Berwn
109 lines
3.8 KiB
Nix
109 lines
3.8 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}:
|
|
let
|
|
cfg = config.cnx.hetznerFirewall;
|
|
in
|
|
{
|
|
options.cnx.hetznerFirewall = {
|
|
enable = lib.mkEnableOption "Hetzner Cloud firewall rule sync";
|
|
|
|
firewalls = lib.mkOption {
|
|
type = lib.types.attrsOf (lib.types.listOf (lib.types.attrsOf lib.types.anything));
|
|
default = { };
|
|
example = lib.literalExpression ''
|
|
{
|
|
"clan-control" = [
|
|
{ direction = "in"; protocol = "udp"; port = "9993"; source_ips = [ "0.0.0.0/0" "::/0" ]; }
|
|
];
|
|
}
|
|
'';
|
|
description = ''
|
|
Map of Hetzner Cloud firewall name to its full list of inbound rule
|
|
objects, written with the Hetzner API field names (direction, protocol,
|
|
port, source_ips, description). The entire rule set is replaced on each
|
|
sync, so this is the single source of truth. A firewall that does not
|
|
exist yet is created (unapplied); applying it to servers is done out of
|
|
band.
|
|
'';
|
|
};
|
|
|
|
tokenFile = lib.mkOption {
|
|
type = lib.types.path;
|
|
default = config.clan.core.vars.generators.hetzner-firewall.files.token.path;
|
|
defaultText = lib.literalExpression "config.clan.core.vars.generators.hetzner-firewall.files.token.path";
|
|
description = "File holding the Hetzner Cloud API token (Read & Write).";
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
clan.core.vars.generators.hetzner-firewall = {
|
|
prompts.token = {
|
|
description = "Hetzner Cloud API token (Read & Write)";
|
|
type = "hidden";
|
|
persist = true;
|
|
};
|
|
};
|
|
|
|
systemd.services.hetzner-firewall-sync = {
|
|
description = "Sync Hetzner Cloud firewall rules from Nix config";
|
|
after = [ "network-online.target" ];
|
|
wants = [ "network-online.target" ];
|
|
path = [
|
|
pkgs.curl
|
|
pkgs.jq
|
|
pkgs.coreutils
|
|
];
|
|
environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
LoadCredential = "token:${cfg.tokenFile}";
|
|
DynamicUser = true;
|
|
ProtectSystem = "strict";
|
|
ProtectHome = true;
|
|
PrivateTmp = true;
|
|
NoNewPrivileges = true;
|
|
};
|
|
script = ''
|
|
set -euo pipefail
|
|
api="https://api.hetzner.cloud/v1"
|
|
|
|
# Keep the bearer token out of process argv: read it from the systemd
|
|
# credential and stash it in a private (PrivateTmp) 0600 header file.
|
|
hdr="$(mktemp)"
|
|
printf 'Authorization: Bearer %s\n' "$(cat "$CREDENTIALS_DIRECTORY/token")" > "$hdr"
|
|
hapi() {
|
|
curl -fsS -H @"$hdr" -H "Content-Type: application/json" "$@"
|
|
}
|
|
|
|
${lib.concatStringsSep "\n" (
|
|
lib.mapAttrsToList (fwName: rules: ''
|
|
name=${lib.escapeShellArg fwName}
|
|
rules=${lib.escapeShellArg (builtins.toJSON rules)}
|
|
id="$(hapi "$api/firewalls?name=$name" | jq -r '.firewalls[0].id // empty')"
|
|
if [ -z "$id" ]; then
|
|
echo "hetzner-firewall: creating $name"
|
|
jq -n --arg name "$name" --argjson rules "$rules" '{name: $name, rules: $rules}' \
|
|
| hapi -X POST --data-binary @- "$api/firewalls" > /dev/null
|
|
else
|
|
echo "hetzner-firewall: setting rules on $name (id $id)"
|
|
jq -n --argjson rules "$rules" '{rules: $rules}' \
|
|
| hapi -X POST --data-binary @- "$api/firewalls/$id/actions/set_rules" > /dev/null
|
|
fi
|
|
'') cfg.firewalls
|
|
)}
|
|
'';
|
|
};
|
|
|
|
# Re-apply on every `clan machines update` (activation), not just at boot or
|
|
# when the rule set changes. --no-block keeps it from blocking the switch;
|
|
# a failed sync is logged to the journal but never fails the deploy.
|
|
system.activationScripts.hetznerFirewallSync = ''
|
|
${config.systemd.package}/bin/systemctl start --no-block hetzner-firewall-sync.service || true
|
|
'';
|
|
};
|
|
}
|