WIP exports: draft endpoints for services along with a 'firwewall' consumer
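--- /dev/null
+++ b/clanServices/firewall/default.nix
@@ -0,0 +1,34 @@
+{ clanLib, inventory, ... }:
+{
+manifest.name = "clan-core/firewall";
+manifest.description = "Configures firewall rules based on exported endpoints from other services";
+
+roles.default.description = "Configures firewall rules based on exported endpoints from other services";
+
+perMachine =
+# firewall instances
+{
+exports,
+machine,
+lib,
+...
+}:
+let
+instances = clanLib.resolveInstances machine inventory;
+
+instancesTcpPorts = builtins.concatLists (
+map (
+instanceName:
+lib.mapAttrsToList (_endpointName: cfg: cfg.port) exports.instances.${instanceName}.endpoints
+) instances
+);
+machineTcpPorts = lib.mapAttrsToList (
+_endpointName: cfg: cfg.port
+) exports.instances.${machine.name}.endpoints;
+
+allowedPorts = instancesTcpPorts ++ machineTcpPorts;
+in
+{
+nixosModule.networking.firewall.allowedTCPPorts = allowedPorts;
+};
+}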
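Review bot: Every endpoint port is placed into `networking.firewall.allowedTCPPorts` regardless of the endpoint's `protocol`, although the endpoint schema added in the `@@ -120,6 +120,30 @@` hunk offers `tcp` and `udp`; a UDP endpoint would therefore open the wrong protocol on the host and leave the intended one closed. Filtering by protocol and emitting `allowedUDPPorts` alongside keeps the opened surface equal to what the services actually declared, and `lib.unique` removes the duplicates that `instancesTcpPorts ++ machineTcpPorts` produces when the machine's own instance is also in `instances`. Whether `clanLib.resolveInstances` returns only instances whose endpoints are served on this machine is not visible here; if it also includes instances where this machine only holds a peer role, ports are opened on hosts that do not listen on them, which is worth confirming before this leaves WIP.
```nix
let
  instances = clanLib.resolveInstances machine inventory;
  allEndpoints =
    (map (instanceName: exports.instances.${instanceName}.endpoints) instances)
    ++ [ exports.instances.${machine.name}.endpoints ];
  # Ports of all endpoints declaring the given protocol, deduplicated.
  portsFor =
    proto:
    lib.unique (
      lib.concatMap (
        endpoints:
        lib.mapAttrsToList (_endpointName: cfg: cfg.port) (
          lib.filterAttrs (_endpointName: cfg: cfg.protocol == proto) endpoints
        )
      ) allEndpoints
    );
in
{
  nixosModule.networking.firewall = {
    allowedTCPPorts = portsFor "tcp";
    allowedUDPPorts = portsFor "udp";
  };
}
```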
@@ -45,6 +45,12 @@
|
|||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
{
|
{
|
||||||
|
exports.endpoints.greeting = {
|
||||||
|
port = 80;
|
||||||
|
};
|
||||||
|
exports.endpoints.uptime = {
|
||||||
|
port = 80;
|
||||||
|
};
|
||||||
# Analog to 'perSystem' of flake-parts.
|
# Analog to 'perSystem' of flake-parts.
|
||||||
# For every instance of this service we will add a nixosModule to a morning-machine
|
# For every instance of this service we will add a nixosModule to a morning-machine
|
||||||
nixosModule =
|
nixosModule =
|
||||||
@@ -89,6 +95,9 @@
|
|||||||
perMachine =
|
perMachine =
|
||||||
{ machine, ... }:
|
{ machine, ... }:
|
||||||
{
|
{
|
||||||
|
exports.endpoints.core-online = {
|
||||||
|
port = 8080;
|
||||||
|
};
|
||||||
nixosModule =
|
nixosModule =
|
||||||
{ pkgs, ... }:
|
{ pkgs, ... }:
|
||||||
{
|
{
|
||||||
|
|||||||
@@ -53,6 +53,18 @@ in
|
|||||||
---
|
---
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
# TODO: Pinpox
|
||||||
|
checks.conflictingPorts =
|
||||||
|
let
|
||||||
|
conflicts = [ ];
|
||||||
|
in
|
||||||
|
{
|
||||||
|
assertion = builtins.length conflicts == 0;
|
||||||
|
message = ''
|
||||||
|
The following endpoints have conflicting port assignments:
|
||||||
|
---
|
||||||
|
'';
|
||||||
|
};
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|||||||
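Review bot: `conflicts = [ ];` is a constant, so `assertion = builtins.length conflicts == 0;` is always true and `checks.conflictingPorts` can never fail; the `# TODO: Pinpox` marker acknowledges this, but as committed the check is a no-op while the example service in the `@@ -45,6 +45,12 @@` hunk already exports `greeting` and `uptime` both on port 80 and would pass silently. Compute `conflicts` from the resolved endpoints — for example group them by `"${cfg.protocol}:${toString cfg.port}"` and keep the groups with more than one member — and interpolate the offending names into `message`, which currently prints only `---`. The enclosing `let … in` block starts outside the hunk, so the names available for that computation are not visible here.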
@@ -120,6 +120,30 @@ in
|
|||||||
visible = false;
|
visible = false;
|
||||||
type = types.deferredModule;
|
type = types.deferredModule;
|
||||||
default = {
|
default = {
|
||||||
|
options.endpoints = lib.mkOption {
|
||||||
|
type = types.attrsWith {
|
||||||
|
placeholder = "endpointName";
|
||||||
|
elemType = (
|
||||||
|
types.submodule {
|
||||||
|
options = {
|
||||||
|
port = lib.mkOption {
|
||||||
|
type = types.int;
|
||||||
|
description = "The port the service is running on";
|
||||||
|
};
|
||||||
|
protocol = lib.mkOption {
|
||||||
|
type = types.enum [
|
||||||
|
"tcp"
|
||||||
|
"udp"
|
||||||
|
];
|
||||||
|
default = "tcp";
|
||||||
|
description = "The protocol used to access the service";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
);
|
||||||
|
};
|
||||||
|
default = { };
|
||||||
|
};
|
||||||
options.networking = lib.mkOption {
|
options.networking = lib.mkOption {
|
||||||
default = null;
|
default = null;
|
||||||
type = lib.types.nullOr (
|
type = lib.types.nullOr (
|
||||||
|
|||||||
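Review bot: `type = types.int;` on the `port` option accepts negative values and values above 65535, and such a value only surfaces later inside every consumer that turns the export into firewall rules; `type = types.port;` rejects it at evaluation time where the service declares it. `options.endpoints` itself carries no `description`, unlike its `port` and `protocol` children, so it will not be documented with them; something like `description = "Network endpoints this service exposes, consumed by other services such as the firewall";` matches the surrounding style. The parentheses around `types.submodule { … }` in `elemType` are unnecessary. The enclosing option (`default = {`) continues outside the hunk.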