Syncthing: Rework firewall.

2024-12-08 22:25:43 +03:00 · 2024-12-08 22:25:43 +03:00 · 1c331d9bc4
parent 52bfc64933
commit 1c331d9bc4
10 changed files with 93 additions and 21 deletions
--- a/config/Syncthing.nix
+++ b/config/Syncthing.nix
@ -2,14 +2,29 @@
 	config,
 	lib,
 	pkgs,
 	util,
 	...
 }: let
 	cfg = config.module.syncthing;
 in {
 	config = lib.mkIf cfg.enable {
 		# CLI tools.
 		environment.systemPackages = with pkgs; [ syncthing ];
 		# Access at sync.lan.
 		networking.hosts = { "127.0.0.1" = [ "sync.local" ]; };
 		services.nginx.enable = true;
 		services.nginx.virtualHosts."sync.local".extraConfig = util.trimTabs ''
 			location / {
 				allow 127.0.0.1;
 				deny all;
 				proxy_pass http://127.0.0.1:8384;
 			}
 		'';
 		services.syncthing = {
-			inherit (cfg) enable dataDir user group openDefaultPorts;
+			inherit (cfg) enable dataDir user group;
 			openDefaultPorts = false;
 			systemService = true;
 			settings = lib.recursiveUpdate cfg.settings {
 				devices = {
--- a/host/x86_64-linux/dasha/Network.nix
+++ b/host/x86_64-linux/dasha/Network.nix
@ -0,0 +1,9 @@
 { ... }: {
 	networking = {
 		firewall.extraCommands = ''
 			# Ssh access.
 			iptables  -I INPUT -j ACCEPT -s 10.0.0.0/8          -p tcp --dport 22143
 			ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 -p tcp --dport 22143
 		'';
 	};
 }
--- a/host/x86_64-linux/desktop/Network.nix
+++ b/host/x86_64-linux/desktop/Network.nix
@ -0,0 +1,14 @@
 { ... }: {
 	networking = {
 		firewall.extraCommands = ''
 			# Ssh access.
 			iptables  -I INPUT -j ACCEPT -s 10.0.0.0/8          -p tcp --dport 22143
 			ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 -p tcp --dport 22143
 			# Syncthing.
 			ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 -p tcp --dport 22000
 			ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 -p udp --dport 22000
 			ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 -p udp --dport 21027
 		'';
 	};
 }
--- a/host/x86_64-linux/home/Network.nix
+++ b/host/x86_64-linux/home/Network.nix
@ -13,9 +13,6 @@
 	lan = "br0";    # Lan interface.
 	wan = "enp8s0"; # Wan interface.
 in {
 	# Disable SSH access from everywhere, configure access bellow.
 	services.openssh.openFirewall = false;
 	# Disable systemd-resolved for DNS server.
 	services.resolved.enable = false;
@ -155,21 +152,12 @@ in {
 		networkmanager.enable = lib.mkForce false;
 		firewall = {
 			enable = true;
 			allowPing = true;
 			rejectPackets = false; # Drop.
 			logRefusedConnections  = false;
 			logReversePathDrops    = false;
 			logRefusedPackets      = false;
 			logRefusedUnicastsOnly = true;
 			extraCommands = util.trimTabs ''
 				# Wan access for 10.0.0.0/8 subnet.
 				iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -d 0/0 -o ${wan} -j MASQUERADE
 				# Full access from Lan.
-				iptables  -I INPUT -j ACCEPT -i ${lan}
+				ip46tables -I INPUT -j ACCEPT -i ${lan}
 				ip6tables -I INPUT -j ACCEPT -i ${lan}
 				# Public email server.
 				ip46tables -I INPUT -j ACCEPT -i ${wan} -p tcp --dport 25
@ -194,6 +182,11 @@ in {
 				ip46tables -I INPUT -j ACCEPT -i ${wan} -p tcp --dport 22666
 				ip46tables -I INPUT -j ACCEPT -i ${wan} -p udp --dport 22666
 				# Syncthing.
 				ip6tables -I INPUT -j ACCEPT -i ${lan} -p tcp --dport 22000
 				ip6tables -I INPUT -j ACCEPT -i ${lan} -p udp --dport 22000
 				ip6tables -I INPUT -j ACCEPT -i ${lan} -p udp --dport 21027
 				# Public SSH access.
 				# ip46tables -I INPUT -j ACCEPT -i ${wan} -p tcp --dport 22143
 			'';
--- a/host/x86_64-linux/home/default.nix
+++ b/host/x86_64-linux/home/default.nix
@ -16,7 +16,6 @@
 		syncthing = {
 			enable  = true;
 			dataDir = "/storage/hot/sync";
 			openDefaultPorts = false;
 			user  = "root";
 			group = "root";
 		};
--- a/host/x86_64-linux/laptop/Network.nix
+++ b/host/x86_64-linux/laptop/Network.nix
@ -0,0 +1,9 @@
 { ... }: {
 	networking = {
 		firewall.extraCommands = ''
 			# Ssh access.
 			iptables  -I INPUT -j ACCEPT -s 10.0.0.0/8          -p tcp --dport 22143
 			ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 -p tcp --dport 22143
 		'';
 	};
 }
--- a/host/x86_64-linux/pocket/Network.nix
+++ b/host/x86_64-linux/pocket/Network.nix
@ -0,0 +1,9 @@
 { ... }: {
 	networking = {
 		firewall.extraCommands = ''
 			# Ssh access.
 			iptables  -I INPUT -j ACCEPT -s 10.0.0.0/8          -p tcp --dport 22143
 			ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 -p tcp --dport 22143
 		'';
 	};
 }
--- a/host/x86_64-linux/work/Network.nix
+++ b/host/x86_64-linux/work/Network.nix
@ -0,0 +1,9 @@
 { ... }: {
 	networking = {
 		firewall.extraCommands = ''
 			# Ssh access.
 			iptables  -I INPUT -j ACCEPT -s 10.0.0.0/8          -p tcp --dport 22143
 			ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 -p tcp --dport 22143
 		'';
 	};
 }
--- a/option/Syncthing.nix
+++ b/option/Syncthing.nix
@ -24,9 +24,5 @@ in {
 			default = "users";
 			type    = lib.types.str;
 		};
 		openDefaultPorts = lib.mkOption {
 			default = true;
 			type    = lib.types.bool;
 		};
 	};
 }
--- a/system/Firewall.nix
+++ b/system/Firewall.nix
@ -1,3 +1,22 @@
-{ ... }: {
+{
-	networking.firewall.enable = true;
+	lib,
 	...
 }: {
 	networking.firewall = {
 		enable = true;
 		# NOTE: Configure manually with `extraCommands`.
 		allowedTCPPortRanges = lib.mkForce [ ];
 		allowedTCPPorts      = lib.mkForce [ ];
 		allowedUDPPortRanges = lib.mkForce [ ];
 		allowedUDPPorts      = lib.mkForce [ ];
 		allowPing     = true;
 		rejectPackets = false; # Drop.
 		logRefusedConnections  = false;
 		logRefusedPackets      = false;
 		logRefusedUnicastsOnly = true;
 		logReversePathDrops    = false;
 	};
 }