From f7dc0c39864f2670924f74d5d5799d92e1618958 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Mon, 5 Jun 2023 19:56:03 +0200
Subject: [PATCH] Enable firewall everywhere
---
 hosts/dacbert/default.nix | 1 -
 hosts/freifunk/default.nix | 1 -
 hosts/gnunet/default.nix | 5 +----
 hosts/hydra/default.nix | 1 -
 hosts/jabber/default.nix | 37 ++++++++++++++++++-----------------
 hosts/nfsroot/default.nix | 6 +-----
 hosts/nfsroot/tftp.nix | 2 --
 hosts/nncp/default.nix | 5 +----
 hosts/radiobert/default.nix | 1 -
 hosts/rpi-netboot/default.nix | 1 -
 hosts/server10/default.nix | 4 ----
 hosts/spaceapi/default.nix | 8 +-------
 12 files changed, 23 insertions(+), 49 deletions(-)
diff --git a/hosts/dacbert/default.nix b/hosts/dacbert/default.nix
index 791ca374..d2070b48 100644
--- a/hosts/dacbert/default.nix
+++ b/hosts/dacbert/default.nix
@@ -107,7 +107,6 @@ in
 hostName = "dacbert"; # Define your hostname.
 useDHCP = false;
 interfaces.eth0.useDHCP = true;
- firewall.enable = false;
 };
 nix = {
diff --git a/hosts/freifunk/default.nix b/hosts/freifunk/default.nix
index c4011f7b..7eafc79f 100644
--- a/hosts/freifunk/default.nix
+++ b/hosts/freifunk/default.nix
@@ -84,7 +84,6 @@ in {
 networking.hostName = "freifunk";
 networking.useNetworkd = true;
 networking.nameservers = [ "172.20.73.8" "9.9.9.9" ];
- networking.firewall.enable = false;
 networking.nat = {
 enable = true;
 # This doesn't really work, hence the `extraCommands`
diff --git a/hosts/gnunet/default.nix b/hosts/gnunet/default.nix
index f3c224b6..c03779ff 100644
--- a/hosts/gnunet/default.nix
+++ b/hosts/gnunet/default.nix
@@ -8,10 +8,7 @@
 mem = 1024;
 };
- networking = {
- hostName = "gnunet";
- firewall.enable = false;
- };
+ networking.hostName = "gnunet";
 services.gnunet = {
 enable = true;
diff --git a/hosts/hydra/default.nix b/hosts/hydra/default.nix
index e7fb288a..c6ac6cc4 100644
--- a/hosts/hydra/default.nix
+++ b/hosts/hydra/default.nix
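Review bot: Removing `firewall.enable = false;` on dacbert puts the host on the NixOS default firewall, but nothing in this commit opens a port for the services these hosts run, and the same gap applies to the freifunk, gnunet, hydra, nfsroot, nncp, radiobert, rpi-netboot and spaceapi hunks. Failing closed is the right direction; the risk is that any listener not covered by a service-level `openFirewall` option (which the diff gives no evidence of) becomes unreachable on the next deploy, and on freifunk the `networking.nat` block right below the removed line presumably depends on forwarding rules that the default filter chain will now also gate. A short comment at each site would make the intent and the follow-up explicit, e.g. `# firewall is on by default now; open service ports via allowedTCPPorts/allowedUDPPorts or the service's openFirewall`. The enclosing `networking` attribute set starts outside the hunk on dacbert.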
@@ -145,7 +145,6 @@ in
 networking = {
 hostId = "3f0c4ec4";
 hostName = "hydra";
- firewall.enable = false;
 nameservers = [ "172.20.73.8" "9.9.9.9" ];
 # nat = {
 # enable = true;
diff --git a/hosts/jabber/default.nix b/hosts/jabber/default.nix
index d72fe6fc..8dea259e 100644
--- a/hosts/jabber/default.nix
+++ b/hosts/jabber/default.nix
@@ -15,24 +15,25 @@ in
 networking = {
 hostName = "jabber";
- firewall.allowedTCPPorts = [
- # Prosody
- 5222
- 5223
- 5269
- 80
- 5280
- 443
- 5281
- # Coturn
- 3478
- 3479
- ];
- firewall.allowedUDPPorts = [
- # Coturn
- 3478
- 3479
- ];
+ firewall = {
+ allowedTCPPorts = [
+ # Prosody
+ 5222
+ 5223
+ 5269
+ 80
+ 5280
+ 443
+ 5281
+ # Coturn
+ 3478
+ 3479
+ ];
+ allowedUDPPorts = [
+ # Coturn
+ 3478
+ 3479
+ ];
 # TODO: allowedSCTPPorts
 };
diff --git a/hosts/nfsroot/default.nix b/hosts/nfsroot/default.nix
index e6499c90..9888c7f7 100644
--- a/hosts/nfsroot/default.nix
+++ b/hosts/nfsroot/default.nix
@@ -32,11 +32,7 @@ in {
 "/${export}".options = [ "relatime" "discard" ];
 }) {} nfsExports;
- networking = {
- hostName = "nfsroot";
-
- firewall.enable = false;
- };
+ networking.hostName = "nfsroot";
 system.stateVersion = "22.05";
 }
diff --git a/hosts/nfsroot/tftp.nix b/hosts/nfsroot/tftp.nix
index 9feb9c93..af274b10 100644
--- a/hosts/nfsroot/tftp.nix
+++ b/hosts/nfsroot/tftp.nix
@@ -1,8 +1,6 @@
 { tftproots, pkgs, ... }:
 {
- networking.firewall.enable = false;
-
 # raspberrypi boot
 services.atftpd = {
 enable = true;
diff --git a/hosts/nncp/default.nix b/hosts/nncp/default.nix
index c6a594e3..74981220 100644
--- a/hosts/nncp/default.nix
+++ b/hosts/nncp/default.nix
@@ -20,10 +20,7 @@
 system.stateVersion = "22.05";
- networking = {
- hostName = "nncp";
- firewall.enable = false;
- };
+ networking.hostName = "nncp";
 programs.nncp = {
 enable = true;
diff --git a/hosts/radiobert/default.nix b/hosts/radiobert/default.nix
index ee14458d..8b0195de 100644
--- a/hosts/radiobert/default.nix
+++ b/hosts/radiobert/default.nix
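Review bot: The new `firewall = {` attribute set on jabber is never closed within the hunk: the only `};` in the trailing context is the one that closed `networking` on the old side, so after this change either `firewall` or `networking` is left unterminated and evaluation should fail. Unless a second `};` sits just beyond the hunk's context (the `networking` block's end is outside the hunk), add `};` after the `allowedUDPPorts` list and before `# TODO: allowedSCTPPorts`. The hunk header's line counts (24 old, 25 new) are consistent with one closing brace being missing rather than with a dropped context line.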
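Review bot: On nfsroot the `nfsExports` fold in the leading context suggests this host serves NFS, and with the firewall now enabled none of the NFS ports are opened, so clients will presumably lose their root filesystem on the next deploy. Beyond 111 and 2049, the mountd/statd/lockd daemons pick ephemeral ports unless pinned through `services.nfs.server.mountdPort`, `statdPort` and `lockdPort`, so the allow-list only works if those are fixed as well; I cannot see from the diff whether that is done elsewhere. The enclosing attribute set starts before the hunk.
```nix
# … unchanged: nfsExports fold …
networking.hostName = "nfsroot";
# pin the auxiliary NFS daemons so they can be allow-listed (port numbers are illustrative, pick free ones)
services.nfs.server = {
  statdPort = 4000;
  lockdPort = 4001;
  mountdPort = 4002;
};
networking.firewall.allowedTCPPorts = [ 111 2049 4000 4001 4002 ];
networking.firewall.allowedUDPPorts = [ 111 2049 4000 4001 4002 ];
# … unchanged: system.stateVersion …
```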
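Review bot: In tftp.nix the removed `networking.firewall.enable = false;` was the only thing letting `services.atftpd` (netboot for the Raspberry Pis, per the comment) receive traffic, and no UDP port is opened in its place. TFTP also negotiates a fresh port pair for each transfer, so opening 69/udp alone is not enough without the tftp connection-tracking helper; `networking.firewall.allowedUDPPorts = [ 69 ];` together with `networking.firewall.connectionTrackingModules = [ "tftp" ];` should cover it, assuming the helper is still available on the kernel in use.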
@@ -98,7 +98,6 @@
 prefixLength = zentralwerk.lib.config.site.net.serv.subnet4Len;
 }];
 defaultGateway = "172.20.73.1";
- firewall.enable = false;
 nameservers = [ "172.20.73.8" "9.9.9.9" ];
 };
diff --git a/hosts/rpi-netboot/default.nix b/hosts/rpi-netboot/default.nix
index 61be3abc..a99d748d 100644
--- a/hosts/rpi-netboot/default.nix
+++ b/hosts/rpi-netboot/default.nix
@@ -27,7 +27,6 @@
 hostName = "rpi-netboot";
 useDHCP = false;
 interfaces.eth0.useDHCP = true;
- firewall.enable = false;
 };
 fileSystems = {
diff --git a/hosts/server10/default.nix b/hosts/server10/default.nix
index 5b2305bb..05bd4763 100644
--- a/hosts/server10/default.nix
+++ b/hosts/server10/default.nix
@@ -28,10 +28,6 @@
 };
 networking = {
- firewall = {
- enable = true;
- allowedTCPPorts = [ 22 ];
- };
 hostName = "server10";
 # TODO: change that to something more random
 hostId = "10101010";
diff --git a/hosts/spaceapi/default.nix b/hosts/spaceapi/default.nix
index 59fbd505..3b4c2e7d 100644
--- a/hosts/spaceapi/default.nix
+++ b/hosts/spaceapi/default.nix
@@ -3,15 +3,9 @@ _: {
 c3d2.deployment.server = "server10";
- networking = {
- firewall.enable = false;
- hostName = "spaceapi";
- };
+ networking.hostName = "spaceapi";
 services.spaceapi.enable = true;
- # HACK for ‘ekg-json-0.1.0.6’ nixos-22.05
- # nixpkgs.config.allowBroken = true;
-
 system.stateVersion = "19.03";
 }
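Review bot: On server10 the removed `allowedTCPPorts = [ 22 ];` was the explicit guarantee that SSH stays reachable on the host the other machines deploy through (spaceapi's `c3d2.deployment.server = "server10"`), and the hunk replaces it with nothing. This is only safe if `services.openssh` is enabled with `openFirewall` left at its default on this host, which the diff does not show; if that assumption is wrong the deploy locks the box out. Either keep `networking.firewall.allowedTCPPorts = [ 22 ];` or add a comment next to `hostName` such as `# SSH port is opened by services.openssh.openFirewall` so the dependency is visible. The `networking` block continues past the hunk.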