B4L/cnx-network-clan
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Hetzner Cloud firewall auto-sync from clan config

Browse Source 
control runs a oneshot on each deploy that creates each firewall if
missing and replaces its rules via the Hetzner API set_rules action,
using a Read/Write token stored as a clan secret. Public SSH is not
exposed; admin access rides the ZeroTier mesh, with emergency-access as
the console fallback.
This commit is contained in:
Berwn
2026-06-14 15:40:05 +07:00
parent dbb67dbd9c
commit 344f432640
2 changed files with 137 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/hetzner-firewall.nix
+98
View File
@@ -0,0 +1,98 @@
{ config, lib, pkgs, ... }:
let
cfg = config.cnx.hetznerFirewall;
in
{
options.cnx.hetznerFirewall = {
enable = lib.mkEnableOption "Hetzner Cloud firewall rule sync";
firewalls = lib.mkOption {
type = lib.types.attrsOf (lib.types.listOf (lib.types.attrsOf lib.types.anything));
default = { };
example = lib.literalExpression ''
{
"clan-control" = [
{ direction = "in"; protocol = "udp"; port = "9993"; source_ips = [ "0.0.0.0/0" "::/0" ]; }
];
}
'';
description = ''
Map of Hetzner Cloud firewall name to its full list of inbound rule
objects, written with the Hetzner API field names (direction, protocol,
port, source_ips, description). The entire rule set is replaced on each
sync, so this is the single source of truth. A firewall that does not
exist yet is created (unapplied); applying it to servers is done out of
band.
'';
};
tokenFile = lib.mkOption {
type = lib.types.path;
default = config.clan.core.vars.generators.hetzner-firewall.files.token.path;
defaultText = lib.literalExpression
"config.clan.core.vars.generators.hetzner-firewall.files.token.path";
description = "File holding the Hetzner Cloud API token (Read & Write).";
};
};
config = lib.mkIf cfg.enable {
clan.core.vars.generators.hetzner-firewall = {
prompts.token = {
description = "Hetzner Cloud API token (Read & Write)";
type = "hidden";
persist = true;
};
};
systemd.services.hetzner-firewall-sync = {
description = "Sync Hetzner Cloud firewall rules from Nix config";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
path = [ pkgs.curl pkgs.jq pkgs.coreutils ];
environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
serviceConfig = {
Type = "oneshot";
LoadCredential = "token:${cfg.tokenFile}";
DynamicUser = true;
ProtectSystem = "strict";
ProtectHome = true;
PrivateTmp = true;
NoNewPrivileges = true;
};
script = ''
set -euo pipefail
api="https://api.hetzner.cloud/v1"
# Keep the bearer token out of process argv: read it from the systemd
# credential and stash it in a private (PrivateTmp) 0600 header file.
hdr="$(mktemp)"
printf 'Authorization: Bearer %s\n' "$(cat "$CREDENTIALS_DIRECTORY/token")" > "$hdr"
hapi() {
curl -fsS -H @"$hdr" -H "Content-Type: application/json" "$@"
}
${lib.concatStringsSep "\n" (lib.mapAttrsToList (fwName: rules: ''
name=${lib.escapeShellArg fwName}
rules=${lib.escapeShellArg (builtins.toJSON rules)}
id="$(hapi "$api/firewalls?name=$name" | jq -r '.firewalls[0].id // empty')"
if [ -z "$id" ]; then
echo "hetzner-firewall: creating $name"
jq -n --arg name "$name" --argjson rules "$rules" '{name: $name, rules: $rules}' \
| hapi -X POST --data-binary @- "$api/firewalls" > /dev/null
else
echo "hetzner-firewall: setting rules on $name (id $id)"
jq -n --argjson rules "$rules" '{rules: $rules}' \
| hapi -X POST --data-binary @- "$api/firewalls/$id/actions/set_rules" > /dev/null
fi
'') cfg.firewalls)}
'';
};
# Re-apply on every `clan machines update` (activation), not just at boot or
# when the rule set changes. --no-block keeps it from blocking the switch;
# a failed sync is logged to the journal but never fails the deploy.
system.activationScripts.hetznerFirewallSync = ''
${config.systemd.package}/bin/systemctl start --no-block hetzner-firewall-sync.service || true
'';
};
}