comparing 5d1eaf8a94ccba4e4c807dde6eb199928e86c8f3 and main on ptr.pet/nixos-cloud-resources

+2

.gitignore

+14

README.md

···

       1
       1
       +
       these are set of nixos modules for more convenient deployment of cloud resources for various providers. only implemented module is for firewalls right now, supporting hetzner.

     

       2
       2
       +
       

     

       3
       3
       +
       ## usage

     

       4
       4
       +
       

     

       5
       5
       +
       if using flakes, put `nixosModules.<resource>` and `nixosModules.<resource>-<provider>`

     

       6
       6
       +
       in your NixOS configuration. for example, `nixosModules.firewall` and

     

       7
       7
       +
       `nixosModules.firewall-hetzner`. see `nix flake show` for all available modules.

     

       8
       8
       +
       

     

       9
       9
       +
       if not using flakes, you can import `<resource>/` and `<resource>/<provider>`.

     

       10
       10
       +
       

     

       11
       11
       +
       then, you can either use each module's individual `mkApp` config option to

     

       12
       12
       +
       generate an app and run it, or you can call `makeApps`:

     

       13
       13
       +
       - for flakes use the flake output `makeApps` and `makeApps {inherit pkgs self;}`. you can assign the output of this to your `outputs.apps` as it generates flake apps.

     

       14
       14
       +
       - for non-flake use `import ./makeApps.nix {inherit pkgs nixosSystem;}`, this will return an attribute set with a `run` key which is the generated app.

+9

firewall/hetzner/app.nix

···

       1
       1
       +
       {pkgs, lib ? pkgs.lib, taggedPorts, id}: let

     

       2
       2
       +
         l = lib // (import ./rules.nix {inherit lib;});

     

       3
       3
       +
         firewallRules =

     

       4
       4
       +
           builtins.toFile

     

       5
       5
       +
           "hetzner-firewall-${toString id}-rules.json"

     

       6
       6
       +
           (builtins.toJSON (l.mkFirewallRuleset taggedPorts));

     

       7
       7
       +
       in pkgs.writers.writeNu "apply-hetzner-firewall-${toString id}" ''

     

       8
       8
       +
         nu ${./app.nu} ${toString id} ${firewallRules}

     

       9
       9
       +
       ''

+40

firewall/hetzner/app.nu

···

       1
       1
       +
       use std/log

     

       2
       2
       +
       

     

       3
       3
       +
       def main [firewallId: number, rulesFile: path, --auth-token (-t): string] {

     

       4
       4
       +
           let auth_token: string = if $auth_token == null { $env.HETZNER_API_TOKEN? } else { $auth_token }

     

       5
       5
       +
           let authHeader: list<string> = ["authorization" $"Bearer ($auth_token)"]

     

       6
       6
       +
       

     

       7
       7
       +
           def makeApiUrl [path: string] {

     

       8
       8
       +
               return $"https://api.hetzner.cloud/v1($path)"

     

       9
       9
       +
           }

     

       10
       10
       +
           def post [path: string] {

     

       11
       11
       +
               $in | http post -e --full -H $authHeader --content-type application/json (makeApiUrl $path)

     

       12
       12
       +
           }

     

       13
       13
       +
           def get [path: string] {

     

       14
       14
       +
               http get -e --full -H $authHeader (makeApiUrl $path)

     

       15
       15
       +
           }

     

       16
       16
       +
       

     

       17
       17
       +
           # first fetch firewall to see if it even exists

     

       18
       18
       +
           let resp = get $"/firewalls/($firewallId)"

     

       19
       19
       +
           if $resp.status == 404 {

     

       20
       20
       +
               log error $"provided firewall \(id ($firewallId)\) does not exist"

     

       21
       21
       +
               exit 1

     

       22
       22
       +
           } else if $resp.status != 200 {

     

       23
       23
       +
               log error $"could not get firewall \(id ($firewallId)\):\n($resp.body.error | to text -n)"

     

       24
       24
       +
               exit 1

     

       25
       25
       +
           }

     

       26
       26
       +
           let firewall = $resp.body | get firewall

     

