From e7c6df1c9b0c618e08658715039b38ed87f8137e Mon Sep 17 00:00:00 2001
From: hektor
Date: Mon, 23 Feb 2026 23:40:15 +0100
Subject: [PATCH] refactor: extract 'firewall' and 'wol' modules

---
 hosts/andromache/default.nix | 44 ++++++++++++++++++------------------
 hosts/astyanax/default.nix | 7 +++++-
 modules/firewall/default.nix | 27 ++++++++++++++++++++++
 modules/wol/default.nix | 33 +++++++++++++++++++++++++++
 4 files changed, 88 insertions(+), 23 deletions(-)
 create mode 100644 modules/firewall/default.nix
 create mode 100644 modules/wol/default.nix

diff --git a/hosts/andromache/default.nix b/hosts/andromache/default.nix
index b0bf839..ac3931b 100644
--- a/hosts/andromache/default.nix
+++ b/hosts/andromache/default.nix
@@ -24,23 +24,25 @@ in
 inherit lib config;
 device = "/dev/nvme1n1";
 })
- ../../modules/desktops/niri
+ ../../modules/audio
 ../../modules/backups
 ../../modules/bluetooth
- ../../modules/gaming
- ../../modules/keyboard
- (import ../../modules/networking { hostName = config.host.name; })
- ../../modules/users
- ../../modules/audio
- ../../modules/localization
+ ../../modules/desktops/niri
+ ../../modules/docker
+ ../../modules/firewall
 ../../modules/fonts
+ ../../modules/gaming
+ (import ../../modules/networking { hostName = config.host.name; })
+ ../../modules/keyboard
+ ../../modules/localization
+ ../../modules/nvidia
+ (import ../../modules/secrets { inherit lib inputs config; })
 ../../modules/ssh
 ../../modules/storage
 ../../modules/stylix
- (import ../../modules/secrets { inherit lib inputs config; })
- ../../modules/docker
 ../../modules/syncthing
- ../../modules/nvidia
+ ../../modules/users
+ ../../modules/wol
 ../../modules/yubikey
 ];
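Review bot: The added `(import ../../modules/networking { hostName = config.host.name; })` line sits between `../../modules/gaming` and `../../modules/keyboard`, which breaks the alphabetical order the rest of this hunk establishes (the `secrets` import, by contrast, is sorted under `s`). Moving it to sit between `../../modules/localization` and `../../modules/nvidia` keeps the list sorted by module name, which is the apparent intent of the reorder. Purely a style point; the set of imported modules is unaffected.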
@@ -113,17 +115,15 @@ in
 package = pkgs.plocate;
 };
- networking = {
- # TODO: generate unique hostId on actual host with: head -c 8 /etc/machine-id
- hostId = "80eef97e";
- interfaces = {
- eno1 = {
- wakeOnLan.enable = true;
- inherit (wolInterfaces.eno1) macAddress;
- };
- };
- firewall = {
- allowedUDPPorts = [ 9 ];
- };
+ networking.hostId = "80eef97e";
+
+ wol = {
+ enable = true;
+ interfaces.eno1 = { inherit (wolInterfaces.eno1) macAddress; };
+ };
+
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 22 ];
 };
 }
diff --git a/hosts/astyanax/default.nix b/hosts/astyanax/default.nix
index 2433d9d..53e3f12 100644
--- a/hosts/astyanax/default.nix
+++ b/hosts/astyanax/default.nix
@@ -38,6 +38,7 @@ in
 (import ../../modules/secrets { inherit lib inputs config; })
 ../../modules/docker
 ../../modules/nfc
+ ../../modules/firewall
 ];
 home-manager.users.${config.host.username} = import ../../home/hosts/astyanax {
@@ -89,10 +90,14 @@ in
 ];
 networking = {
- # TODO: generate unique hostId on actual host with: head -c 8 /etc/machine-id
 hostId = "80eef97e";
 };
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 22 ];
+ };
+
 boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
 services = {
diff --git a/modules/firewall/default.nix b/modules/firewall/default.nix
new file mode 100644
index 0000000..077cdef
--- /dev/null
+++ b/modules/firewall/default.nix
@@ -0,0 +1,27 @@
+{ lib, config, ... }:
+
+let
+ inherit (lib) mkEnableOption mkOption types;
+in
+{
+ options.firewall = {
+ enable = mkEnableOption "firewall";
+
+ allowedTCPPorts = mkOption {
+ type = types.listOf types.port;
+ default = [ ];
+ };
+
+ allowedUDPPorts = mkOption {
+ type = types.listOf types.port;
+ default = [ ];
+ };
+ };
+
+ config = lib.mkIf config.firewall.enable {
+ networking.firewall = {
+ enable = true;
+ inherit (config.firewall) allowedTCPPorts allowedUDPPorts;
+ };
+ };
+}
diff --git a/modules/wol/default.nix b/modules/wol/default.nix
new file mode 100644
index 0000000..7323738
--- /dev/null
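Review bot: The `# TODO: generate unique hostId on actual host …` reminder is deleted here (and again in the second astyanax hunk) while the value it warned about is unchanged: both hosts still set `hostId = "80eef97e"`, as the two hunks in this patch show side by side. NixOS documents `networking.hostId` as something that should be unique per machine, and, as far as I can tell, ZFS relies on it to refuse importing a pool that is already imported on another host, so two machines sharing one id weakens that protection. Dropping the TODO without changing one of the values hides the problem rather than resolving it. If the duplicate is deliberate for now, keep a one-line note at `networking.hostId`, e.g. `# NOTE: same hostId as astyanax — regenerate with: head -c 8 /etc/machine-id`.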
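Review bot: In modules/firewall/default.nix, `firewall.enable = false` does not do what the option name suggests: the `lib.mkIf config.firewall.enable` block then contributes nothing, so `networking.firewall` keeps its NixOS default (on, with no ports opened) rather than being turned off. That is the safe direction, but it should be stated so nobody later "fixes" it by wiring `enable` straight into `networking.firewall.enable`; a comment above the `config =` line such as `# enable = false leaves NixOS's default firewall active; this module only ever adds allowed ports` would do. The two port options also lack a `description`, which `mkOption` renders in the generated option docs; e.g. `description = "TCP ports opened in networking.firewall for this host; all other inbound ports stay closed.";` and the UDP counterpart.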
+++ b/modules/wol/default.nix
@@ -0,0 +1,33 @@
+{ lib, config, ... }:
+
+let
+ inherit (lib) mkEnableOption mkOption types;
+in
+{
+ options.wol = {
+ enable = mkEnableOption "Wake-on-LAN configuration";
+
+ interfaces = mkOption {
+ type = types.attrsOf (
+ types.submodule {
+ options = {
+ macAddress = mkOption {
+ type = types.str;
+ example = "02:68:b3:29:da:98";
+ };
+ };
+ }
+ );
+ default = { };
+ };
+ };
+
+ config = lib.mkIf config.wol.enable {
+ networking.interfaces = lib.mapAttrs (_: iface: {
+ wakeOnLan.enable = true;
+ inherit (iface) macAddress;
+ }) config.wol.interfaces;
+
+ # firewall.allowedUDPPorts = [ 9 ];
+ };
+}
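Review bot: `macAddress` is typed `types.str`, so a malformed value in a host's `wolInterfaces` entry passes evaluation and only surfaces when the interface is configured at activation; `type = types.strMatching "([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}";` rejects it at build time and agrees with the `example` given. The commented-out `# firewall.allowedUDPPorts = [ 9 ];` is the only trace of the `allowedUDPPorts = [ 9 ]` that the andromache hunk removes, so the reason for dropping it should be recorded rather than left as dead code: as far as I can tell a wake-up magic packet is matched by the NIC while the host is asleep and never passes through the host firewall, so UDP 9 need not be open for the host to be woken. Replace the dead line with `# UDP 9 is intentionally not opened: the NIC handles the magic packet while the host sleeps` or delete it. Worth a comment too that `inherit (iface) macAddress` feeds `networking.interfaces.<name>.macAddress`, which (if I read the NixOS option correctly) is applied to the interface, not merely recorded for WoL — the old andromache code did the same, so this is documentation, not a behaviour change.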