Syncthing: Rework firewall.

2024-12-08 22:25:43 +03:00 · 2024-12-08 22:25:43 +03:00 · 1c331d9bc4
parent 52bfc64933
commit 1c331d9bc4
10 changed files with 93 additions and 21 deletions
--- a/config/Syncthing.nix
+++ b/config/Syncthing.nix
@ -2,14 +2,29 @@
 	config,
 	lib,
 	pkgs,
+	util,
 	...
 }: let
 	cfg = config.module.syncthing;
 in {
 	config = lib.mkIf cfg.enable {
+		# CLI tools.
 		environment.systemPackages = with pkgs; [ syncthing ];
+
+		# Access at sync.lan.
+		networking.hosts = { "127.0.0.1" = [ "sync.local" ]; };
+		services.nginx.enable = true;
+		services.nginx.virtualHosts."sync.local".extraConfig = util.trimTabs ''
+			location / {
+				allow 127.0.0.1;
+				deny all;
+				proxy_pass http://127.0.0.1:8384;
+			}
+		'';
+
 		services.syncthing = {
-			inherit (cfg) enable dataDir user group openDefaultPorts;
+			inherit (cfg) enable dataDir user group;
+			openDefaultPorts = false;
 			systemService = true;
 			settings = lib.recursiveUpdate cfg.settings {
 				devices = {
--- a/host/x86_64-linux/dasha/Network.nix
+++ b/host/x86_64-linux/dasha/Network.nix
@ -0,0 +1,9 @@
+{ ... }: {
+	networking = {
+		firewall.extraCommands = ''
+			# Ssh access.
+			iptables  -I INPUT -j ACCEPT -s 10.0.0.0/8          -p tcp --dport 22143
+			ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 -p tcp --dport 22143
+		'';
+	};
+}
--- a/host/x86_64-linux/desktop/Network.nix
+++ b/host/x86_64-linux/desktop/Network.nix
@ -0,0 +1,14 @@
+{ ... }: {
+	networking = {
+		firewall.extraCommands = ''
+			# Ssh access.
+			iptables  -I INPUT -j ACCEPT -s 10.0.0.0/8          -p tcp --dport 22143
+			ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 -p tcp --dport 22143
+
+			# Syncthing.
+			ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 -p tcp --dport 22000
+			ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 -p udp --dport 22000
+			ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 -p udp --dport 21027
+		'';
+	};
+}
--- a/host/x86_64-linux/home/Network.nix
+++ b/host/x86_64-linux/home/Network.nix
@ -13,9 +13,6 @@
 	lan = "br0";    # Lan interface.
 	wan = "enp8s0"; # Wan interface.
 in {
-	# Disable SSH access from everywhere, configure access bellow.
-	services.openssh.openFirewall = false;
-
 	# Disable systemd-resolved for DNS server.
 	services.resolved.enable = false;

@ -155,21 +152,12 @@ in {
 		networkmanager.enable = lib.mkForce false;
 		firewall = {
 			enable = true;
-			allowPing = true;
-			rejectPackets = false; # Drop.
-
-			logRefusedConnections  = false;
-			logReversePathDrops    = false;
-			logRefusedPackets      = false;
-			logRefusedUnicastsOnly = true;
-
 			extraCommands = util.trimTabs ''
 				# Wan access for 10.0.0.0/8 subnet.
 				iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -d 0/0 -o ${wan} -j MASQUERADE

 				# Full access from Lan.
-				iptables  -I INPUT -j ACCEPT -i ${lan}
-				ip6tables -I INPUT -j ACCEPT -i ${lan}
+				ip46tables -I INPUT -j ACCEPT -i ${lan}

 				# Public email server.
 				ip46tables -I INPUT -j ACCEPT -i ${wan} -p tcp --dport 25
@ -194,6 +182,11 @@ in {
 				ip46tables -I INPUT -j ACCEPT -i ${wan} -p tcp --dport 22666
 				ip46tables -I INPUT -j ACCEPT -i ${wan} -p udp --dport 22666

+				# Syncthing.
+				ip6tables -I INPUT -j ACCEPT -i ${lan} -p tcp --dport 22000
+				ip6tables -I INPUT -j ACCEPT -i ${lan} -p udp --dport 22000
+				ip6tables -I INPUT -j ACCEPT -i ${lan} -p udp --dport 21027
+
 				# Public SSH access.
 				# ip46tables -I INPUT -j ACCEPT -i ${wan} -p tcp --dport 22143
 			'';
--- a/host/x86_64-linux/home/default.nix
+++ b/host/x86_64-linux/home/default.nix
@ -16,7 +16,6 @@
 		syncthing = {
 			enable  = true;
 			dataDir = "/storage/hot/sync";
-			openDefaultPorts = false;
 			user  = "root";
 			group = "root";
 		};
--- a/host/x86_64-linux/laptop/Network.nix
+++ b/host/x86_64-linux/laptop/Network.nix
@ -0,0 +1,9 @@
+{ ... }: {
+	networking = {
+		firewall.extraCommands = ''
+			# Ssh access.
+			iptables  -I INPUT -j ACCEPT -s 10.0.0.0/8          -p tcp --dport 22143
+			ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 -p tcp --dport 22143
+		'';
+	};
+}
--- a/host/x86_64-linux/pocket/Network.nix
+++ b/host/x86_64-linux/pocket/Network.nix
@ -0,0 +1,9 @@
+{ ... }: {
+	networking = {
+		firewall.extraCommands = ''
+			# Ssh access.
+			iptables  -I INPUT -j ACCEPT -s 10.0.0.0/8          -p tcp --dport 22143
+			ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 -p tcp --dport 22143
+		'';
+	};
+}
--- a/host/x86_64-linux/work/Network.nix
+++ b/host/x86_64-linux/work/Network.nix
@ -0,0 +1,9 @@
+{ ... }: {
+	networking = {
+		firewall.extraCommands = ''
+			# Ssh access.
+			iptables  -I INPUT -j ACCEPT -s 10.0.0.0/8          -p tcp --dport 22143
+			ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 -p tcp --dport 22143
+		'';
+	};
+}
--- a/option/Syncthing.nix
+++ b/option/Syncthing.nix
@ -24,9 +24,5 @@ in {
 			default = "users";
 			type    = lib.types.str;
 		};
-		openDefaultPorts = lib.mkOption {
-			default = true;
-			type    = lib.types.bool;
-		};
 	};
 }
--- a/system/Firewall.nix
+++ b/system/Firewall.nix
@ -1,3 +1,22 @@
-{ ... }: {
-	networking.firewall.enable = true;
+{
+	lib,
+	...
+}: {
+	networking.firewall = {
+		enable = true;
+
+		# NOTE: Configure manually with `extraCommands`.
+		allowedTCPPortRanges = lib.mkForce [ ];
+		allowedTCPPorts      = lib.mkForce [ ];
+		allowedUDPPortRanges = lib.mkForce [ ];
+		allowedUDPPorts      = lib.mkForce [ ];
+
+		allowPing     = true;
+		rejectPackets = false; # Drop.
+
+		logRefusedConnections  = false;
+		logRefusedPackets      = false;
+		logRefusedUnicastsOnly = true;
+		logReversePathDrops    = false;
+	};
 }