diff --git a/applications/firewall.nix b/applications/firewall.nix index 33249e4..45a2bde 100644 --- a/applications/firewall.nix +++ b/applications/firewall.nix @@ -1,17 +1,25 @@ -{lib, config, ...}:{ +{lib, pkgs, config, ...}: { # using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base options = { - firewall_forward = lib.mkOption { - default = [ ]; - type = lib.types.listOf lib.types.str; - description = '' - A list of routes to forward - ''; + skynet_firewall = { + enable = lib.mkEnableOption { + default = false; + example = true; + description = "Skynet Firewall"; + type = lib.types.bool; + }; + forward = lib.mkOption { + default = [ ]; + type = lib.types.listOf lib.types.str; + description = '' + A list of routes to forward + ''; + }; }; }; - config = { + config = lib.mkIf config.skynet_firewall.enable { # disable default firewall to enable nftables networking.firewall.enable = false; networking.nftables.enable = true; @@ -61,7 +69,7 @@ # ip saddr 193.1.99.123 tcp dport 443 counter packets 0 bytes 0 accept # can basically make each machiene responsibile for their own forwarding (in config at least) - ${lib.strings.concatMapStrings (x: x + "\n") config.firewall_forward} + ${lib.strings.concatMapStrings (x: x + "\n") config.skynet_firewall.forward} counter packets 0 bytes 0 reject with icmp type admin-prohibited } diff --git a/flake.nix b/flake.nix index 8ad3dc9..f0e1aea 100644 --- a/flake.nix +++ b/flake.nix @@ -32,6 +32,20 @@ hostname = "test01.home.brendan.ie"; sshUser = "root"; } + { + # each machiene must have a name + name = "test02"; + + # core info about it + system = "x86_64-linux"; + modules = [ + ./machines/test02.nix + ]; + + # for the deployment + hostname = "test02.home.brendan.ie"; + sshUser = "root"; + } ]; # the best part, nix is functional, so lets have some functions diff --git a/machines/test01.nix b/machines/test01.nix index 07aeaae..276d9ea 100644 --- a/machines/test01.nix 
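Review bot: `lib.mkEnableOption` takes the option's display name as a string (nixpkgs derives `mkOption { default = false; example = true; type = lib.types.bool; description = "Whether to enable ${name}."; }` from it), so the attrset `{ default = false; example = true; description = "Skynet Firewall"; type = lib.types.bool; }` passed to it in the new `skynet_firewall.enable` is never read as option attributes; it is only interpolated into the description, which fails with a set-to-string coercion error whenever that description is forced. Replace the block with `enable = lib.mkEnableOption "Skynet Firewall";`, or keep the explicit form as `enable = lib.mkOption { type = lib.types.bool; default = false; description = "Skynet Firewall"; };`. `pkgs` is added to the module arguments but nothing in the visible hunks uses it, so drop it unless the part of the file outside this diff needs it. The `config` attrset continues past the end of the hunk.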
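Review bot: The elements of `config.skynet_firewall.forward` are spliced into the ruleset verbatim, one per line, directly ahead of the catch-all `reject`, with no quoting or validation, yet the option is typed only as `listOf str` and described as "routes"; a single malformed element makes `nft -f` reject the whole ruleset, and an over-broad element accepts everything it matches because it precedes the reject. Put that contract in the option description in the first hunk, e.g. `Raw nftables rules, one per element, inserted verbatim into the forward chain ahead of the final reject; each must be a complete, valid nft rule.` The chain being closed here appears to be the forward chain, but the hunk shows only its last lines, and the enclosing ruleset string starts before it.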
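Review bot: The new machine entry repeats test01's block verbatim apart from `name`, `hostname` and the module path, including the typo `machiene` in the comment; fix it to `# each machine must have a name`. Since every field is derived from the machine name (`./machines/${name}.nix`, `"${name}.home.brendan.ie"`), consider generating both entries with a small function over `[ "test01" "test02" ]` rather than hand-copying them. The list this entry belongs to starts before the hunk.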
+++ b/machines/test01.nix @@ -9,4 +9,7 @@ ../applications/firewall.nix ]; + # this server is teh firewall + skynet_firewall.enable = true; + } diff --git a/machines/test02.nix b/machines/test02.nix new file mode 100644 index 0000000..543d779 --- /dev/null +++ b/machines/test02.nix @@ -0,0 +1,16 @@ +{ pkgs, ... }: + +{ + imports = [ + # base settings for alls ervers + ./base.nix + + # applications for this particular server + ../applications/firewall.nix + ]; + + skynet_firewall.forward = [ + "ip saddr 193.1.99.123 tcp dport 443 counter packets 0 bytes 0 accept" + ]; + +}
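Review bot: Setting `skynet_firewall.enable = true` also sets `networking.firewall.enable = false` through firewall.nix, so `networking.firewall.allowedTCPPorts` and every service's `openFirewall` become no-ops on this host and any port it needs must be opened in the nftables ruleset instead; the added comment should say so rather than only naming the role, and it has a typo (`teh`). Suggest `# this server is the firewall: skynet_firewall replaces networking.firewall, so ports must be opened in its nftables ruleset, not via allowedTCPPorts/openFirewall`. The attrset this line sits in begins before the hunk.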
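Review bot: `skynet_firewall.forward` is set here but `skynet_firewall.enable` is not, and firewall.nix gates its entire `config` on `enable`, so on test02 this rule is never rendered into any ruleset; nothing visible in this diff feeds one machine's `forward` option into another machine's configuration either, so the rule does not reach test01 (firewall.nix's comment hints at per-machine intent, but the wiring for it is not in this commit). If test02 is meant to run the firewall itself, add `skynet_firewall.enable = true;`; if the rule is meant for test01, it has to be set in test01's configuration or collected in the flake. `pkgs` is bound in the module arguments but unused, so `{ ... }:` is enough.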