| author | Alejandro Soto <alejandro@34project.org> | 2025-01-01 16:46:08 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2025-01-01 21:49:38 -0600 |
| commit | 083c1d226a03fb84fb1e717adc1581049df689cf (patch) | |
| tree | 4df12bdf7d4560023160359035f10c2217df6e79 /sys/net | |
| parent | b1b3a635db095a54c1863b01b7ecb290e539c152 (diff) | |
sys: refactor address and network number management
Diffstat (limited to '')
| -rw-r--r-- | sys/net/default.nix | 2 | ||||
| -rw-r--r-- | sys/net/fail2ban.nix | 11 | ||||
| -rw-r--r-- | sys/net/nets.nix | 1 | ||||
| -rw-r--r-- | sys/net/options.nix | 166 |
4 files changed, 175 insertions, 5 deletions
diff --git a/sys/net/default.nix b/sys/net/default.nix
index 7990bb5..c3c5740 100644
--- a/sys/net/default.nix
+++ b/sys/net/default.nix
@@ -2,6 +2,8 @@
 imports = [
 ./fail2ban.nix
 ./interfaces.nix
+ ./nets.nix
+ ./options.nix
 ./vsock.nix
 ];
 }
diff --git a/sys/net/fail2ban.nix b/sys/net/fail2ban.nix
index be79de5..998de21 100644
--- a/sys/net/fail2ban.nix
+++ b/sys/net/fail2ban.nix
@@ -1,6 +1,7 @@
 { lib, config, pkgs, ... }:
 with lib; let
 cfg = config.local.net.fail2ban;
+ inherit (config.local) nets;
 in
 {
 options.local.net.fail2ban = {
@@ -21,12 +22,12 @@ in
 overalljails = true;
 };
- #TODO: No quemar
 ignoreIP = [
- "10.34.0.0/16"
- "fd34:2::/64"
- "37.205.12.147"
- "2a03:3b40:fe:3ec::1"
+ nets.vpn0.v4.cidr
+ nets.gate0.v4.cidr
+ nets.gate0.v6.cidr
+ nets.gate-public.hosts.gate.v4.address
+ nets.gate-public.hosts.gate.v6.address
 ];
 };
 };
diff --git a/sys/net/nets.nix b/sys/net/nets.nix
new file mode 100644
index 0000000..1bb3788
--- /dev/null
+++ b/sys/net/nets.nix
@@ -0,0 +1 @@
+# This file has been lustrated.
diff --git a/sys/net/options.nix b/sys/net/options.nix
new file mode 100644
index 0000000..292989a
--- /dev/null
+++ b/sys/net/options.nix
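Review bot: The new `ignoreIP` entries in fail2ban.nix take their prefix length from `config.local.nets`, so a network whose `bits` is declared as `0` would evaluate here to `0.0.0.0/0` or `::/0` and exempt every source address from every jail; nothing in this hunk pins the expectation that these three nets are non-zero-width. The hunk already treats `gate-public` differently (it reads `.hosts.gate.*.address` rather than `.cidr`), which suggests the author is aware of the distinction, so a guard such as `assert nets.vpn0.v4.bits != 0 && nets.gate0.v4.bits != 0 && nets.gate0.v6.bits != 0;` in front of the module body, or an entry in `config.assertions`, would make that intent durable. Note also that `nets.gate0.v6` defaults to `null` in options.nix, so leaving it unset now makes evaluation fail on `.cidr` instead of silently dropping the entry; that is the right failure mode but deserves a one-line comment next to the list. The enclosing module body continues outside the hunk.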
@@ -0,0 +1,166 @@
+{ config, lib, ... }:
+with lib; {
+ options.local.nets = with lib.types; mkOption {
+ readOnly = true;
+
+ type = attrsOf (submodule ({ config, ... }: {
+ options =
+ let
+ v4config = config.v4;
+ v6config = config.v6;
+ in
+ {
+ hosts = mkOption {
+ default = { };
+
+ type = attrsOf (submodule {
+ options = {
+ v4 = mkOption {
+ default = null;
+
+ type = nullOr (submodule ({ config, ... }: {
+ options = {
+ suffix = mkOption {
+ type = str;
+ };
+
+ address = mkOption {
+ type = str;
+ readOnly = true;
+ };
+
+ cidr = mkOption {
+ type = str;
+ readOnly = true;
+ };
+
+ single = mkOption {
+ type = str;
+ readOnly = true;
+ };
+ };
+
+ config = {
+ address =
+ if v4config.bits == 0
+ then config.suffix
+ else if v4config.bits == 32
+ then v4config.subnet
+ else "${v4config.prefix}.${config.suffix}";
+
+ cidr = "${config.address}/${toString v4config.bits}";
+ single = "${config.address}/32";
+ };
+ }));
+ };
+
+ v6 = mkOption {
+ default = null;
+
+ type = nullOr (submodule ({ config, ... }: {
+ options = {
+ suffix = mkOption {
+ type = str;
+ };
+
+ address = mkOption {
+ type = str;
+ readOnly = true;
+ };
+
+ cidr = mkOption {
+ type = str;
+ readOnly = true;
+ };
+
+ single = mkOption {
+ type = str;
+ readOnly = true;
+ };
+ };
+
+ config = {
+ address =
+ if v6config.bits != 0
+ then "${v6config.prefix}::${config.suffix}"
+ else config.suffix;
+
+ cidr = "${config.address}/${toString v6config.bits}";
+ single = "${config.address}/128";
+ };
+ }));
+ };
+ };
+ });
+ };
+
+ v4 = mkOption {
+ default = null;
+
+ type = nullOr (submodule ({ config, ... }: {
+ options = {
+ bits = mkOption {
+ type = enum [ 0 8 16 24 32 ];
+ };
+
+ prefix = mkOption {
+ type = str;
+ };
+
+ subnet = mkOption {
+ type = str;
+ readOnly = true;
+ };
+
+ cidr = mkOption {
+ type = str;
+ readOnly = true;
+ };
+ };
+
+ config = {
+ cidr = "${config.subnet}/${toString config.bits}";
+ subnet =
+ if config.bits != 0
+ then config.prefix + strings.replicate (4 - config.bits / 8) ".0"
+ else "0.0.0.0";
+ };
+ }));
+ };
+
+ v6 = mkOption {
+ default = null;
+
+ type = nullOr (submodule ({ config, ... }: {
+ options = {
+ bits = mkOption {
+ type = addCheck (ints.between 0 64) (b: mod b 4 == 0) // {
+ description = "IPv6 subnet bits at nibble boundary";
+ };
+ };
+
+ prefix = mkOption {
+ type = str;
+ };
+
+ subnet = mkOption {
+ type = str;
+ readOnly = true;
+ };
+
+ cidr = mkOption {
+ type = str;
+ readOnly = true;
+ };
+ };
+
+ config = {
+ cidr = "${config.subnet}/${toString config.bits}";
+ subnet = "${config.prefix}::";
+ };
+ }));
+ };
+ };
+ }));
+ };
+}
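Review bot: `prefix` is accepted as a bare `str` and never reconciled with `bits`, so the v4 `subnet` (`config.prefix + strings.replicate (4 - config.bits / 8) ".0"`) and the host `address` (`"${v4config.prefix}.${config.suffix}"`) silently produce a wrong-length dotted quad when the prefix has a different octet count than `bits / 8` implies, and the v6 `"${config.prefix}::"` form likewise accepts a prefix with more groups than `bits` covers. For v4 the option type can carry the check, e.g. `type = addCheck str (p: config.bits == 0 || length (splitString "." p) == config.bits / 8);`; for v6 an upper bound on the group count is the most that the `::` expansion allows you to assert. A second, security-relevant point: with `bits = 0` the read-only `cidr` values evaluate to `0.0.0.0/0`, `::/0` and `<address>/0`, which match everything if they reach an allow list such as the fail2ban `ignoreIP` rewritten in this same commit; either document that on the `cidr` options or have `cidr` fall back to `single` when the network width is zero. Finally, only the v6 `bits` option carries a `description`; at least `prefix` and `suffix` should state the textual shape they expect, e.g. `description = "Host part appended to the network prefix, without a leading separator";`.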
