commit 4ef813c94ac4aec6433e5a352aa065454ee02948 · ptr.pet/nixos-cloud-resources

+12

firewall/provider/hetzner/app.nix

···

       1
       +
       {pkgs, lib ? pkgs.lib, taggedPorts, id}: let

     

       2
       +
         l = lib // (import ./rules.nix {inherit lib;});

     

       3
       +
       

     

       4
       +
         firewallRules =

     

       5
       +
           builtins.toFile

     

       6
       +
           "hetzner-firewall-${toString id}-rules.json"

     

       7
       +
           (builtins.toJSON (l.mkFirewallRuleset taggedPorts));

     

       8
       +
       in pkgs.writers.writeNu "apply-hetzner" ''

     

       9
       +
         let firewallId = ${toString id}

     

       10
       +
         let rulesFile = "${firewallRules}"

     

       11
       +
         ${l.fileContents ./app.nu}

     

       12
       +
       ''

+9 -35

firewall/provider/hetzner/default.nix

···

       1
       -
       {pkgs, lib, config, options, ...}: let

     

       2
        
         l = lib;

     

       3
        
         t = l.types;

     

       4
        
         taggedPorts = config.networking.firewall.public;

     
···

       10
        
               type = t.ints.unsigned;

     

       11
        
               description = "The ID of the firewall to update.";

     

       12
        
             };

     

       13
       -
             app = l.mkOption {

     

       14
       -
               type = t.package;

     

       15
        
               readOnly = true;

     

       16
        
               description = ''

     

       17
       -
                 The generated app for this provider, run it to apply the configuration.

     

       18
        
       

     

       19
       -
                 For this to work, you need to set the `HETZNER_API_TOKEN` environment variable to a valid API token from Hetzner.

     

       20
        
               '';

     

       21
        
             };

     

       22
        
           };

     

       23
        
         };

     

       24
        
       

     

       25
       -
         config = let

     

       26
       -
           mkRule = proto: tag: port: {

     

       27
       -
             description = tag;

     

       28
       -
             direction = "in";

     

       29
       -
             protocol = proto;

     

       30
       -
             port =

     

       31
       -
               if l.isAttrs port

     

       32
       -
               then l.concatMapStringsSep "-" toString [port.from port.to]

     

       33
       -
               else toString port;

     

       34
       -
             source_ips = ["0.0.0.0/0" "::/0"];

     

       35
       -
           };

     

       36
       -
           mkTcpRule = mkRule "tcp";

     

       37
       -
           mkUdpRule = mkRule "udp";

     

       38
       -
           firewallRules = pkgs.writers.writeJSON "hetzner-firewall-${toString cfg.id}-rules.json" {

     

       39
       -
             rules = l.flatten (

     

       40
       -
               l.mapAttrsToList

     

       41
       -
               (tag: ports: [

     

       42
       -
                 (l.map (mkTcpRule tag) ports.allowedTCPPorts)

     

       43
       -
                 (l.map (mkTcpRule tag) ports.allowedTCPPortRanges)

     

       44
       -
                 (l.map (mkUdpRule tag) ports.allowedUDPPorts)

     

       45
       -
                 (l.map (mkUdpRule tag) ports.allowedUDPPortRanges)

     

       46
       -
               ])

     

       47
       -
               taggedPorts

     

       48
       -
             );

     

       49
        
           };

     

       50
       -
         in {

     

       51
       -
           providers.hetzner.firewall.app = pkgs.writers.writeNu "apply-hetzner" ''

     

       52
       -
             let firewallId = ${toString cfg.id}

     

       53
       -
             let rulesFile = "${firewallRules}"

     

       54
       -
             ${l.fileContents ./app.nu}

     

       55
       -
           '';

     

       56
        
         };

     

       57
        
       }

···

       1
       +
       {lib, config, ...}: let

     

       2
        
         l = lib;

     

       3
        
         t = l.types;

     

       4
        
         taggedPorts = config.networking.firewall.public;

     
···

       10
        
               type = t.ints.unsigned;

     

       11
        
               description = "The ID of the firewall to update.";

     

       12
        
             };

     

       13
       +
             mkApp = l.mkOption {

     

       14
       +
               type = t.functionTo t.package;

     

       15
        
               readOnly = true;

     

       16
        
               description = ''

     

       17
       +
                 Function that generates a script for this provider, pass it an instance of nixpkgs and run to apply the configuration.

