let nix manage firewall

closes #20
Pim Kunis 2023-12-26 13:44:59 +01:00
parent 5a2f4d4696
commit 4278db3000
3 changed files with 16 additions and 10 deletions


@ -49,6 +49,8 @@
services = { services = {
openssh = { openssh = {
enable = true; enable = true;
openFirewall = true;
settings = { settings = {
PasswordAuthentication = false; PasswordAuthentication = false;
KbdInteractiveAuthentication = false; KbdInteractiveAuthentication = false;
@ -112,14 +114,8 @@
networking = { networking = {
domain = "hyp"; domain = "hyp";
firewall.enable = false; firewall.enable = true;
useDHCP = false; useDHCP = false;
nftables = {
enable = true;
checkRuleset = true;
ruleset = builtins.readFile ./nftables.conf;
};
}; };
system.stateVersion = "23.05"; system.stateVersion = "23.05";
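Review bot: The `firewall.enable = true;` line in the second hunk replaces the hand-written ruleset (`ruleset = builtins.readFile ./nftables.conf;`, validated by `checkRuleset = true;`) with the NixOS default firewall, but nothing in this commit carries over whatever that file filtered beyond inbound ports; if it held forward or NAT rules for guests on this host, those are now dropped rather than replaced and would have to be re-expressed as NixOS options. Removing `nftables.enable = true;` also makes the default firewall fall back to its iptables backend, so I would keep `nftables.enable = true;` next to `firewall.enable = true;` so the generated rules stay on nftables and remain comparable with the old ruleset. In the first hunk, `openFirewall = true;` for openssh opens port 22 on every interface; if SSH is only meant to be reachable on a management network, `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ 22 ];` is the narrower form.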


@ -15,9 +15,13 @@ in {
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
environment.systemPackages = [ pkgs.k3s ]; environment.systemPackages = [ pkgs.k3s ];
services.k3s.enable = true; networking.firewall.allowedTCPPorts = [ 6443 ];
services.k3s.role = "server";
services.k3s.extraFlags = "--tls-san ${config.networking.fqdn} --data-dir ${config.custom.dataDisk.mountPoint}/k3s"; services.k3s = {
enable = true;
role = "server";
extraFlags = "--tls-san ${config.networking.fqdn} --data-dir ${config.custom.dataDisk.mountPoint}/k3s";
};
system.activationScripts.k3s-bootstrap.text = system.activationScripts.k3s-bootstrap.text =
let let
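Review bot: `networking.firewall.allowedTCPPorts = [ 6443 ];` opens the k3s API server on every interface of the host; the endpoint is TLS-authenticated, but if it only needs to be reachable from a management or cluster network, the per-interface form `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ 6443 ];` keeps it closed elsewhere. A single `role = "server";` node needs only 6443 for kubectl, but if agents are ever joined from other hosts the node-to-node ports (kubelet 10250/tcp, flannel VXLAN 8472/udp) are not in this list and would have to be added here, so a comment on the line such as `# k3s API server; node-to-node ports must be added here if agents join remotely` would save the next reader a guess. The enclosing `config = lib.mkIf cfg.enable {` attrset closes outside the hunk.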


@ -19,11 +19,14 @@ in {
ensureDatabases = [ "terraformstates" ]; ensureDatabases = [ "terraformstates" ];
package = pkgs.postgresql_15; package = pkgs.postgresql_15;
enableTCPIP = true; enableTCPIP = true;
dataDir = lib.mkIf config.custom.dataDisk.enable dataDir = lib.mkIf config.custom.dataDisk.enable
"${config.custom.dataDisk.mountPoint}/postgresql/${config.services.postgresql.package.psqlSchema}"; "${config.custom.dataDisk.mountPoint}/postgresql/${config.services.postgresql.package.psqlSchema}";
authentication = '' authentication = ''
hostssl terraformstates terraform all cert hostssl terraformstates terraform all cert
''; '';
settings = settings =
let let
serverCert = builtins.toFile "postgresql_server.crt" serverCert = builtins.toFile "postgresql_server.crt"
@ -35,12 +38,15 @@ in {
ssl_key_file = config.age.secrets."postgresql_server.key".path; ssl_key_file = config.age.secrets."postgresql_server.key".path;
ssl_ca_file = serverCert; ssl_ca_file = serverCert;
}; };
ensureUsers = [{ ensureUsers = [{
name = "terraform"; name = "terraform";
ensurePermissions = { "DATABASE terraformstates" = "ALL PRIVILEGES"; }; ensurePermissions = { "DATABASE terraformstates" = "ALL PRIVILEGES"; };
}]; }];
}; };
networking.firewall.allowedTCPPorts = [ 5432 ];
age.secrets."postgresql_server.key" = { age.secrets."postgresql_server.key" = {
file = ../../secrets/postgresql_server.key.age; file = ../../secrets/postgresql_server.key.age;
mode = "400"; mode = "400";