Handle nginx open firewall by nixos-modules

2022-12-20 04:31:37 +01:00 · 2022-12-20 04:31:37 +01:00 · aafc472a59
parent a6cbac7c08
commit aafc472a59
27 changed files with 41 additions and 101 deletions
--- a/config/default.nix
+++ b/config/default.nix
@ -0,0 +1,14 @@
 { config, lib, ... }:
 # this file contains default configuration that may be turned on depending on other config settings.
 # options should go to modules.
 lib.mkIf config.services.nginx.enable {
  services.nginx = {
    openFirewall = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
  };
 }
--- a/flake.nix
+++ b/flake.nix
@ -231,14 +231,16 @@
          ({ ... }: {
            _module.args = extraArgs // {
              inherit hostRegistry inputs zentralwerk;
              lib = lib.recursiveUpdate nixpkgs.lib nixos-modules.lib;
            };
-            nixpkgs = {
+            nixpkgs.overlays = [ self.overlays ];
              overlays = [ self.overlays ];
            };
          })
          self.nixosModules.c3d2
          nixos-modules.nixosModule
          ./config
          ./modules/audio-server.nix
          ./modules/c3d2.nix
          ./modules/stats.nix
--- a/hosts/auth/default.nix
+++ b/hosts/auth/default.nix
@ -13,8 +13,6 @@
      "127.0.0.1" = [ "auth.c3d2.de" ];
    };
    firewall.allowedTCPPorts = [
      80  # http
      443 # https
      636 # ldaps
    ];
  };
@ -27,10 +25,8 @@
        forceSSL = true;
        enableACME = true;
        locations = {
          "/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
          "/dex".proxyPass ="http://localhost:${toString config.services.portunus.dex.port}";
          "/" = {
            proxyPass = "http://localhost:${toString config.services.portunus.port}";
          };
        };
      };
    };
--- a/hosts/blogs/default.nix
+++ b/hosts/blogs/default.nix
@ -4,12 +4,7 @@
  microvm.mem = 2048;
  c3d2.deployment.server = "server10";
-  networking = {
+  networking.hostName = "blogs";
    hostName = "blogs";
    firewall.allowedTCPPorts = [
      80 443
    ];
  };
  # See secrets/hosts/blogs for the .env file with all settings
  services.plume = {
--- a/hosts/broker/default.nix
+++ b/hosts/broker/default.nix
@ -19,8 +19,6 @@ in
  networking = {
    hostName = "broker";
    firewall.allowedTCPPorts = [
      # nginx
      80 443
      # mosquitto
      1883 8883
    ];
--- a/hosts/buzzrelay/default.nix
+++ b/hosts/buzzrelay/default.nix
@ -6,10 +6,7 @@
    needForSpeed = true;
  };
  system.stateVersion = "22.11";
-  networking = {
+  networking.hostName = "buzzrelay";
    hostName = "buzzrelay";
    firewall.allowedTCPPorts = [ 80 443 ];
  };
  sops.defaultSopsFile = ./secrets.yaml;
  sops.secrets = {
--- a/hosts/caveman/default.nix
+++ b/hosts/caveman/default.nix
@ -12,10 +12,7 @@
    mem = 16 * 1024;
  };
-  networking = {
+  networking.hostName = "caveman";
    hostName = "caveman";
    firewall.allowedTCPPorts = [ 23 80 443 ];
  };
  services.journald.extraConfig = ''
    Storage=volatile
--- a/hosts/direkthilfe/default.nix
+++ b/hosts/direkthilfe/default.nix
@ -6,10 +6,7 @@
  environment.systemPackages = with pkgs; [ vim git ];
-  networking = {
+  networking.hostName = "direkthilfe";
    firewall.allowedTCPPorts = [ 22 80 443 ];
    hostName = "direkthilfe";
  };
  services = {
    openssh = {
--- a/hosts/ftp/default.nix
+++ b/hosts/ftp/default.nix
@ -14,10 +14,7 @@
    }];
  };
-  networking = {
+  networking.hostName = "ftp";
    hostName = "ftp";
    firewall.allowedTCPPorts = [ 80 443 ];
  };
  users.groups."ftpupload" = { };
--- a/hosts/gitea/default.nix
+++ b/hosts/gitea/default.nix
@ -11,7 +11,7 @@
      ${hosts6.up4.auth} = [ "auth.c3d2.de" ];
      ${hosts4.auth} = [ "auth.c3d2.de" ];
    };
-    firewall.allowedTCPPorts = [ 80 443 2222 ];
+    firewall.allowedTCPPorts = [ 2222 ];
  };
  services = {
--- a/hosts/grafana/default.nix
+++ b/hosts/grafana/default.nix
@ -11,8 +11,8 @@
  networking = {
    firewall = {
-      # http https influxdb
+      # influxdb
-      allowedTCPPorts = [ 80 443 8086 ];
+      allowedTCPPorts = [ 8086 ];
      # collectd
      allowedUDPPorts = [ 25826 ];
    };
--- a/hosts/hedgedoc/default.nix
+++ b/hosts/hedgedoc/default.nix
@ -17,7 +17,6 @@
      ${hosts6.up4.auth} = [ "auth.c3d2.de" ];
      ${hosts4.auth} = [ "auth.c3d2.de" ];
    };
    firewall.allowedTCPPorts = [ 80 443 ];
  };
  services = {
--- a/hosts/mailtngbert/default.nix
+++ b/hosts/mailtngbert/default.nix
@ -32,8 +32,6 @@ in
      143
      # managesieve
      4190
      # nginx for cert and rspamd
      80 443
    ];
  };
--- a/hosts/matemat/default.nix
+++ b/hosts/matemat/default.nix
@ -5,10 +5,7 @@
  microvm.mem = 2 * 1024;
-  networking = {
+  networking.hostName = "matemat";
    hostName = "matemat";
