summaryrefslogtreecommitdiffstats
path: root/tv/3modules
diff options
context:
space:
mode:
authorlassulus <lass@aidsballs.de>2016-02-16 17:15:00 +0100
committerlassulus <lass@aidsballs.de>2016-02-16 17:15:00 +0100
commit0b0b0d65ee05583529df831985580e392713d29a (patch)
tree7eb6799a996924d8e895c54633a47ea3d7a92a4c /tv/3modules
parent3d30e9cc9014ec6189410944015d3cd7d5ca95a6 (diff)
parentb7a92f63884af00eb0243ec9328be689a6c9b845 (diff)
Merge remote-tracking branch 'cd/master'
Diffstat (limited to 'tv/3modules')
-rw-r--r--tv/3modules/ejabberd.nix5
-rw-r--r--tv/3modules/iptables.nix63
2 files changed, 33 insertions, 35 deletions
diff --git a/tv/3modules/ejabberd.nix b/tv/3modules/ejabberd.nix
index 581e10074..c9d9b48b1 100644
--- a/tv/3modules/ejabberd.nix
+++ b/tv/3modules/ejabberd.nix
@@ -1,13 +1,12 @@
{ config, lib, pkgs, ... }:
-with builtins;
-with lib;
+with config.krebs.lib;
let
cfg = config.tv.ejabberd;
out = {
options.tv.ejabberd = api;
- config = mkIf cfg.enable imp;
+ config = lib.mkIf cfg.enable imp;
};
api = {
diff --git a/tv/3modules/iptables.nix b/tv/3modules/iptables.nix
index cbf49f577..c0fd7ec12 100644
--- a/tv/3modules/iptables.nix
+++ b/tv/3modules/iptables.nix
@@ -1,18 +1,22 @@
{ config, lib, pkgs, ... }:
-with builtins;
-with lib;
+with config.krebs.lib;
let
cfg = config.tv.iptables;
out = {
options.tv.iptables = api;
- config = mkIf cfg.enable imp;
+ config = lib.mkIf cfg.enable imp;
};
api = {
enable = mkEnableOption "tv.iptables";
+ accept-echo-request = mkOption {
+ type = with types; nullOr (enum ["internet" "retiolum"]);
+ default = "retiolum";
+ };
+
input-internet-accept-new-tcp = mkOption {
type = with types; listOf (either int str);
default = [];
@@ -43,28 +47,38 @@ let
Type = "simple";
RemainAfterExit = true;
Restart = "always";
- ExecStart = "@${startScript} tv-iptables_start";
+ SyslogIdentifier = "tv-iptables_start";
+ ExecStart = pkgs.writeDash "tv-iptables_start" ''
+ set -euf
+ iptables-restore < ${rules 4}
+ ip6tables-restore < ${rules 6}
+ '';
};
};
};
- accept-new-tcp = port:
- "-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT";
-
- rules = iptables-version:
+ rules = iptables-version: let
+ accept-echo-request = {
+ ip4tables = "-p icmp -m icmp --icmp-type echo-request -j ACCEPT";
+ ip6tables = "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT";
+ }."ip${toString iptables-version}tables";
+ accept-new-tcp = port:
+ "-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT";
+ in
pkgs.writeText "tv-iptables-rules${toString iptables-version}" ''
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
- ${concatMapStringsSep "\n" (rule: "-A PREROUTING ${rule}") ([]
- ++ [
- "! -i retiolum -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 0"
- "-p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
- ]
- )}
+ ${concatMapStringsSep "\n" (rule: "-A PREROUTING ${rule}") [
+ "! -i retiolum -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 0"
+ "-p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
+ ]}
+ ${concatMapStringsSep "\n" (rule: "-A OUTPUT ${rule}") [
+ "-o lo -p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
+ ]}
COMMIT
*filter
:INPUT DROP [0:0]
@@ -76,18 +90,12 @@ let
"-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
"-i lo -j ACCEPT"
]
+ ++ optional (cfg.accept-echo-request == "internet") accept-echo-request
++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp))
++ ["-i retiolum -j Retiolum"]
)}
${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
- ++ {
- ip4tables = [
- "-p icmp -m icmp --icmp-type echo-request -j ACCEPT"
- ];
- ip6tables = [
- "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT"
- ];
- }."ip${toString iptables-version}tables"
+ ++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request
++ map accept-new-tcp (unique (map toString cfg.input-retiolum-accept-new-tcp))
++ {
ip4tables = [
@@ -104,16 +112,7 @@ let
)}
COMMIT
'';
-
- startScript = pkgs.writeScript "tv-iptables_start" ''
- #! /bin/sh
- set -euf
- iptables-restore < ${rules 4}
- ip6tables-restore < ${rules 6}
- '';
-
-in
-out
+in out
#let
# cfg = config.tv.iptables;