       27
       27
       +
       

     

       28
       28
       +
           # backup firewall

     

       29
       29
       +
           let backupPath = $".hetzner/($firewallId).json"

     

       30
       30
       +
           mkdir .hetzner; $firewall | to json | save -f $backupPath

     

       31
       31
       +
           log info $"backing up firewall ($firewallId) to ($backupPath)"

     

       32
       32
       +
       

     

       33
       33
       +
           # apply rules

     

       34
       34
       +
           let resp = open $rulesFile | post $"/firewalls/($firewallId)/actions/set_rules"

     

       35
       35
       +
           if $resp.status != 201 {

     

       36
       36
       +
               log error $"could not apply firewall \(id ($firewallId)\):\n($resp.body.error | to text -n)"

     

       37
       37
       +
               exit 2

     

       38
       38
       +
           }

     

       39
       39
       +
           log info $"applied firewall ($firewallId)"

     

       40
       40
       +
       }

+32

firewall/hetzner/default.nix

···

       1
       1
       +
       {lib, config, ...}: let

     

       2
       2
       +
         l = lib;

     

       3
       3
       +
         t = l.types;

     

       4
       4
       +
         taggedPorts = config.networking.firewall.public;

     

       5
       5
       +
         cfg = config.providers.hetzner.firewall;

     

       6
       6
       +
       in {

     

       7
       7
       +
         options = {

     

       8
       8
       +
           providers.hetzner.firewall = {

     

       9
       9
       +
             enable = l.mkEnableOption "hetzner firewall";

     

       10
       10
       +
             id = l.mkOption {

     

       11
       11
       +
               type = t.ints.unsigned;

     

       12
       12
       +
               description = "The ID of the firewall to update.";

     

       13
       13
       +
             };

     

       14
       14
       +
             mkApp = l.mkOption {

     

       15
       15
       +
               type = t.functionTo t.package;

     

       16
       16
       +
               readOnly = true;

     

       17
       17
       +
               description = ''

     

       18
       18
       +
                 Function that generates a script for this provider, pass it an instance of nixpkgs and run to apply the configuration.

     

       19
       19
       +
       

     

       20
       20
       +
                 For this app to work, you need to set the `HETZNER_API_TOKEN` environment variable to a valid API token from Hetzner.

     

       21
       21
       +
               '';

     

       22
       22
       +
             };

     

       23
       23
       +
           };

     

       24
       24
       +
         };

     

       25
       25
       +
       

     

       26
       26
       +
         config = l.mkIf cfg.enable {

     

       27
       27
       +
           providers.hetzner.firewall.mkApp = pkgs: import ./app.nix {

     

       28
       28
       +
             inherit pkgs lib taggedPorts;

     

       29
       29
       +
             inherit (cfg) id;

     

       30
       30
       +
           };

     

       31
       31
       +
         };

     

       32
       32
       +
       }

+29

firewall/hetzner/rules.nix

···

       1
       1
       +
       {lib}: let

     

       2
       2
       +
         l = lib;

     

       3
       3
       +
         mkRule = proto: tag: port: {

     

       4
       4
       +
           description = tag;

     

       5
       5
       +
           direction = "in";

     

       6
       6
       +
           protocol = proto;

     

       7
       7
       +
           port =

     

       8
       8
       +
             if l.isAttrs port

     

       9
       9
       +
             then l.concatMapStringsSep "-" toString [port.from port.to]

     

       10
       10
       +
             else toString port;

     

       11
       11
       +
           source_ips = ["0.0.0.0/0" "::/0"];

     

       12
       12
       +
         };

     

       13
       13
       +
       in rec {

     

       14
       14
       +
         mkTcpRule = mkRule "tcp";

     

       15
       15
       +
         mkUdpRule = mkRule "udp";

     

       16
       16
       +
         # taggedPorts: attrset of {allowedTCPPorts, allowedTCPPortRanges, ...}

     

       17
       17
       +
         mkFirewallRuleset = taggedPorts: {

     

       18
       18
       +
           rules = l.flatten (

     

       19
       19
       +
             l.mapAttrsToList

     

