tmnp: save current state

2023-01-15 15:10:40 +00:00 · 2023-01-15 15:10:40 +00:00 · 53aff5987f
commit 53aff5987f
parent c819214902
4 changed files with 50 additions and 9 deletions
--- a/applications/firewall.nix
+++ b/applications/firewall.nix
@ -1,17 +1,25 @@
-{lib, config, ...}:{
+{lib, pkgs, config, ...}: {

  # using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
  options = {
-    firewall_forward = lib.mkOption {
-      default = [ ];
-      type = lib.types.listOf lib.types.str;
-      description = ''
-        A list of routes to forward
-      '';
+    skynet_firewall = {
+      enable = lib.mkEnableOption {
+        default = false;
+        example = true;
+        description = "Skynet Firewall";
+        type = lib.types.bool;
+      };
+      forward = lib.mkOption {
+        default = [ ];
+        type = lib.types.listOf lib.types.str;
+        description = ''
+          A list of routes to forward
+        '';
+      };
    };
  };

-  config = {
+  config = lib.mkIf config.skynet_firewall.enable {
    # disable default firewall to enable nftables
    networking.firewall.enable = false;
    networking.nftables.enable = true;
@ -61,7 +69,7 @@
          # ip saddr 193.1.99.123 tcp dport 443 counter packets 0 bytes 0 accept

          # can basically make each machiene responsibile for their own forwarding (in config at least)
-          ${lib.strings.concatMapStrings (x: x + "\n") config.firewall_forward}
+          ${lib.strings.concatMapStrings (x: x + "\n") config.skynet_firewall.forward}

          counter packets 0 bytes 0 reject with icmp type admin-prohibited
        }
--- a/flake.nix
+++ b/flake.nix
@ -32,6 +32,20 @@
        hostname = "test01.home.brendan.ie";
        sshUser = "root";
      }
+      {
+        # each machiene must have a name
+        name = "test02";
+
+        # core info about it
+        system = "x86_64-linux";
+        modules = [
+          ./machines/test02.nix
+        ];
+
+        # for the deployment
+        hostname = "test02.home.brendan.ie";
+        sshUser = "root";
+      }
    ];

    # the best part, nix is functional, so lets have some functions
--- a/machines/test01.nix
+++ b/machines/test01.nix
@ -9,4 +9,7 @@
    ../applications/firewall.nix
  ];

+  # this server is teh firewall
+  skynet_firewall.enable = true;
+
 }
--- a/machines/test02.nix
+++ b/machines/test02.nix
@ -0,0 +1,16 @@
+{ pkgs, ... }:
+
+{
+  imports = [
+    # base settings for alls ervers
+    ./base.nix
+
+    # applications for this particular server
+    ../applications/firewall.nix
+  ];
+
+  skynet_firewall.forward = [
+    "ip saddr 193.1.99.123 tcp dport 443 counter packets 0 bytes 0 accept"
+  ];
+
+}