feat: automatically generate allowedTCPPorts for mdns enabled

interfaces; simplify nftables rules by adding a general untrusted zone
2025-10-11 07:10:39 +02:00 · 2023-05-27 01:59:28 +02:00 · 2023-05-27 01:59:28 +02:00 · 41df399bb6
commit 41df399bb6
parent e37601b486
14 changed files with 231 additions and 168 deletions
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -65,10 +65,6 @@ in {

    #automatic1111 = defineVm 19;
    #invokeai = defineVm 19;
-
-    #kanidm = defineVm 12 // {
-    #  configPath = ./vm-test.nix;
-    #};
  };

  microvm.vms.test.config = {
@ -95,61 +91,22 @@ in {
      mode = "440";
      group = "acme";
    };
+
    security.acme = {
      acceptTerms = true;
      defaults = {
        inherit (acme) email;
-        dnsProvider = "cloudflare";
        credentialsFile = config.rekey.secrets.acme-credentials.path;
+        dnsProvider = "cloudflare";
        dnsPropagationCheck = true;
+        reloadServices = ["nginx"];
      };
-      certs = lib.genAttrs acme.domains (domain: {
-        extraDomainNames = ["*.${domain}"];
-      });
    };
+    extra.acme.wildcardDomains = acme.domains;
    users.groups.acme.members = ["nginx"];
+    services.nginx.enable = true;

-    # TODO reload nginx when acme is renewed
-
-    # TODO make default nginx config in core to reduce boilerplate?
-    services.nginx = let
-      # TODO not implemented well
-      # TODO not implemented well
-      # TODO not implemented well
-      # TODO not implemented well
-      # TODO not implemented well
-      # TODO not implemented well
-      # TODO not implemented well
-      # TODO not implemented well
-      # TODO (acme.domains is very specific)
-      # TODO (security.acme causes recursion)
-      matchingWildcardCert = domain: let
-        # Filter all certs that are wildcard certs and which match the given domain
-        matchingCerts =
-          lib.filter
-          (x: !lib.hasInfix "." (lib.removeSuffix ".${x}" domain))
-          acme.domains;
-      in
-        assert lib.assertMsg (matchingCerts != []) "No wildcard certificate was defined that matches ${domain}";
-          lib.head matchingCerts;
-    in {
-      enable = true;
-
-      recommendedBrotliSettings = true;
-      recommendedGzipSettings = true;
-      recommendedOptimisation = true;
-      recommendedProxySettings = true;
-      recommendedTlsSettings = true;
-
-      # SSL config
-      sslCiphers = "EECDH+AESGCM:EDH+AESGCM:!aNULL";
-      sslDhparam = config.rekey.secrets."dhparams.pem".path;
-      commonHttpConfig = ''
-        error_log syslog:server=unix:/dev/log;
-        access_log syslog:server=unix:/dev/log;
-        ssl_ecdh_curve secp384r1;
-      '';
-
+    services.nginx = {
      upstreams."kanidm" = {
        servers."${config.extra.wireguard."${parentNodeName}-local-vms".ipv4}:8300" = {};
        extraConfig = ''
@ -159,7 +116,7 @@ in {
      };
      virtualHosts.${auth.domain} = {
        forceSSL = true;
-        useACMEHost = matchingWildcardCert auth.domain;
+        useACMEHost = config.lib.matchingWildcardCert auth.domain;
        locations."/".proxyPass = "https://kanidm";
        # Allow using self-signed certs to satisfy kanidm's requirement
        # for TLS connections. (This is over wireguard anyway)
@ -169,10 +126,18 @@ in {
      };
    };

-    networking.firewall.allowedTCPPorts = [80 443];
+    networking.nftables.firewall = {
+      zones = lib.mkForce {
+        local-vms.interfaces = ["local-vms"];
+      };

-    networking.nftables.firewall.rules = lib.mkForce {
-      local-vms-to-local.allowedTCPPorts = [8300];
+      rules = lib.mkForce {
+        local-vms-to-local = {
+          from = ["local-vms"];
+          to = ["local"];
+          allowedTCPPorts = [8300];
+        };
+      };
    };

    rekey.secrets."kanidm-self-signed.crt" = {
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -89,9 +89,8 @@ in {
  # TODO mkForce nftables
  networking.nftables.firewall = {
    zones = lib.mkForce {
+      untrusted.interfaces = ["wan"];
      lan.interfaces = ["lan-self"];
-      wan.interfaces = ["wan"];
-      local-vms.interfaces = ["local-vms"];
    };

    rules = lib.mkForce {
@ -100,34 +99,24 @@ in {
        extraLines = ["ip6 nexthdr icmpv6 icmpv6 type { mld-listener-query, nd-router-solicit } accept"];
      };

-      masquerade-wan = {
+      masquerade = {
        from = ["lan"];
-        to = ["wan"];
+        to = ["untrusted"];
        masquerade = true;
      };

+      # Rule needed to allow local-vms wireguard traffic
+      lan-to-local = {
+        from = ["lan"];
+        to = ["local"];
+      };
+
      outbound = {
        from = ["lan"];
-        to = ["lan" "wan"];
+        to = ["lan" "untrusted"];
        late = true; # Only accept after any rejects have been processed
        verdict = "accept";
      };
-
-      wan-to-local = {
-        from = ["wan"];
-        to = ["local"];
-      };
-
-      lan-to-local = {
-        from = ["lan"];
-        to = ["local"];
-
-        inherit
-          (config.networking.firewall)
-          allowedTCPPorts
-          allowedUDPPorts
-          ;
-      };
    };
  };