| -rw-r--r-- | modules/authentik/default.nix | 2 | ||||
| -rw-r--r-- | modules/common/default.nix | 2 | ||||
| -rw-r--r-- | modules/common/networking.nix | 7 | ||||
| -rw-r--r-- | modules/default.nix | 2 | ||||
| -rw-r--r-- | modules/games/acc.nix | 3 | ||||
| -rw-r--r-- | modules/games/default.nix | 6 | ||||
| -rw-r--r-- | modules/games/palworld.nix | 1 | ||||
| -rw-r--r-- | modules/games/satisfactory.nix | 3 | ||||
| -rw-r--r-- | modules/powerdns/default.nix | 2 | ||||
| -rw-r--r-- | modules/quassel/default.nix | 1 | ||||
| -rw-r--r-- | modules/quassel/quassel.nix | 10 | ||||
| -rw-r--r-- | modules/teamspeak/default.nix | 1 |
12 files changed, 39 insertions, 1 deletions
diff --git a/modules/authentik/default.nix b/modules/authentik/default.nix index f8fa494..03e58f2 100644 --- a/modules/authentik/default.nix +++ b/modules/authentik/default.nix @@ -66,6 +66,8 @@ in # }; # }; + networking.firewall.allowedTCPPorts = [ 389 636 ]; + security.acme.certs = { "vapor.systems" = { extraDomainNames = [ "*.vapor.systems" ]; diff --git a/modules/common/default.nix b/modules/common/default.nix index 4a2bfd3..ed45914 100644 --- a/modules/common/default.nix +++ b/modules/common/default.nix @@ -20,10 +20,10 @@ nixpkgs.config.allowUnfree = true; # Security - networking.firewall.enable = false; security.sudo.wheelNeedsPassword = false; services.openssh = { enable = true; + openFirewall = true; settings = { PasswordAuthentication = false; PermitRootLogin = "no"; diff --git a/modules/common/networking.nix b/modules/common/networking.nix index 63c0d89..0a7b3f7 100644 --- a/modules/common/networking.nix +++ b/modules/common/networking.nix @@ -11,6 +11,13 @@ dhcpcd.extraConfig = '' nohook resolv.conf ''; + + firewall = { + enable = true; + trustedInterfaces = ["wg0"]; + allowedTCPPorts = [ 80 443 ]; + }; + nftables.enable = true; }; systemd.services = { diff --git a/modules/default.nix b/modules/default.nix index 751b9f1..3855e4b 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -31,4 +31,6 @@ catinator = import ./catinator; pastor = import ./pastor; + + monitoring = import ./monitoring; } diff --git a/modules/games/acc.nix b/modules/games/acc.nix index c9a50eb..26a9781 100644 --- a/modules/games/acc.nix +++ b/modules/games/acc.nix @@ -18,4 +18,7 @@ environment = { }; }; }; + + networking.firewall.allowedTCPPorts = [ 9232 ]; + networking.firewall.allowedUDPPorts = [ 9231 ]; } diff --git a/modules/games/default.nix b/modules/games/default.nix index bbbaba3..fee8e34 100644 --- a/modules/games/default.nix +++ b/modules/games/default.nix 
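Review bot: The added `networking.firewall.allowedTCPPorts = [ 389 636 ];` in modules/authentik/default.nix exposes plaintext LDAP (389) alongside LDAPS (636) on every non-trusted interface, so a client that does not negotiate StartTLS sends its bind credentials across the network unencrypted. If the LDAP outpost is only consumed by hosts on the WireGuard side, `wg0` is already a trusted interface in this commit and 389 can be dropped from the public list: `networking.firewall.allowedTCPPorts = [ 636 ];`. If public 389 is genuinely needed, a comment naming the consumer that requires it keeps the exposure deliberate rather than accidental. The enclosing attribute set continues outside the hunk.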
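Review bot: `trustedInterfaces = ["wg0"];` in modules/common/networking.nix exempts all traffic arriving on the WireGuard interface from filtering, so every peer on that tunnel can reach every listening socket on the host, not only the services intended for it. If the peers are not all administrative hosts, the narrower `interfaces.wg0.allowedTCPPorts = [ … ];` form lists exactly what the tunnel may reach while keeping default-deny for the rest. A short comment stating who sits behind `wg0` and why full trust is intended would help the next reader, e.g. `# wg0 peers are admin hosts only; full trust is intentional`. It is also worth confirming that `nftables.enable = true;` does not conflict with the oci-containers backend used by the game modules, since a Docker backend manages its own iptables rules.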
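Review bot: `monitoring = import ./monitoring;` in modules/default.nix adds a module import that nothing else in this firewall change references, and no file under modules/monitoring appears in the diffstat. If the directory already exists in the tree this is an unrelated change riding along; if it does not, evaluation fails at import time. Either way it deserves a line in the commit message or a separate commit.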
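Review bot: The `networking.firewall.allowedTCPPorts = [ 9232 ];` and `allowedUDPPorts = [ 9231 ];` lines in modules/games/acc.nix repeat port numbers as bare literals with nothing tying them to the container's `ports` mapping, which sits outside the hunk; the same pattern appears in modules/games/palworld.nix (8211/udp) and modules/games/satisfactory.nix (7777/tcp+udp). A comment at each site such as `# must match the ports published by virtualisation.oci-containers.containers.acc`, or a shared local binding used by both the container and the firewall, keeps the two from drifting apart. If the container backend is Docker, published ports are DNAT'd before the input chain and may be reachable regardless of these entries, so it is worth checking that the host firewall actually governs them here.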
@@ -7,6 +7,7 @@ enable = true; package = pkgs.master.factorio-headless; + openFirewall = true; public = false; nonBlockingSaving = true; loadLatestSave = true; @@ -16,6 +17,7 @@ services.xonotic = { enable = true; + openFirewall = true; settings = { net_address = "178.63.224.10"; hostname = "cocaine.farm xonotic $g_xonoticversion"; @@ -27,6 +29,8 @@ package = pkgs.unstable.papermc; eula = true; + openFirewall = true; + declarative = true; whitelist = import ./minecraft_whitelist.nix; jvmOpts = "-Xmx6144M -Xms6144M"; @@ -67,4 +71,6 @@ ]; }; }; + + networking.firewall.allowedTCPPorts = [ 25566 ]; } diff --git a/modules/games/palworld.nix b/modules/games/palworld.nix index 844eb36..74974fa 100644 --- a/modules/games/palworld.nix +++ b/modules/games/palworld.nix @@ -1,6 +1,7 @@ { config, lib, ... }: { + networking.firewall.allowedUDPPorts = [ 8211 ]; virtualisation.oci-containers.containers = { palworld-server = { image = "docker.io/jammsen/palworld-dedicated-server:latest"; diff --git a/modules/games/satisfactory.nix b/modules/games/satisfactory.nix index 6864256..b47e575 100644 --- a/modules/games/satisfactory.nix +++ b/modules/games/satisfactory.nix @@ -6,6 +6,9 @@ }: { + networking.firewall.allowedTCPPorts = [ 7777 ]; + networking.firewall.allowedUDPPorts = [ 7777 ]; + virtualisation.oci-containers.containers = { satisfactory = { image = "docker.io/wolveix/satisfactory-server:latest"; diff --git a/modules/powerdns/default.nix b/modules/powerdns/default.nix index 1f411df..5a920ec 100644 --- a/modules/powerdns/default.nix +++ b/modules/powerdns/default.nix @@ -65,5 +65,7 @@ in else secondary; secretFile = "/etc/secrets/pdns_api.env"; }; + networking.firewall.allowedTCPPorts = [ 53 ]; + networking.firewall.allowedUDPPorts = [ 53 ]; }; } diff --git a/modules/quassel/default.nix b/modules/quassel/default.nix index 52880c8..ceeb3b0 100644 --- a/modules/quassel/default.nix +++ b/modules/quassel/default.nix 
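Review bot: `declarative = true;` next to the new `openFirewall = true;` in the minecraft hunk of modules/games/default.nix is not a firewall change: in the upstream `services.minecraft-server` module it makes the declared `serverProperties` and whitelist authoritative on every start, overwriting manual edits, and, as I recall the module, in declarative mode `openFirewall` opens the configured server port together with the query and rcon ports when those are enabled in `serverProperties`. That `serverProperties` block is outside the hunk, so it is worth confirming rcon is disabled or bound to a non-public address before this lands. A one-line comment, `# declarative: server.properties and whitelist are regenerated from this file on every start`, would make the coupling visible, and the commit message should mention it.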
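Review bot: `networking.firewall.allowedTCPPorts = [ 25566 ];` at the end of modules/games/default.nix opens a port that no service in the visible hunks declares, while every other game server in this file now uses its module's `openFirewall` option. A comment naming the service that listens there, e.g. `# 25566/tcp: <service name>`, would keep the rule auditable; if it belongs to one of the `services.*` definitions above, routing it through that module's port option would be better still. The enclosing attribute set starts outside the hunk.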
@@ -19,6 +19,7 @@ in services.quassel = { enable = true; package = quassel; + openFirewall = true; extraGroups = [ "acme" ]; settings = { listen = [ "178.63.224.10" "2a01:4f8:231:56a::10" ]; diff --git a/modules/quassel/quassel.nix b/modules/quassel/quassel.nix index e8ef580..9a31c32 100644 --- a/modules/quassel/quassel.nix +++ b/modules/quassel/quassel.nix @@ -38,6 +38,14 @@ in Useful for e.g. access to acme certificates. ''; }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Open the firewall for the port defined in {option}`services.quassel.settings.port` + ''; + }; environmentFile = mkOption { type = types.nullOr types.path; @@ -430,6 +438,8 @@ in } ]; + networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ cfg.settings.port cfg.settings.ident.port ]; + systemd.services.quassel = { description = "Quassel IRC client daemon"; diff --git a/modules/teamspeak/default.nix b/modules/teamspeak/default.nix index 1864679..2ab4092 100644 --- a/modules/teamspeak/default.nix +++ b/modules/teamspeak/default.nix @@ -6,6 +6,7 @@ ip = "178.63.224.12"; in { enable = true; + openFirewall = true; voiceIP = ip; queryIP = ip; fileTransferIP = ip; |
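Review bot: The new `openFirewall` option's description in modules/quassel/quassel.nix names only `services.quassel.settings.port`, but the implementation in the second hunk of that file opens `cfg.settings.ident.port` as well, so the documented contract is narrower than the behaviour; change the description to `Open the firewall for {option}`services.quassel.settings.port` and {option}`services.quassel.settings.ident.port``. The ident port is also opened whenever `openFirewall` is set, regardless of whether the ident listener is enabled; the `settings.ident` definition is outside the hunk, so if it has an enable flag the rule should be gated on it too, e.g. `lib.optional cfg.settings.ident.enable cfg.settings.ident.port`. Separately, recent nixpkgs deprecates `lib.mdDoc` (descriptions are Markdown by default), so match whatever the file's neighbouring options already do.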
