summaryrefslogtreecommitdiffstats
path: root/modules/tv/iptables
diff options
context:
space:
mode:
Diffstat (limited to 'modules/tv/iptables')
-rw-r--r--modules/tv/iptables/config.nix93
-rw-r--r--modules/tv/iptables/default.nix11
-rw-r--r--modules/tv/iptables/options.nix29
3 files changed, 0 insertions, 133 deletions
diff --git a/modules/tv/iptables/config.nix b/modules/tv/iptables/config.nix
deleted file mode 100644
index a525cfa5d..000000000
--- a/modules/tv/iptables/config.nix
+++ /dev/null
@@ -1,93 +0,0 @@
-{ cfg, lib, pkgs, ... }:
-
-let
- inherit (pkgs) writeScript writeText;
- inherit (lib) concatMapStringsSep;
-
- accept-new-tcp = port:
- "-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT";
-
- rules = iptables-version:
- writeText "tv-iptables-rules${toString iptables-version}" ''
- *nat
- :PREROUTING ACCEPT [0:0]
- :INPUT ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- :POSTROUTING ACCEPT [0:0]
- ${concatMapStringsSep "\n" (rule: "-A PREROUTING ${rule}") ([]
- ++ [
- "! -i retiolum -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 0"
- "-p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
- ]
- )}
- COMMIT
- *filter
- :INPUT DROP [0:0]
- :FORWARD DROP [0:0]
- :OUTPUT ACCEPT [0:0]
- :Retiolum - [0:0]
- ${concatMapStringsSep "\n" (rule: "-A INPUT ${rule}") ([]
- ++ [
- "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
- "-i lo -j ACCEPT"
- ]
- ++ map accept-new-tcp cfg.input-internet-accept-new-tcp
- ++ ["-i retiolum -j Retiolum"]
- )}
- ${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
- ++ {
- ip4tables = [
- "-p icmp -m icmp --icmp-type echo-request -j ACCEPT"
- ];
- ip6tables = [
- "-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT"
- ];
- }."ip${toString iptables-version}tables"
- ++ map accept-new-tcp cfg.input-retiolum-accept-new-tcp
- ++ {
- ip4tables = [
- "-p tcp -j REJECT --reject-with tcp-reset"
- "-p udp -j REJECT --reject-with icmp-port-unreachable"
- "-j REJECT --reject-with icmp-proto-unreachable"
- ];
- ip6tables = [
- "-p tcp -j REJECT --reject-with tcp-reset"
- "-p udp -j REJECT --reject-with icmp6-port-unreachable"
- "-j REJECT"
- ];
- }."ip${toString iptables-version}tables"
- )}
- COMMIT
- '';
-
- startScript = writeScript "tv-iptables_start" ''
- #! /bin/sh
- set -euf
- iptables-restore < ${rules 4}
- ip6tables-restore < ${rules 6}
- '';
-in
-
-{
- networking.firewall.enable = false;
-
- systemd.services.tv-iptables = {
- description = "tv-iptables";
- wantedBy = [ "network-pre.target" ];
- before = [ "network-pre.target" ];
- after = [ "systemd-modules-load.service" ];
-
- path = with pkgs; [
- iptables
- ];
-
- restartIfChanged = true;
-
- serviceConfig = {
- Type = "simple";
- RemainAfterExit = true;
- Restart = "always";
- ExecStart = "@${startScript} tv-iptables_start";
- };
- };
-}
diff --git a/modules/tv/iptables/default.nix b/modules/tv/iptables/default.nix
deleted file mode 100644
index cf27a26ac..000000000
--- a/modules/tv/iptables/default.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-arg@{ config, lib, pkgs, ... }:
-
-let
- cfg = config.tv.iptables;
- arg' = arg // { inherit cfg; };
-in
-
-{
- options.tv.iptables = import ./options.nix arg';
- config = lib.mkIf cfg.enable (import ./config.nix arg');
-}
diff --git a/modules/tv/iptables/options.nix b/modules/tv/iptables/options.nix
deleted file mode 100644
index 1adffebdb..000000000
--- a/modules/tv/iptables/options.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{ lib, ... }:
-
-let
- inherit (lib) mkOption types;
-in
-
-{
- enable = mkOption {
- type = types.bool;
- default = false;
- description = "Enable iptables.";
- };
-
- input-internet-accept-new-tcp = mkOption {
- type = with types; listOf str;
- default = [];
- description = ''
- TCP ports, accepting incoming connections from anywhere.
- '';
- };
-
- input-retiolum-accept-new-tcp = mkOption {
- type = with types; listOf str;
- default = [];
- description = ''
- TCP ports, accepting incoming connections from Retiolum.
- '';
- };
-}