       20
       20
       +
             (tag: ports: [

     

       21
       21
       +
               (l.map (mkTcpRule tag) (ports.allowedTCPPorts or []))

     

       22
       22
       +
               (l.map (mkTcpRule tag) (ports.allowedTCPPortRanges or []))

     

       23
       23
       +
               (l.map (mkUdpRule tag) (ports.allowedUDPPorts or []))

     

       24
       24
       +
               (l.map (mkUdpRule tag) (ports.allowedUDPPortRanges or []))

     

       25
       25
       +
             ])

     

       26
       26
       +
             taggedPorts

     

       27
       27
       +
           );

     

       28
       28
       +
         };

     

       29
       29
       +
       }

-37

firewall/provider/hetzner/app.nu

···

       1
       1
       -
       use std/log

     

       2
       2
       -
       

     

       3
       3
       -
       let authHeader = ["authorization" $"Bearer ($env.HETZNER_API_TOKEN)"]

     

       4
       4
       -
       

     

       5
       5
       -
       def makeApiUrl [path: string] {

     

       6
       6
       -
         return $"https://api.hetzner.cloud/v1($path)"

     

       7
       7
       -
       }

     

       8
       8
       -
       def post [path: string] {

     

       9
       9
       -
         let resp = $in | http post -e --full -H authHeader --content-type application/json (makeApiUrl path)

     

       10
       10
       -
         $resp.body = $resp.body | from json

     

       11
       11
       -
         $resp

     

       12
       12
       -
       }

     

       13
       13
       -
       def get [path: string] {

     

       14
       14
       -
         let resp = http get -e --full -H authHeader (makeApiUrl path)

     

       15
       15
       -
         $resp.body = $resp.body | from json

     

       16
       16
       -
         $resp

     

       17
       17
       -
       }

     

       18
       18
       -
       

     

       19
       19
       -
       # first fetch firewall to see if it even exists

     

       20
       20
       -
       let resp = get $"/firewalls/($firewallId)"

     

       21
       21
       -
       if $resp.status == 404 {

     

       22
       22
       -
         log error $"provided firewall \(id ($firewallId)\) does not exist"

     

       23
       23
       -
         exit 1

     

       24
       24
       -
       }

     

       25
       25
       -
       let firewall = $resp.body | get firewall

     

       26
       26
       -
       

     

       27
       27
       -
       # backup firewall

     

       28
       28
       -
       let backupPath = $".hetzner/($firewallId).json"

     

       29
       29
       -
       mkdir .hetzner; $firewall | to json | save $backupPath

     

       30
       30
       -
       log info $"backing up firewall ($firewallId) to ($backupPath)"

     

       31
       31
       -
       

     

       32
       32
       -
       # apply rules

     

       33
       33
       -
       let resp = open $rulesFile | from json | post $"/firewalls/($firewallId)/actions/set_rules"

     

       34
       34
       -
       if $resp.status != 201 {

     

       35
       35
       -
         log error $"could not apply firewall \(id ($firewallId)\)"

     

       36
       36
       -
       }

     

       37
       37
       -
       log info $"applied firewall ($firewallId)"

-56

firewall/provider/hetzner/default.nix

···

       1
       1
       -
       {pkgs, lib, config, options, ...}: let

     

       2
       2
       -
         l = lib;

     

       3
       3
       -
         t = l.types;

     

       4
       4
       -
         taggedPorts = config.networking.firewall.public;

     

       5
       5
       -
         cfg = config.providers.hetzner;

     

       6
       6
       -
       in {

     

       7
       7
       -
         options = {

     

       8
       8
       -
           providers.hetzner.firewall = {

     

       9
       9
       -
             id = l.mkOption {

     

       10
       10
       -
               type = t.ints.unsigned;

     

       11
       11
       -
               description = "The ID of the firewall to update.";

     

       12
       12
       -
             };

     

       13
       13
       -
             app = l.mkOption {

     

       14
       14
       -
               type = t.package;

     

       15
       15
       -
               readOnly = true;

     

       16
       16
       -
               description = ''

     

       17
       17
       -
                 The generated app for this provider, run it to apply the configuration.

