refactor: split code, add test for hetzner firewall app

dusk 4ef813c9 fde701d9

+77 -38
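--- /dev/null
+++ b/firewall/provider/hetzner/app.nix
@@ -0,0 +1,12 @@
+{pkgs, lib ? pkgs.lib, taggedPorts, id}: let
+  l = lib // (import ./rules.nix {inherit lib;});
+
+  firewallRules =
+    builtins.toFile
+    "hetzner-firewall-${toString id}-rules.json"
+    (builtins.toJSON (l.mkFirewallRuleset taggedPorts));
+in pkgs.writers.writeNu "apply-hetzner" ''
+  let firewallId = ${toString id}
+  let rulesFile = "${firewallRules}"
+  ${l.fileContents ./app.nu}
+''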
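Review bot: `id` is spliced verbatim into the generated Nushell script via `toString id` but app.nix never validates it, and unlike the NixOS module path (where the option is typed `t.ints.unsigned`) this file is now callable directly, as flake.nix does. A string or negative value would silently produce a script that targets the wrong firewall or fails at runtime rather than at evaluation. Add an assertion right after the argument pattern, e.g. `assert builtins.isInt id && id >= 0;`, so misuse fails at `nix build` time. app.nu is not part of this diff, so how the script consumes `HETZNER_API_TOKEN` and `rulesFile` cannot be reviewed here.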
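--- a/firewall/provider/hetzner/default.nix
+++ b/firewall/provider/hetzner/default.nix
@@ -1,4 +1,4 @@
-{pkgs, lib, config, options, ...}: let
+{lib, config, ...}: let
   l = lib;
   t = l.types;
   taggedPorts = config.networking.firewall.public;
@@ -10,48 +10,22 @@
         type = t.ints.unsigned;
         description = "The ID of the firewall to update.";
       };
-      app = l.mkOption {
-        type = t.package;
+      mkApp = l.mkOption {
+        type = t.functionTo t.package;
         readOnly = true;
         description = ''
-          The generated app for this provider, run it to apply the configuration.
+          Function that generates a script for this provider, pass it an instance of nixpkgs and run to apply the configuration.
 
-          For this to work, you need to set the `HETZNER_API_TOKEN` environment variable to a valid API token from Hetzner.
+          For this app to work, you need to set the `HETZNER_API_TOKEN` environment variable to a valid API token from Hetzner.
         '';
       };
     };
   };
 
-  config = let
-    mkRule = proto: tag: port: {
-      description = tag;
-      direction = "in";
-      protocol = proto;
-      port =
-        if l.isAttrs port
-        then l.concatMapStringsSep "-" toString [port.from port.to]
-        else toString port;
-      source_ips = ["0.0.0.0/0" "::/0"];
-    };
-    mkTcpRule = mkRule "tcp";
-    mkUdpRule = mkRule "udp";
-    firewallRules = pkgs.writers.writeJSON "hetzner-firewall-${toString cfg.id}-rules.json" {
-      rules = l.flatten (
-        l.mapAttrsToList
-        (tag: ports: [
-          (l.map (mkTcpRule tag) ports.allowedTCPPorts)
-          (l.map (mkTcpRule tag) ports.allowedTCPPortRanges)
-          (l.map (mkUdpRule tag) ports.allowedUDPPorts)
-          (l.map (mkUdpRule tag) ports.allowedUDPPortRanges)
-        ])
-        taggedPorts
-      );
+  config = {
+    providers.hetzner.firewall.mkApp = pkgs: import ./app.nix {
+      inherit pkgs lib taggedPorts;
+      inherit (cfg) id;
     };
-  in {
-    providers.hetzner.firewall.app = pkgs.writers.writeNu "apply-hetzner" ''
-      let firewallId = ${toString cfg.id}
-      let rulesFile = "${firewallRules}"
-      ${l.fileContents ./app.nu}
-    '';
   };
 }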
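Review bot: The new `mkApp` description does not tell the operator what exposure the generated script creates, which is the one thing a firewall option's documentation must state; the rule builder this now delegates to (rules.nix) sets `source_ips = ["0.0.0.0/0" "::/0"]` on every rule, so each port listed under `networking.firewall.public` is opened to the whole internet. Add a sentence to the description, e.g. `Every port in networking.firewall.public is opened inbound to all source addresses (0.0.0.0/0 and ::/0); there is no per-tag source restriction.` It would also help to say whether applying the ruleset replaces or merges with rules already present on the Hetzner firewall, but that behaviour lives in app.nu, which is not in this diff, so I cannot confirm it either way.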
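--- /dev/null
+++ b/firewall/provider/hetzner/rules.nix
@@ -0,0 +1,29 @@
+{lib}: let
+  l = lib;
+  mkRule = proto: tag: port: {
+    description = tag;
+    direction = "in";
+    protocol = proto;
+    port =
+      if l.isAttrs port
+      then l.concatMapStringsSep "-" toString [port.from port.to]
+      else toString port;
+    source_ips = ["0.0.0.0/0" "::/0"];
+  };
+in rec {
+  mkTcpRule = mkRule "tcp";
+  mkUdpRule = mkRule "udp";
+  # taggedPorts: attrset of {allowedTCPPorts, allowedTCPPortRanges, ...}
+  mkFirewallRuleset = taggedPorts: {
+    rules = l.flatten (
+      l.mapAttrsToList
+      (tag: ports: [
+        (l.map (mkTcpRule tag) (ports.allowedTCPPorts or []))
+        (l.map (mkTcpRule tag) (ports.allowedTCPPortRanges or []))
+        (l.map (mkUdpRule tag) (ports.allowedUDPPorts or []))
+        (l.map (mkUdpRule tag) (ports.allowedUDPPortRanges or []))
+      ])
+      taggedPorts
+    );
+  };
+}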
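Review bot: The `or []` fallbacks in `mkFirewallRuleset` make a misspelled attribute (say `allowedTcpPorts`) silently contribute no rule, and since this file is now called directly from flake.nix as well as through the typed NixOS option, nothing guarantees the attribute names are checked before they get here. A silent drop in a firewall ruleset is the wrong failure mode: the operator believes a port is open (or a rule is present) when it is not. Reject unknown keys inside the per-tag lambda, e.g. `assert l.all (k: l.elem k ["allowedTCPPorts" "allowedTCPPortRanges" "allowedUDPPorts" "allowedUDPPortRanges"]) (l.attrNames ports);`. Port ranges are also rendered from `port.from`/`port.to` without checking `from <= to` or the 1–65535 bound; the option type in ./firewall (not in this diff) may already enforce that for the module path, but the direct-call path would not get it.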
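--- a/flake.nix
+++ b/flake.nix
@@ -3,10 +3,34 @@
 
   inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
 
-  outputs = inp: {
+  outputs = inp: let
+    l = inp.nixpkgs.lib;
+    pkgsInstances =
+      l.genAttrs
+      ["x86_64-linux"]
+      (s: inp.nixpkgs.legacyPackages.${s});
+  in {
     nixosModules = {
-      firewall = ./firewall/default.nix;
-      firewall-hetzner = ./firewall/provider/hetzner/default.nix;
+      firewall = ./firewall;
+      firewall-hetzner = ./firewall/provider/hetzner;
     };
+    checks =
+      l.mapAttrs
+      (_: pkgs: {
+        firewall-hetzner-app = import ./firewall/provider/hetzner/app.nix {
+          inherit pkgs;
+          taggedPorts = {
+            http.allowedTCPPorts = [80 443];
+            ssh.allowedTCPPorts = [22];
+            "bla bla" = {
+              allowedUDPPortRanges = [{from = 1332; to = 8891;}];
+              allowedTCPPorts = [101];
+              allowedUDPPorts = [102];
+            };
+          };
+          id = 1;
+        };
+      })
+      pkgsInstances;
   };
 }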
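Review bot: The new `firewall-hetzner-app` check only proves that the wrapper script derivation builds; it never looks at the ruleset it embeds, so a regression in rules.nix — a range rendered as something other than `1332-8891`, a tag dropped, a protocol swapped — would still pass, which is exactly the kind of bug that ends with a port open that should not be. Add a sibling check that renders `mkFirewallRuleset` on the same fixture to JSON and diffs it against a checked-in expected file (a new `rules.expected.json` next to rules.nix), so the emitted rules are pinned rather than just evaluable. Something like the following, keeping the existing fixture and the app check as they are:

```nix
checks =
  l.mapAttrs
  (_: pkgs: let
    rules = import ./firewall/provider/hetzner/rules.nix {lib = l;};
    taggedPorts = {
      # … unchanged: the http / ssh / "bla bla" fixture from the hunk …
    };
    actualJson = builtins.toFile "actual.json"
      (builtins.toJSON (rules.mkFirewallRuleset taggedPorts));
  in {
    firewall-hetzner-app = import ./firewall/provider/hetzner/app.nix {
      inherit pkgs taggedPorts;
      id = 1;
    };
    # pin the rendered ruleset, not just that the script builds
    firewall-hetzner-rules = pkgs.runCommand "firewall-hetzner-rules" {} ''
      ${pkgs.jq}/bin/jq -S . ${actualJson} > actual
      ${pkgs.jq}/bin/jq -S . ${./firewall/provider/hetzner/rules.expected.json} > expected
      diff expected actual
      touch $out
    '';
  })
  pkgsInstances;
```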