nixos-module/firewall: add for mgmt-gw, priv13-gw
parent
5aa53fbcb1
commit
1ee38b50b0
|
@ -58,6 +58,11 @@ in
|
||||||
|
|
||||||
config.site.hosts = lib.mkMerge (
|
config.site.hosts = lib.mkMerge (
|
||||||
[
|
[
|
||||||
|
{
|
||||||
|
mgmt-gw.firewall.enable = true;
|
||||||
|
priv13-gw.firewall.enable = true;
|
||||||
|
}
|
||||||
|
|
||||||
(builtins.foldl' (result: hostName: result // {
|
(builtins.foldl' (result: hostName: result // {
|
||||||
"${hostName}" = {
|
"${hostName}" = {
|
||||||
role = "server";
|
role = "server";
|
||||||
|
|
|
@ -173,6 +173,11 @@ let
|
||||||
config.site.net.core.hosts4 ? ${name};
|
config.site.net.core.hosts4 ? ${name};
|
||||||
description = "Should this host route?";
|
description = "Should this host route?";
|
||||||
};
|
};
|
||||||
|
firewall.enable = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description = "Enable firewall to disallow incoming connections from core";
|
||||||
|
};
|
||||||
forwardPorts = mkOption {
|
forwardPorts = mkOption {
|
||||||
type = with types; listOf (submodule { options = {
|
type = with types; listOf (submodule { options = {
|
||||||
proto = mkOption {
|
proto = mkOption {
|
||||||
|
|
|
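Review bot: The description on the new `firewall.enable` option overstates its scope: the rules this commit installs for it (in the new firewall module) only filter the FORWARD chain on the `core` interface, so connections to services on the host itself are governed by the NixOS firewall defaults, not by this option. Suggest `description = "Enable the NixOS firewall and reject new forwarded connections arriving on the core interface (established/related traffic is still accepted)";` so a reader does not assume INPUT is covered. The enclosing options attrset starts before this hunk.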
@ -1,10 +1,9 @@
|
||||||
{ ... }:
|
{ ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
|
# (IPv4-only) NAT the mgmt net
|
||||||
networking.nat = {
|
networking.nat = {
|
||||||
enable = true;
|
enable = true;
|
||||||
externalInterface = "core";
|
externalInterface = "core";
|
||||||
};
|
};
|
||||||
|
|
||||||
# TODO: firewall
|
|
||||||
}
|
}
|
||||||
|
|
|
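Review bot: Removing `# TODO: firewall` leaves this NAT module (presumably the mgmt-gw host config, given the new comment) silent about the fact that forward filtering is now a separate, opt-in switch; a host that imports this file with `site.hosts.<name>.firewall.enable` left at its default `false` (the option added in this commit) masquerades the mgmt net toward `core` with no filtering of forwarded traffic. Worth recording next to the new comment, e.g. `# Forward filtering from core is opt-in: site.hosts.<name>.firewall.enable (see firewall module)`, or, if every NAT host is expected to be firewalled, asserting that here instead of relying on the per-host list in site.hosts.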
@ -13,6 +13,7 @@ in {
|
||||||
../lib/config/options.nix
|
../lib/config/options.nix
|
||||||
./defaults.nix
|
./defaults.nix
|
||||||
./network.nix
|
./network.nix
|
||||||
|
./firewall.nix
|
||||||
./collectd
|
./collectd
|
||||||
] ++
|
] ++
|
||||||
optionals (hostConfig.role == "server") [
|
optionals (hostConfig.role == "server") [
|
||||||
|
|
|
@ -0,0 +1,14 @@
|
||||||
|
{ hostName, config, lib, ... }:
|
||||||
|
|
||||||
|
lib.mkIf config.site.hosts.${hostName}.firewall.enable {
|
||||||
|
networking.firewall = {
|
||||||
|
enable = true;
|
||||||
|
extraCommands = ''
|
||||||
|
ip46tables -A FORWARD -i core -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||||
|
ip46tables -A FORWARD -i core -j REJECT --reject-with net-unreach
|
||||||
|
'';
|
||||||
|
extraStopCommands = ''
|
||||||
|
ip46tables -F FORWARD
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|
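Review bot: `--reject-with net-unreach` on the `ip46tables ... -j REJECT` line is an IPv4-only reject type; ip6tables accepts only the ICMPv6 names (`no-route`, `adm-prohibited`, `addr-unreach`, `port-unreach`, `tcp-reset`), so the ip6tables half of that command fails, and depending on whether the NixOS firewall script aborts on error this either leaves IPv6 forwarding from core unfiltered or makes the whole firewall start fail. Dropping the option (`-j REJECT`, default port-unreachable in both families) or splitting the rule per family fixes it. Separately, `ip46tables -F FORWARD` in extraStopCommands flushes every rule in FORWARD, not only the two added here, and plain `-A` appends duplicates whenever extraCommands runs without the stop script having run first; a dedicated chain that is created and flushed idempotently, jumped to from FORWARD, and removed on stop avoids both problems. Sketch of the replacement body below.
```nix
  networking.firewall = {
    enable = true;
    extraCommands = ''
      # Own chain: stop/reload only ever touches our rules, never all of FORWARD
      ip46tables -N site-fw-core 2>/dev/null || true
      ip46tables -F site-fw-core
      ip46tables -A site-fw-core -m state --state ESTABLISHED,RELATED -j ACCEPT
      # No --reject-with: the IPv4 "net-unreach" type is not valid for ip6tables
      ip46tables -A site-fw-core -j REJECT
      # Per family, so a jump present in one table is not duplicated in the other
      for ipt in iptables ip6tables; do
        $ipt -w -C FORWARD -i core -j site-fw-core 2>/dev/null \
          || $ipt -w -I FORWARD -i core -j site-fw-core
      done
    '';
    extraStopCommands = ''
      ip46tables -D FORWARD -i core -j site-fw-core 2>/dev/null || true
      ip46tables -F site-fw-core 2>/dev/null || true
      ip46tables -X site-fw-core 2>/dev/null || true
    '';
  };
```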