ pkgs.nginxModules.fancyindex ]; virtualHosts."owncast.c3d2.de" = { default = true; diff --git a/hosts/prometheus/default.nix b/hosts/prometheus/default.nix index 70222e0a..8e6bca98 100644 --- a/hosts/prometheus/default.nix +++ b/hosts/prometheus/default.nix @@ -1,23 +1,14 @@ { zentralwerk, config, lib, ... }: { - deployment = { - mem = 1024; - }; + deployment.mem = 1024; networking = { hostName = "prometheus"; - firewall = { - allowedTCPPorts = [ - # nginx - 80 443 - ]; - allowedUDPPorts = [ - # services.prometheus.exporters.collectd.collectdBinary - 25826 - ]; - enable = true; - }; + firewall.allowedUDPPorts = [ + # services.prometheus.exporters.collectd.collectdBinary + 25826 + ]; }; services.prometheus = { diff --git a/hosts/pulsebert/default.nix b/hosts/pulsebert/default.nix index 91c86cf8..09fec445 100644 --- a/hosts/pulsebert/default.nix +++ b/hosts/pulsebert/default.nix @@ -48,8 +48,6 @@ networking = { firewall = { allowedTCPPorts = [ - # nginx - 80 443 # pulseaudio/pipewire network sync 4713 # llmnr 
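Review bot: `firewall.enable = true;` is removed in the prometheus hunk although it is not an nginx-port setting. NixOS defaults `networking.firewall.enable` to true, so this is a no-op unless some other module in this tree (the c3d2 module or the MicroVM profile, neither visible here) lowers it with `mkDefault` — the explicit `enable = true;` reads as if it may have been there to win against exactly such a default. Evaluating `config.networking.firewall.enable` for this host before merging, or simply keeping `firewall.enable = true;` next to the new `firewall.allowedUDPPorts`, would settle it.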
@@ -64,9 +62,7 @@ }; hostName = "pulsebert"; useDHCP = false; - interfaces = { - eth0.useDHCP = true; - }; + interfaces.eth0.useDHCP = true; }; environment.systemPackages = with pkgs; [ diff --git a/hosts/scrape/default.nix b/hosts/scrape/default.nix index 3318ca57..a5c7f6d1 100644 --- a/hosts/scrape/default.nix +++ b/hosts/scrape/default.nix @@ -37,7 +37,6 @@ in { ''; }; }; - networking.firewall.allowedTCPPorts = [ 80 443 ]; systemd.services = let scraperPkgs = import scrapers { inherit pkgs; }; diff --git a/hosts/sdrweb/default.nix b/hosts/sdrweb/default.nix index 19586799..263123c5 100644 --- a/hosts/sdrweb/default.nix +++ b/hosts/sdrweb/default.nix @@ -16,9 +16,6 @@ networking.hostName = "sdrweb"; - # http https - networking.firewall.allowedTCPPorts = [ 80 443 ]; - services.nginx = { enable = true; virtualHosts."sdr.hq.c3d2.de" = { diff --git a/hosts/sshlog/default.nix b/hosts/sshlog/default.nix index c9376554..39854c5d 100644 --- a/hosts/sshlog/default.nix +++ b/hosts/sshlog/default.nix @@ -12,8 +12,7 @@ networking = { hostName = "sshlog"; firewall.allowedTCPPorts = [ - 22 - 80 443 + 22 # not using openssh module ]; }; diff --git a/hosts/stream/default.nix b/hosts/stream/default.nix index b2b985ae..b9a14589 100644 --- a/hosts/stream/default.nix +++ b/hosts/stream/default.nix @@ -6,7 +6,6 @@ in networking.hostName = "stream"; c3d2.hq.statistics.enable = true; deployment = { - persistedShares = [ "/etc" "/home" "/var" ]; storage = "big"; mem = 4096; networks = lib.mkForce [ "pub" "serv" ]; @@ -42,7 +41,6 @@ in networkConfig.IPv6AcceptRA = true; }; }; - networking.firewall.allowedTCPPorts = [ 80 443 ]; services.peerflix.enable = true; systemd.services.peerflix.serviceConfig = { diff --git a/hosts/ticker/default.nix b/hosts/ticker/default.nix index 68cc8e1e..b64ba704 100644 --- a/hosts/ticker/default.nix +++ b/hosts/ticker/default.nix 
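Review bot: Dropping `persistedShares = [ "/etc" "/home" "/var" ];` in the first stream hunk is unrelated to the nginx-firewall subject and changes what survives a rebuild of that MicroVM: if `deployment.persistedShares` does what its name suggests, the ACME keys and certificates NixOS keeps under /var/lib, other service state under /var and anything in /home would no longer be persisted, and certificates would be re-issued on every boot. The option's definition is not visible here, so this may well be intentional (a new default elsewhere, for instance), but it deserves either its own commit or a sentence in this one explaining why stream no longer needs those shares.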
@@ -8,10 +8,7 @@ hq.statistics.enable = true; }; - networking = { - hostName = "ticker"; - firewall.allowedTCPPorts = [ 22 80 443 ]; - }; + networking.hostName = "ticker"; services = { nginx = { diff --git a/hosts/zengel/default.nix b/hosts/zengel/default.nix index 1afc96de..0ebe719e 100644 --- a/hosts/zengel/default.nix +++ b/hosts/zengel/default.nix @@ -5,8 +5,6 @@ microvm.mem = 1024; c3d2.deployment.server = "server10"; - networking.firewall.allowedTCPPorts = [ 80 443 ]; - services.engelsystem = { enable = true; domain = "zengel.datenspuren.de"; diff --git a/modules/c3d2.nix b/modules/c3d2.nix index 5bce529e..15035372 100644 --- a/modules/c3d2.nix +++ b/modules/c3d2.nix @@ -345,13 +345,6 @@ in vim.defaultEditor = true; }; - services.nginx = lib.mkIf config.services.nginx.enable { - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - }; - time.timeZone = lib.mkDefault "Europe/Berlin"; # Reboot on hang