     

       18
       18
       -
       

     

       19
       19
       -
                 For this to work, you need to set the `HETZNER_API_TOKEN` environment variable to a valid API token from Hetzner.

     

       20
       20
       -
               '';

     

       21
       21
       -
             };

     

       22
       22
       -
           };

     

       23
       23
       -
         };

     

       24
       24
       -
       

     

       25
       25
       -
         config = let

     

       26
       26
       -
           mkRule = proto: tag: port: {

     

       27
       27
       -
             description = tag;

     

       28
       28
       -
             direction = "in";

     

       29
       29
       -
             protocol = proto;

     

       30
       30
       -
             port =

     

       31
       31
       -
               if l.isAttrs port

     

       32
       32
       -
               then l.concatMapStringsSep "-" toString [port.from port.to]

     

       33
       33
       -
               else toString port;

     

       34
       34
       -
           };

     

       35
       35
       -
           mkTcpRule = mkRule "tcp";

     

       36
       36
       -
           mkUdpRule = mkRule "udp";

     

       37
       37
       -
           firewallRules = pkgs.writers.writeJSON "hetzner-firewall-${toString cfg.id}-rules.json" {

     

       38
       38
       -
             rules = l.flatten (

     

       39
       39
       -
               l.mapAttrsToList

     

       40
       40
       -
               (tag: ports: [

     

       41
       41
       -
                 (l.map (mkTcpRule tag) ports.allowedTCPPorts)

     

       42
       42
       -
                 (l.map (mkTcpRule tag) ports.allowedTCPPortRanges)

     

       43
       43
       -
                 (l.map (mkUdpRule tag) ports.allowedUDPPorts)

     

       44
       44
       -
                 (l.map (mkUdpRule tag) ports.allowedUDPPortRanges)

     

       45
       45
       -
               ])

     

       46
       46
       -
               taggedPorts

     

       47
       47
       -
             );

     

       48
       48
       -
           };

     

       49
       49
       -
         in {

     

       50
       50
       -
           providers.hetzner.firewall.app = pkgs.writers.writeNu "apply-hetzner" ''

     

       51
       51
       -
             let firewallId = ${toString cfg.id}

     

       52
       52
       -
             let rulesFile = ${firewallRules}

     

       53
       53
       -
             ${l.fileContents ./app.nu}

     

       54
       54
       -
           '';

     

       55
       55
       -
         };

     

       56
       56
       -
       }

+37 -3

flake.nix

···

       3
       3
        
       

     

       4
       4
        
         inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";

     

       5
       5
        
       

     

       6
       6
       -
         outputs = inp: {

     

       6
       6
       +
         outputs = inp: let

     

       7
       7
       +
           l = inp.nixpkgs.lib;

     

       8
       8
       +
           pkgsInstances =

     

       9
       9
       +
             l.genAttrs

     

       10
       10
       +
             ["x86_64-linux"]

     

       11
       11
       +
             (s: inp.nixpkgs.legacyPackages.${s});

     

       12
       12
       +
         in {

     

       7
       13
        
           nixosModules = {

     

       8
       8
       -
             firewall = ./firewall/default.nix;

     

       9
       9
       -
             firewall-hetzner = ./firewall/provider/hetzner/default.nix;

     

       14
       14
       +
             firewall = ./firewall;

     

       15
       15
       +
             firewall-hetzner = ./firewall/hetzner;

     

       10
       16
        
           };

     

       17
       17
       +
           checks =

     

       18
       18
       +
             l.mapAttrs

     

       19
       19
       +
             (_: pkgs: let

     

       20
       20
       +
               testSystem = l.nixosSystem {

     

       21
       21
       +
                 system = pkgs.system;

     

       22
       22
       +
                 modules = l.attrValues inp.self.nixosModules;

     

       23
       23
       +
               };

     

       24
       24
       +
             in {

     

       25
       25
       +
               firewall-hetzner-app = import ./firewall/hetzner/app.nix {

     

       26
       26
       +
                 inherit pkgs;

     

