tmnp: save current state

This commit is contained in:
silver 2023-01-15 15:10:40 +00:00
parent c819214902
commit 53aff5987f
4 changed files with 50 additions and 9 deletions

View file

@ -1,17 +1,25 @@
{lib, config, ...}:{ {lib, pkgs, config, ...}: {
# using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base # using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
options = { options = {
firewall_forward = lib.mkOption { skynet_firewall = {
default = [ ]; enable = lib.mkEnableOption {
type = lib.types.listOf lib.types.str; default = false;
description = '' example = true;
A list of routes to forward description = "Skynet Firewall";
''; type = lib.types.bool;
};
forward = lib.mkOption {
default = [ ];
type = lib.types.listOf lib.types.str;
description = ''
A list of routes to forward
'';
};
}; };
}; };
config = { config = lib.mkIf config.skynet_firewall.enable {
# disable default firewall to enable nftables # disable default firewall to enable nftables
networking.firewall.enable = false; networking.firewall.enable = false;
networking.nftables.enable = true; networking.nftables.enable = true;
@ -61,7 +69,7 @@
# ip saddr 193.1.99.123 tcp dport 443 counter packets 0 bytes 0 accept # ip saddr 193.1.99.123 tcp dport 443 counter packets 0 bytes 0 accept
# can basically make each machiene responsibile for their own forwarding (in config at least) # can basically make each machiene responsibile for their own forwarding (in config at least)
${lib.strings.concatMapStrings (x: x + "\n") config.firewall_forward} ${lib.strings.concatMapStrings (x: x + "\n") config.skynet_firewall.forward}
counter packets 0 bytes 0 reject with icmp type admin-prohibited counter packets 0 bytes 0 reject with icmp type admin-prohibited
} }

View file

@ -32,6 +32,20 @@
hostname = "test01.home.brendan.ie"; hostname = "test01.home.brendan.ie";
sshUser = "root"; sshUser = "root";
} }
{
# each machiene must have a name
name = "test02";
# core info about it
system = "x86_64-linux";
modules = [
./machines/test02.nix
];
# for the deployment
hostname = "test02.home.brendan.ie";
sshUser = "root";
}
]; ];
# the best part, nix is functional, so lets have some functions # the best part, nix is functional, so lets have some functions

View file

@ -9,4 +9,7 @@
../applications/firewall.nix ../applications/firewall.nix
]; ];
# this server is teh firewall
skynet_firewall.enable = true;
} }

16
machines/test02.nix Normal file
View file

@ -0,0 +1,16 @@
{ pkgs, ... }:
{
imports = [
# base settings for alls ervers
./base.nix
# applications for this particular server
../applications/firewall.nix
];
skynet_firewall.forward = [
"ip saddr 193.1.99.123 tcp dport 443 counter packets 0 bytes 0 accept"
];
}