From 4278db3000de7ede79ecaba8423db3bef5ef4ae9 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Tue, 26 Dec 2023 13:44:59 +0100
Subject: [PATCH] let nix manage firewall

closes #20
---
 configuration.nix | 10 +++-------
 modules/custom/k3s/default.nix | 10 +++++++---
 modules/custom/terraform-database.nix | 6 ++++++
 3 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/configuration.nix b/configuration.nix
index 2a708c4..f550b91 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -49,6 +49,8 @@
 services = {
 openssh = {
 enable = true;
+ openFirewall = true;
+
 settings = {
 PasswordAuthentication = false;
 KbdInteractiveAuthentication = false;
@@ -112,14 +114,8 @@
 networking = {
 domain = "hyp";
- firewall.enable = false;
+ firewall.enable = true;
 useDHCP = false;
-
- nftables = {
- enable = true;
- checkRuleset = true;
- ruleset = builtins.readFile ./nftables.conf;
- };
 };
 system.stateVersion = "23.05";
diff --git a/modules/custom/k3s/default.nix b/modules/custom/k3s/default.nix
index 6bfc0b1..1f0ee0c 100644
--- a/modules/custom/k3s/default.nix
+++ b/modules/custom/k3s/default.nix
@@ -15,9 +15,13 @@ in {
 config = lib.mkIf cfg.enable {
 environment.systemPackages = [ pkgs.k3s ];
- services.k3s.enable = true;
- services.k3s.role = "server";
- services.k3s.extraFlags = "--tls-san ${config.networking.fqdn} --data-dir ${config.custom.dataDisk.mountPoint}/k3s";
+ networking.firewall.allowedTCPPorts = [ 6443 ];
+
+ services.k3s = {
+ enable = true;
+ role = "server";
+ extraFlags = "--tls-san ${config.networking.fqdn} --data-dir ${config.custom.dataDisk.mountPoint}/k3s";
+ };
 system.activationScripts.k3s-bootstrap.text = let
diff --git a/modules/custom/terraform-database.nix b/modules/custom/terraform-database.nix
index 01b7bb5..7c92ed8 100644
--- a/modules/custom/terraform-database.nix
+++ b/modules/custom/terraform-database.nix
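Review bot: Replacing the hand-written ruleset with `firewall.enable = true` in the `networking = {` hunk silently drops whatever policy `./nftables.conf` expressed beyond plain port opening (per-interface scoping, any forwarding rules for guest traffic on this host, rate limits), and nothing in the commit reinstates it; the NixOS firewall then accepts the ports opened by the openssh, k3s and postgresql hunks on every interface. If some of those services were previously reachable only from a management network, `networking.firewall.interfaces.<name>.allowedTCPPorts` restores that scoping. Keeping `networking.nftables.enable = true;` (without `ruleset`) should make the NixOS firewall use the nftables backend rather than iptables on this stateVersion, if that was the intent — worth confirming. `nftables.conf` is now unreferenced and should be removed from the repository so it does not linger as a stale, misleading description of the host's policy.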
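Review bot: `networking.firewall.allowedTCPPorts = [ 6443 ];` exposes the k3s API server on every interface, which is broader than a single-node `role = "server"` needs if only an admin network or the node itself talks to the API; `networking.firewall.interfaces.<name>.allowedTCPPorts = [ 6443 ];` keeps the same reachability on the intended interface only. A one-line comment saying what the port is would help the next reader, e.g. `# 6443: k3s API server (kubectl, agent joins)`. If agents are ever added, the well-known k3s node-to-node ports will also have to be opened explicitly, since the hunk only covers the API port. The `config = lib.mkIf cfg.enable {` block continues past the end of the hunk.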
@@ -19,11 +19,14 @@ in {
 ensureDatabases = [ "terraformstates" ];
 package = pkgs.postgresql_15;
 enableTCPIP = true;
+ dataDir = lib.mkIf config.custom.dataDisk.enable "${config.custom.dataDisk.mountPoint}/postgresql/${config.services.postgresql.package.psqlSchema}";
+
 authentication = ''
 hostssl terraformstates terraform all cert
 '';
+
 settings = let
 serverCert = builtins.toFile "postgresql_server.crt"
@@ -35,12 +38,15 @@ in {
 ssl_key_file = config.age.secrets."postgresql_server.key".path;
 ssl_ca_file = serverCert;
 };
+
 ensureUsers = [{
 name = "terraform";
 ensurePermissions = { "DATABASE terraformstates" = "ALL PRIVILEGES"; };
 }];
 };
+ networking.firewall.allowedTCPPorts = [ 5432 ];
+
 age.secrets."postgresql_server.key" = {
 file = ../../secrets/postgresql_server.key.age;
 mode = "400";
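Review bot: The new `dataDir` places the cluster under `config.custom.dataDisk.mountPoint`, but nothing in the hunk orders the postgresql unit after that mount, so if the data disk is absent or not yet mounted at boot the service can initdb a fresh, empty cluster on the root filesystem beneath the mount point and come up with no Terraform state. Unless the `custom.dataDisk` module already declares that dependency (not visible here), `systemd.services.postgresql.unitConfig.RequiresMountsFor = lib.mkIf config.custom.dataDisk.enable [ config.custom.dataDisk.mountPoint ];` makes the unit fail loudly instead. The `services.postgresql = {` attribute set this hunk edits starts before and ends after the visible lines.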
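Review bot: `networking.firewall.allowedTCPPorts = [ 5432 ];` opens PostgreSQL on every interface while the pg_hba line `hostssl terraformstates terraform all cert` accepts connections from any address, so the client-certificate check is the only control between the network and the database; scoping the port with `networking.firewall.interfaces.<name>.allowedTCPPorts` on the interface the Terraform clients use adds a network-layer limit in front of it. The literal 5432 should also follow the service's own setting, `networking.firewall.allowedTCPPorts = [ config.services.postgresql.port ];`, so the two cannot drift apart. A brief comment on the added line naming the consumer (Terraform state backend over TLS) would make the exposure intentional rather than incidental to a later reader.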