feat: automatically generate allowedTCPPorts for mdns enabled

interfaces; simplify nftables rules by adding a general untrusted zone
2025-10-11 07:10:39 +02:00 · 2023-05-27 01:59:28 +02:00 · 2023-05-27 01:59:28 +02:00 · 41df399bb6
commit 41df399bb6
parent e37601b486
14 changed files with 231 additions and 168 deletions
--- a/modules/extra.nix
+++ b/modules/extra.nix
@ -0,0 +1,71 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit
+    (lib)
+    assertMsg
+    filter
+    hasInfix
+    head
+    mdDoc
+    mkIf
+    mkOption
+    optionals
+    removeSuffix
+    types
+    ;
+in {
+  options.extra.acme.wildcardDomains = mkOption {
+    default = [];
+    example = ["example.org"];
+    type = types.listOf types.str;
+    description = mdDoc ''
+      All domains for which a wildcard certificate will be generated.
+      This will define the given `security.acme.certs` and set `extraDomainNames` correctly,
+      but does not fill any options such as credentials or dnsProvider. These have to be set
+      individually for each cert by the user or via `security.acme.defaults`.
+    '';
+  };
+
+  config = {
+    lib = {
+      # For a given domain, this searches for a matching wildcard acme domain that
+      # would include the given domain. If no such domain is defined in
+      # extra.acme.wildcardDomains, an assertion is triggered.
+      matchingWildcardCert = domain: let
+        matchingCerts =
+          filter
+          (x: !hasInfix "." (removeSuffix ".${x}" domain))
+          config.extra.acme.wildcardDomains;
+      in
+        assert assertMsg (matchingCerts != []) "No wildcard certificate was defined that matches ${domain}";
+          head matchingCerts;
+    };
+
+    security.acme.certs = lib.genAttrs config.extra.acme.wildcardDomains (domain: {
+      extraDomainNames = ["*.${domain}"];
+    });
+
+    # Sensible defaults for nginx
+    services.nginx = mkIf config.services.nginx.enable {
+      recommendedBrotliSettings = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+
+      # SSL config
+      sslCiphers = "EECDH+AESGCM:EDH+AESGCM:!aNULL";
+      sslDhparam = config.rekey.secrets."dhparams.pem".path;
+      commonHttpConfig = ''
+        error_log syslog:server=unix:/dev/log;
+        access_log syslog:server=unix:/dev/log;
+        ssl_ecdh_curve secp384r1;
+      '';
+    };
+
+    networking.firewall.allowedTCPPorts = optionals config.services.nginx.enable [80 443];
+  };
+}
--- a/modules/microvms.nix
+++ b/modules/microvms.nix
@ -75,7 +75,10 @@
          mkIf vmCfg.zfs.enable {
            wantedBy = [fsMountUnit];
            before = [fsMountUnit];
-            after = ["zfs-import-${utils.escapeSystemdPath vmCfg.zfs.pool}.service"];
+            after = [
+              "zfs-import-${utils.escapeSystemdPath vmCfg.zfs.pool}.service"
+              "zfs-mount.target"
+            ];
            unitConfig.DefaultDependencies = "no";
            serviceConfig = {
              Type = "oneshot";
@ -181,30 +184,10 @@
        # TODO change once microvms are compatible with stage-1 systemd
        boot.initrd.systemd.enable = mkForce false;

-        # Create a firewall zone for the bridged traffic and secure vm traffic
        # TODO mkForce nftables
        networking.nftables.firewall = {
          zones = mkForce {
-            "${vmCfg.networking.mainLinkName}".interfaces = [vmCfg.networking.mainLinkName];
-            local-vms.interfaces = [config.extra.wireguard."${nodeName}-local-vms".linkName];
-          };
-
-          rules = mkForce {
-            "${vmCfg.networking.mainLinkName}-to-local" = {
-              from = [vmCfg.networking.mainLinkName];
-              to = ["local"];
-
-              inherit
-                (config.networking.firewall)
-                allowedTCPPorts
-                allowedUDPPorts
-                ;
-            };
-
-            local-vms-to-local = {
-              from = ["local-vms"];
-              to = ["local"];
-            };
+            untrusted.interfaces = [vmCfg.networking.mainLinkName];
          };
        };

@ -215,7 +198,7 @@
              then "${config.networking.hostName}.local"
              else config.networking.fqdn;
            inherit (cfg.networking.wireguard) port;
-            openFirewallRules = ["${vmCfg.networking.mainLinkName}-to-local"];
+            openFirewallRules = ["untrusted"];
          };
          linkName = "local-vms";
          ipv4 = net.cidr.host vmCfg.id cfg.networking.wireguard.cidrv4;
@ -402,21 +385,6 @@ in {
        ipv4 = net.cidr.host 1 cfg.networking.wireguard.cidrv4;
        ipv6 = net.cidr.host 1 cfg.networking.wireguard.cidrv6;
      };
-
-      # Create a firewall zone for the secure vm traffic
-      # TODO mkForce nftables
-      networking.nftables.firewall = {
-        zones = mkForce {
-          local-vms.interfaces = ["local-vms"];
-        };
-
-        rules = mkForce {
-          local-vms-to-local = {
-            from = ["local-vms"];
-            to = ["local"];
-          };
-        };
-      };
    }
    // extraLib.mergeToplevelConfigs ["disko" "microvm" "systemd"] (mapAttrsToList microvmConfig vms)
  );
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@ -21,6 +21,7 @@
    mapAttrsToList
    mdDoc
    mergeAttrs
+    mkForce
    mkIf
    mkOption
    optionalAttrs
@ -133,11 +134,12 @@
      (isServer && wgCfg.server.openFirewall)
      [wgCfg.server.port];

+    # Open the port in the given nftables rule if specified
    # TODO mkForce nftables
-    networking.nftables.firewall.rules =
-      mkIf
-      (isServer && wgCfg.server.openFirewallRules != [])
-      (lib.mkForce (genAttrs wgCfg.server.openFirewallRules (_: {allowedUDPPorts = [wgCfg.server.port];})));
+    networking.nftables.firewall.rules = mkForce (
+      optionalAttrs (isServer && wgCfg.server.openFirewallRules != [])
+      (genAttrs wgCfg.server.openFirewallRules (_: {allowedUDPPorts = [wgCfg.server.port];}))
+    );

    rekey.secrets =
      concatAttrs (map