| -rw-r--r-- | sys/net/default.nix | 2 | ||||
| -rw-r--r-- | sys/net/fail2ban.nix | 11 | ||||
| -rw-r--r-- | sys/net/nets.nix | 1 | ||||
| -rw-r--r-- | sys/net/options.nix | 166 | ||||
| -rw-r--r-- | sys/ns/ns.nix | 5 | ||||
| -rw-r--r-- | sys/ns/rr.nix | 7 |
6 files changed, 185 insertions, 7 deletions
diff --git a/sys/net/default.nix b/sys/net/default.nix
index 7990bb5..c3c5740 100644
--- a/sys/net/default.nix
+++ b/sys/net/default.nix
@@ -2,6 +2,8 @@
   imports = [
     ./fail2ban.nix
     ./interfaces.nix
+    ./nets.nix
+    ./options.nix
     ./vsock.nix
   ];
 }
diff --git a/sys/net/fail2ban.nix b/sys/net/fail2ban.nix
index be79de5..998de21 100644
--- a/sys/net/fail2ban.nix
+++ b/sys/net/fail2ban.nix
@@ -1,6 +1,7 @@
 { lib, config, pkgs, ... }:
 with lib;
 let
   cfg = config.local.net.fail2ban;
+  inherit (config.local) nets;
 in
 {
   options.local.net.fail2ban = {
@@ -21,12 +22,12 @@ in
       overalljails = true;
     };
-    #TODO: No quemar
     ignoreIP = [
-      "10.34.0.0/16"
-      "fd34:2::/64"
-      "37.205.12.147"
-      "2a03:3b40:fe:3ec::1"
+      nets.vpn0.v4.cidr
+      nets.gate0.v4.cidr
+      nets.gate0.v6.cidr
+      nets.gate-public.hosts.gate.v4.address
+      nets.gate-public.hosts.gate.v6.address
     ];
   };
 };
diff --git a/sys/net/nets.nix b/sys/net/nets.nix
new file mode 100644
index 0000000..1bb3788
--- /dev/null
+++ b/sys/net/nets.nix
@@ -0,0 +1 @@
+# This file has been lustrated.
diff --git a/sys/net/options.nix b/sys/net/options.nix
new file mode 100644
index 0000000..292989a
--- /dev/null
+++ b/sys/net/options.nix
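Review bot: The new `ignoreIP` entries are only a faithful replacement of the removed literals if `local.nets` in sys/net/nets.nix defines `vpn0`, `gate0` and `gate-public.hosts.gate` with the same values, and that file is a placeholder in this diff, so the equivalence cannot be checked from the page. Because `v4`/`v6` default to `null` in sys/net/options.nix, a net that lacks one family makes this list fail at evaluation time with a null-attribute error rather than silently widening or narrowing the exemption list, which is the safer failure mode; a one-line comment above the list would make that dependency explicit, e.g. `# Exemptions come from local.nets so fail2ban and the zone files stay in sync`. `nets.gate-public.hosts.gate.v4.address` is a bare address while the host submodule also offers `single` (`address/32`); both forms are accepted by fail2ban, but using one consistently would read better.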
@@ -0,0 +1,166 @@
+{ config, lib, ... }:
+with lib; {
+  options.local.nets = with lib.types; mkOption {
+    readOnly = true;
+
+    type = attrsOf (submodule ({ config, ... }: {
+      options =
+        let
+          v4config = config.v4;
+          v6config = config.v6;
+        in
+        {
+          hosts = mkOption {
+            default = { };
+
+            type = attrsOf (submodule {
+              options = {
+                v4 = mkOption {
+                  default = null;
+
+                  type = nullOr (submodule ({ config, ... }: {
+                    options = {
+                      suffix = mkOption {
+                        type = str;
+                      };
+
+                      address = mkOption {
+                        type = str;
+                        readOnly = true;
+                      };
+
+                      cidr = mkOption {
+                        type = str;
+                        readOnly = true;
+                      };
+
+                      single = mkOption {
+                        type = str;
+                        readOnly = true;
+                      };
+                    };
+
+                    config = {
+                      address =
+                        if v4config.bits == 0
+                        then config.suffix
+                        else if v4config.bits == 32
+                        then v4config.subnet
+                        else "${v4config.prefix}.${config.suffix}";
+
+                      cidr = "${config.address}/${toString v4config.bits}";
+                      single = "${config.address}/32";
+                    };
+                  }));
+                };
+
+                v6 = mkOption {
+                  default = null;
+
+                  type = nullOr (submodule ({ config, ... }: {
+                    options = {
+                      suffix = mkOption {
+                        type = str;
+                      };
+
+                      address = mkOption {
+                        type = str;
+                        readOnly = true;
+                      };
+
+                      cidr = mkOption {
+                        type = str;
+                        readOnly = true;
+                      };
+
+                      single = mkOption {
+                        type = str;
+                        readOnly = true;
+                      };
+                    };
+
+                    config = {
+                      address =
+                        if v6config.bits != 0
+                        then "${v6config.prefix}::${config.suffix}"
+                        else config.suffix;
+
+                      cidr = "${config.address}/${toString v6config.bits}";
+                      single = "${config.address}/128";
+                    };
+                  }));
+                };
+              };
+            });
+          };
+
+          v4 = mkOption {
+            default = null;
+
+            type = nullOr (submodule ({ config, ... }: {
+              options = {
+                bits = mkOption {
+                  type = enum [ 0 8 16 24 32 ];
+                };
+
+                prefix = mkOption {
+                  type = str;
+                };
+
+                subnet = mkOption {
+                  type = str;
+                  readOnly = true;
+                };
+
+                cidr = mkOption {
+                  type = str;
+                  readOnly = true;
+                };
+              };
+
+              config = {
+                cidr = "${config.subnet}/${toString config.bits}";
+                subnet =
+                  if config.bits != 0
+                  then config.prefix + strings.replicate (4 - config.bits / 8) ".0"
+                  else "0.0.0.0";
+              };
+            }));
+          };
+
+          v6 = mkOption {
+            default = null;
+
+            type = nullOr (submodule ({ config, ... }: {
+              options = {
+                bits = mkOption {
+                  type = addCheck (ints.between 0 64) (b: mod b 4 == 0) // {
+                    description = "IPv6 subnet bits at nibble boundary";
+                  };
+                };
+
+                prefix = mkOption {
+                  type = str;
+                };
+
+                subnet = mkOption {
+                  type = str;
+                  readOnly = true;
+                };
+
+                cidr = mkOption {
+                  type = str;
+                  readOnly = true;
+                };
+              };
+
+              config = {
+                cidr = "${config.subnet}/${toString config.bits}";
+                subnet = "${config.prefix}::";
+              };
+            }));
+          };
+        };
+    }));
+  };
+}
diff --git a/sys/ns/ns.nix b/sys/ns/ns.nix
index f23fccf..4c242b6 100644
--- a/sys/ns/ns.nix
+++ b/sys/ns/ns.nix
@@ -1,6 +1,7 @@
 { config, lib, ... }:
 with lib;
 let
   inherit (config.local.ns.server) tsigName;
+  inherit (config.local.nets) gate-public;
 in
 {
   options.local.ns.zones = mkOption {
@@ -41,11 +42,11 @@ in
           ];
           a = [
-            { name = cfg.primary; ipv4 = "37.205.12.147"; }
+            { name = cfg.primary; ipv4 = gate-public.hosts.gate.v4.address; }
           ];
           aaaa = [
-            { name = cfg.primary; ipv6 = "2a03:3b40:fe:3ec::1"; }
+            { name = cfg.primary; ipv6 = gate-public.hosts.gate.v6.address; }
           ];
         };
       }));
diff --git a/sys/ns/rr.nix b/sys/ns/rr.nix
index a007c4a..a80eaf4 100644
--- a/sys/ns/rr.nix
+++ b/sys/ns/rr.nix
@@ -1,6 +1,7 @@
 { config, lib, options, pkgs, ... }:
 with lib;
 let
   cfg = config.local.ns;
+  globalConfig = config;
   segmentRegex = "[a-z0-9_-]+(\\.[a-z0-9_-]+)*";
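Review bot: `prefix` and `suffix` in the v4 submodules are typed only as `str`, so nothing verifies that a host suffix supplies exactly `4 - bits / 8` octets to complement its net's prefix; with `bits = 24` a suffix of `"1.2"` produces a five-octet `address`, and that string is consumed unchecked by the `ignoreIP` and A-record definitions elsewhere in this commit. The `bits == 32` branch of `address` also discards `suffix` while that option still has no default, so a value set there is silently ignored. Tightening the types, e.g. `suffix = mkOption { type = strMatching "[0-9]{1,3}(\\.[0-9]{1,3})*"; };` with a `description` stating the octet convention, would at least reject non-numeric input at evaluation time; an octet-count check against `v4config.bits` would need an assertion in `config`. The v6 `bits` option is the only one in this file that documents its contract, and the others deserve the same.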
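Review bot: `gate-public.hosts.gate.v4.address` and `.v6.address` are dereferenced unconditionally in the `a` and `aaaa` lists, although both host sub-options default to `null` in sys/net/options.nix; if nets.nix omits one family for `gate`, zone evaluation aborts with a null-attribute error instead of emitting only the record it can. If a dual-stack primary is a hard requirement, a comment saying so would help; otherwise `a = optional (gate-public.hosts.gate.v4 != null) { name = cfg.primary; ipv4 = gate-public.hosts.gate.v4.address; };` (and likewise for `aaaa`) degrades gracefully. The enclosing submodule starts before this hunk.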
@@ -78,6 +79,12 @@ in
     in
     {
       options = {
+        local = mkOption {
+          type = unspecified;
+          default = globalConfig.local;
+          readOnly = true;
+        };
+
         defaultTTL = mkOption {
           type = int;
           default = 3600; |
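Review bot: The new `local` option carries no `description`, and because its type is `unspecified` a reader of the option listing cannot tell what it holds or that it is only a read-only mirror of the top-level `config.local` for use inside record definitions; add `description = "Read-only view of config.local, exposed so record definitions can reference local.nets";` and, if it is meant purely as plumbing, `internal = true;` to keep it out of generated option documentation. The `globalConfig = config;` binding it relies on is added in the earlier hunk of this file.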