       27
       27
       +
                 taggedPorts = {

     

       28
       28
       +
                   http.allowedTCPPorts = [80 443];

     

       29
       29
       +
                   ssh.allowedTCPPorts = [22];

     

       30
       30
       +
                   "bla bla" = {

     

       31
       31
       +
                     allowedUDPPortRanges = [{from = 1332; to = 8891;}];

     

       32
       32
       +
                     allowedTCPPorts = [101];

     

       33
       33
       +
                     allowedUDPPorts = [102];

     

       34
       34
       +
                   };

     

       35
       35
       +
                 };

     

       36
       36
       +
                 id = 1;

     

       37
       37
       +
               };

     

       38
       38
       +
               test-system-app =

     

       39
       39
       +
                 (inp.self.makeApps {

     

       40
       40
       +
                   inherit pkgs; nixosSystem = testSystem;

     

       41
       41
       +
                 }).run;

     

       42
       42
       +
             })

     

       43
       43
       +
             pkgsInstances;

     

       44
       44
       +
           makeApps = import ./makeApps.nix;

     

       11
       45
        
         };

     

       12
       46
        
       }

+57

makeApps.nix

···

       1
       1
       +
       {pkgs, lib ? pkgs.lib, self ? null, nixosSystem ? null}: let

     

       2
       2
       +
         l = lib;

     

       3
       3
       +
         mkProviderApp = provider:

     

       4
       4
       +
           l.concatStringsSep "\n" (l.flatten (

     

       5
       5
       +
             l.mapAttrsToList

     

       6
       6
       +
             (

     

       7
       7
       +
               name: module:

     

       8
       8
       +
               if module.enable

     

       9
       9
       +
               then ''

     

       10
       10
       +
                 log info "deploying ${name} resource(s)..."

     

       11
       11
       +
                 nu ${module.mkApp pkgs}

     

       12
       12
       +
               ''

     

       13
       13
       +
               else []

     

       14
       14
       +
             )

     

       15
       15
       +
             provider

     

       16
       16
       +
           ));

     

       17
       17
       +
         mkApp = {config, ...}: pkgs.writers.writeNu "deploy-resources" ''

     

       18
       18
       +
           use std/log

     

       19
       19
       +
           ${

     

       20
       20
       +
             l.concatStringsSep "\n\n"

     

       21
       21
       +
             (

     

       22
       22
       +
               l.mapAttrsToList

     

       23
       23
       +
               (

     

       24
       24
       +
                 name: provider: ''

     

       25
       25
       +
                   log info "deploying resources for ${name}..."

     

       26
       26
       +
                   ${mkProviderApp provider}

     

       27
       27
       +
                 ''

     

       28
       28
       +
               )

     

       29
       29
       +
               config.providers

     

       30
       30
       +
             )

     

       31
       31
       +
           }

     

       32
       32
       +
         '';

     

       33
       33
       +
       in

     

       34
       34
       +
         if self != null

     

       35
       35
       +
         then

     

       36
       36
       +
           l.mergeAttrsList (

     

       37
       37
       +
             l.mapAttrsToList

     

       38
       38
       +
             (

     

       39
       39
       +
               hostname: host:

     

       40
       40
       +
               if l.hasAttr "providers" host.config

     

       41
       41
       +
               then {

     

       42
       42
       +
                 "deploy-${hostname}-resources" = {

     

       43
       43
       +
                   type = "app";

     

       44
       44
       +
                   program = toString (mkApp host);

     

       45
       45
       +
                 };

     

       46
       46
       +
               }

     

       47
       47
       +
               else {}

     

       48
       48
       +
             )

     

       49
       49
       +
             self.nixosConfigurations

     

       50
       50
       +
           )

     

       51
       51
       +
         else if nixosSystem != null

     

       52
       52
       +
         then

     

       53
       53
       +
           {

     

       54
       54
       +
             run = mkApp nixosSystem;

     

       55
       55
       +
           }

     

       56
       56
       +
         else

     

       57
       57
       +
           throw "nixos-cloud-resources: neither 'self' or 'nixosSystem' was provided, aborting"

Compare changes