     

       18
        
       

     

       19
       +
                 For this app to work, you need to set the `HETZNER_API_TOKEN` environment variable to a valid API token from Hetzner.

     

       20
        
               '';

     

       21
        
             };

     

       22
        
           };

     

       23
        
         };

     

       24
        
       

     

       25
       +
         config = {

     

       26
       +
           providers.hetzner.firewall.mkApp = pkgs: import ./app.nix {

     

       27
       +
             inherit pkgs lib taggedPorts;

     

       28
       +
             inherit (cfg) id;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       29
        
           };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       30
        
         };

     

       31
        
       }

+29

firewall/provider/hetzner/rules.nix

···

       1
       +
       {lib}: let

     

       2
       +
         l = lib;

     

       3
       +
         mkRule = proto: tag: port: {

     

       4
       +
           description = tag;

     

       5
       +
           direction = "in";

     

       6
       +
           protocol = proto;

     

       7
       +
           port =

     

       8
       +
             if l.isAttrs port

     

       9
       +
             then l.concatMapStringsSep "-" toString [port.from port.to]

     

       10
       +
             else toString port;

     

       11
       +
           source_ips = ["0.0.0.0/0" "::/0"];

     

       12
       +
         };

     

       13
       +
       in rec {

     

       14
       +
         mkTcpRule = mkRule "tcp";

     

       15
       +
         mkUdpRule = mkRule "udp";

     

       16
       +
         # taggedPorts: attrset of {allowedTCPPorts, allowedTCPPortRanges, ...}

     

       17
       +
         mkFirewallRuleset = taggedPorts: {

     

       18
       +
           rules = l.flatten (

     

       19
       +
             l.mapAttrsToList

     

       20
       +
             (tag: ports: [

     

       21
       +
               (l.map (mkTcpRule tag) (ports.allowedTCPPorts or []))

     

       22
       +
               (l.map (mkTcpRule tag) (ports.allowedTCPPortRanges or []))

     

       23
       +
               (l.map (mkUdpRule tag) (ports.allowedUDPPorts or []))

     

       24
       +
               (l.map (mkUdpRule tag) (ports.allowedUDPPortRanges or []))

     

       25
       +
             ])

     

       26
       +
             taggedPorts

     

       27
       +
           );

     

       28
       +
         };

     

       29
       +
       }

+27 -3

flake.nix

···

       3
        
       

     

       4
        
         inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";

     

       5
        
       

     

       6
       -
         outputs = inp: {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       7
        
           nixosModules = {

     

       8
       -
             firewall = ./firewall/default.nix;

     

       9
       -
             firewall-hetzner = ./firewall/provider/hetzner/default.nix;

     

       10
        
           };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       11
        
         };

     

       12
        
       }

···

       3
        
       

     

       4
        
         inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";

     

       5
        
       

     

       6
       +
         outputs = inp: let

     

       7
       +
           l = inp.nixpkgs.lib;

     

       8
       +
           pkgsInstances =

     

       9
       +
             l.genAttrs

     

       10
       +
             ["x86_64-linux"]

     

       11
       +
             (s: inp.nixpkgs.legacyPackages.${s});

     

       12
       +
         in {

     

       13
        
           nixosModules = {

     

       14
       +
             firewall = ./firewall;

     

       15
       +
             firewall-hetzner = ./firewall/provider/hetzner;

     

       16
        
           };

     

       17
       +
           checks =

     

       18
       +
             l.mapAttrs

     

       19
       +
             (_: pkgs: {

     

       20
       +
               firewall-hetzner-app = import ./firewall/provider/hetzner/app.nix {

     

       21
       +
                 inherit pkgs;

     

       22
       +
                 taggedPorts = {

     

       23
       +
                   http.allowedTCPPorts = [80 443];

     

       24
       +
                   ssh.allowedTCPPorts = [22];

     

       25
       +
                   "bla bla" = {

     

       26
       +
                     allowedUDPPortRanges = [{from = 1332; to = 8891;}];

     

       27
       +
                     allowedTCPPorts = [101];

     

       28
       +
                     allowedUDPPorts = [102];

     

       29
       +
                   };

     

       30
       +
                 };

     

       31
       +
                 id = 1;

     

       32
       +
               };

     

       33
       +
             })

     

       34
       +
             pkgsInstances;

     

       35
        
         };

     

       36
        
       }