    firewall.allowedTCPPorts = [ 80 443 ];
  };
  services = {
    nginx = {
--- a/hosts/mediawiki/default.nix
+++ b/hosts/mediawiki/default.nix
@ -1,10 +1,7 @@
 { config, lib, pkgs, ... }:
 {
-  networking = {
+  networking.hostName = "mediawiki";
    firewall.allowedTCPPorts = [ 80 443 ];
    hostName = "mediawiki";
  };
  c3d2.deployment.server = "server10";
--- a/hosts/mobilizon/default.nix
+++ b/hosts/mobilizon/default.nix
@ -7,10 +7,7 @@
  microvm.mem = 2048;
-  networking = {
+  networking.hostName = "mobilizon";
    hostName = "mobilizon";
    firewall.allowedTCPPorts = [ 80 443 ];
  };
  services.postgresql.package = pkgs.postgresql_13;
--- a/hosts/network-homepage/default.nix
+++ b/hosts/network-homepage/default.nix
@ -6,10 +6,7 @@
    deployment.server = "server10";
  };
-  networking = {
+  networking.hostName = "network-homepage";
    hostName = "network-homepage";
    firewall.allowedTCPPorts = [ 22 80 443 ];
  };
  services = {
    nginx = rec {
--- a/hosts/owncast/default.nix
+++ b/hosts/owncast/default.nix
@ -16,10 +16,7 @@
  };
  c3d2.hq.statistics.enable = true;
-  networking = {
+  networking.hostName = "owncast";
    hostName = "owncast";
    firewall.allowedTCPPorts = [ 80 443 ];
  };
  services.owncast = {
    enable = true;
@ -28,9 +25,6 @@
  services.nginx = {
    enable = true;
    recommendedOptimisation = true;
    recommendedTlsSettings = true;
    recommendedGzipSettings = true;
    additionalModules = [ pkgs.nginxModules.fancyindex ];
    virtualHosts."owncast.c3d2.de" = {
      default = true;
--- a/hosts/prometheus/default.nix
+++ b/hosts/prometheus/default.nix
@ -1,23 +1,14 @@
 { zentralwerk, config, lib, ... }:
 {
-  deployment = {
+  deployment.mem = 1024;
    mem = 1024;
  };
  networking = {
    hostName = "prometheus";
-    firewall = {
+    firewall.allowedUDPPorts = [
-      allowedTCPPorts = [
+      # services.prometheus.exporters.collectd.collectdBinary
-        # nginx
+      25826
-        80 443
+    ];
      ];
      allowedUDPPorts = [
        # services.prometheus.exporters.collectd.collectdBinary
        25826
      ];
      enable = true;
    };
  };
  services.prometheus = {
--- a/hosts/pulsebert/default.nix
+++ b/hosts/pulsebert/default.nix
@ -48,8 +48,6 @@
  networking = {
    firewall = {
      allowedTCPPorts = [
        # nginx
        80 443
        # pulseaudio/pipewire network sync
        4713
        # llmnr
@ -64,9 +62,7 @@
    };
    hostName = "pulsebert";
    useDHCP = false;
-    interfaces = {
+    interfaces.eth0.useDHCP = true;
      eth0.useDHCP = true;
    };
  };
  environment.systemPackages = with pkgs; [
--- a/hosts/scrape/default.nix
+++ b/hosts/scrape/default.nix
@ -37,7 +37,6 @@ in {
      '';
    };
  };
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  systemd.services = let
    scraperPkgs = import scrapers { inherit pkgs; };
--- a/hosts/sdrweb/default.nix
+++ b/hosts/sdrweb/default.nix
@ -16,9 +16,6 @@
  networking.hostName = "sdrweb";
  # http https
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  services.nginx = {
    enable = true;
    virtualHosts."sdr.hq.c3d2.de" = {
--- a/hosts/sshlog/default.nix
+++ b/hosts/sshlog/default.nix
@ -12,8 +12,7 @@
  networking = {
    hostName = "sshlog";
    firewall.allowedTCPPorts = [
-      22
+      22 # not using openssh module
      80 443
    ];
  };
--- a/hosts/stream/default.nix
+++ b/hosts/stream/default.nix
@ -6,7 +6,6 @@ in
  networking.hostName = "stream";
  c3d2.hq.statistics.enable = true;
  deployment = {
    persistedShares = [ "/etc" "/home" "/var" ];
    storage = "big";
    mem = 4096;
    networks = lib.mkForce [ "pub" "serv" ];
@ -42,7 +41,6 @@ in
      networkConfig.IPv6AcceptRA = true;
    };
  };
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  services.peerflix.enable = true;
  systemd.services.peerflix.serviceConfig = {
--- a/hosts/ticker/default.nix
+++ b/hosts/ticker/default.nix
@ -8,10 +8,7 @@
    hq.statistics.enable = true;
  };
-  networking = {
+  networking.hostName = "ticker";
    hostName = "ticker";
    firewall.allowedTCPPorts = [ 22 80 443 ];
  };
  services = {
    nginx = {
--- a/hosts/zengel/default.nix
+++ b/hosts/zengel/default.nix
@ -5,8 +5,6 @@
  microvm.mem = 1024;
  c3d2.deployment.server = "server10";
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  services.engelsystem = {
    enable = true;
    domain = "zengel.datenspuren.de";
--- a/modules/c3d2.nix
+++ b/modules/c3d2.nix
@ -345,13 +345,6 @@ in
        vim.defaultEditor = true;
      };
      services.nginx = lib.mkIf config.services.nginx.enable {
        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;
        recommendedTlsSettings = true;
      };
      time.timeZone = lib.mkDefault "Europe/Berlin";
      # Reboot on hang