WIP exports: draft endpoints for services along with a 'firwewall' consumer

2025-10-21 16:25:21 +02:00
parent 0d088cac7e
commit 63aceeeb4e
4 changed files with 79 additions and 0 deletions
--- a/clanServices/firewall/default.nix
+++ b/clanServices/firewall/default.nix
@@ -0,0 +1,34 @@
+{ clanLib, inventory, ... }:
+{
+  manifest.name = "clan-core/firewall";
+  manifest.description = "Configures firewall rules based on exported endpoints from other services";
+
+  roles.default.description = "Configures firewall rules based on exported endpoints from other services";
+
+  perMachine =
+    # firewall instances
+    {
+      exports,
+      machine,
+      lib,
+      ...
+    }:
+    let
+      instances = clanLib.resolveInstances machine inventory;
+
+      instancesTcpPorts = builtins.concatLists (
+        map (
+          instanceName:
+          lib.mapAttrsToList (_endpointName: cfg: cfg.port) exports.instances.${instanceName}.endpoints
+        ) instances
+      );
+      machineTcpPorts = lib.mapAttrsToList (
+        _endpointName: cfg: cfg.port
+      ) exports.instances.${machine.name}.endpoints;
+
+      allowedPorts = instancesTcpPorts ++ machineTcpPorts;
+    in
+    {
+      nixosModule.networking.firewall.allowedTCPPorts = allowedPorts;
+    };
+}
--- a/clanServices/hello-world/default.nix
+++ b/clanServices/hello-world/default.nix
@@ -45,6 +45,12 @@
        ...
      }:
      {
+        exports.endpoints.greeting = {
+          port = 80;
+        };
+        exports.endpoints.uptime = {
+          port = 80;
+        };
        # Analog to 'perSystem' of flake-parts.
        # For every instance of this service we will add a nixosModule to a morning-machine
        nixosModule =
@@ -89,6 +95,9 @@
  perMachine =
    { machine, ... }:
    {
+      exports.endpoints.core-online = {
+        port = 8080;
+      };
      nixosModule =
        { pkgs, ... }:
        {
--- a/flakeModules/clan.nix
+++ b/flakeModules/clan.nix
@@ -53,6 +53,18 @@ in
                  ---
                '';
              };
+              # TODO: Pinpox
+              checks.conflictingPorts =
+                let
+                  conflicts = [ ];
+                in
+                {
+                  assertion = builtins.length conflicts == 0;
+                  message = ''
+                    The following endpoints have conflicting port assignments:
+                    ---
+                  '';
+                };
            }
          ];
        };
--- a/lib/modules/clan/interface.nix
+++ b/lib/modules/clan/interface.nix
@@ -120,6 +120,30 @@ in
      visible = false;
      type = types.deferredModule;
      default = {
+        options.endpoints = lib.mkOption {
+          type = types.attrsWith {
+            placeholder = "endpointName";
+            elemType = (
+              types.submodule {
+                options = {
+                  port = lib.mkOption {
+                    type = types.int;
+                    description = "The port the service is running on";
+                  };
+                  protocol = lib.mkOption {
+                    type = types.enum [
+                      "tcp"
+                      "udp"
+                    ];
+                    default = "tcp";
+                    description = "The protocol used to access the service";
+                  };
+                };
+              }
+            );
+          };
+          default = { };
+        };
        options.networking = lib.mkOption {
          default = null;
          type = lib.types.nullOr (