+30

firewall/default.nix

··· 1 1 + {lib, config, options, ...}: let 2 2 + l = lib; 3 3 + t = l.types; 4 4 + cfg = config.networking.firewall.public; 5 5 + 6 6 + portOptions = { 7 7 + inherit (options.networking.firewall) 8 8 + allowedTCPPorts 9 9 + allowedUDPPorts 10 10 + allowedTCPPortRanges 11 11 + allowedUDPPortRanges; 12 12 + }; 13 13 + in { 14 14 + options = { 15 15 + networking.firewall.public = l.mkOption { 16 16 + default = { }; 17 17 + type = t.attrsOf (t.submodule [{ options = portOptions; }]); 18 18 + description = "Tagged open port sets."; 19 19 + }; 20 20 + }; 21 21 + 22 22 + config = let 23 23 + concatAll = name: l.concatLists (l.mapAttrsToList (_: opts: opts.${name}) cfg); 24 24 + in { 25 25 + networking.firewall.allowedTCPPorts = concatAll "allowedTCPPorts"; 26 26 + networking.firewall.allowedTCPPortRanges = concatAll "allowedTCPPortRanges"; 27 27 + networking.firewall.allowedUDPPorts = concatAll "allowedUDPPorts"; 28 28 + networking.firewall.allowedUDPPortRanges = concatAll "allowedUDPPortRanges"; 29 29 + }; 30 30 + }

+37

firewall/provider/hetzner/app.nu

··· 1 1 + use std/log 2 2 + 3 3 + let authHeader = ["authorization" $"Bearer ($env.HETZNER_API_TOKEN)"] 4 4 + 5 5 + def makeApiUrl [path: string] { 6 6 + return $"https://api.hetzner.cloud/v1($path)" 7 7 + } 8 8 + def post [path: string] { 9 9 + let resp = $in | http post -e --full -H authHeader --content-type application/json (makeApiUrl path) 10 10 + $resp.body = $resp.body | from json 11 11 + $resp 12 12 + } 13 13 + def get [path: string] { 14 14 + let resp = http get -e --full -H authHeader (makeApiUrl path) 15 15 + $resp.body = $resp.body | from json 16 16 + $resp 17 17 + } 18 18 + 19 19 + # first fetch firewall to see if it even exists 20 20 + let resp = get $"/firewalls/($firewallId)" 21 21 + if $resp.status == 404 { 22 22 + log error $"provided firewall \(id ($firewallId)\) does not exist" 23 23 + exit 1 24 24 + } 25 25 + let firewall = $resp.body | get firewall 26 26 + 27 27 + # backup firewall 28 28 + let backupPath = $".hetzner/($firewallId).json" 29 29 + mkdir .hetzner; $firewall | to json | save $backupPath 30 30 + log info $"backing up firewall ($firewallId) to ($backupPath)" 31 31 + 32 32 + # apply rules 33 33 + let resp = open $rulesFile | from json | post $"/firewalls/($firewallId)/actions/set_rules" 34 34 + if $resp.status != 201 { 35 35 + log error $"could not apply firewall \(id ($firewallId)\)" 36 36 + } 37 37 + log info $"applied firewall ($firewallId)"

+56

firewall/provider/hetzner/default.nix

··· 1 1 + {pkgs, lib, config, options, ...}: let 2 2 + l = lib; 3 3 + t = l.types; 4 4 + taggedPorts = config.networking.firewall.public; 5 5 + cfg = config.providers.hetzner; 6 6 + in { 7 7 + options = { 8 8 + providers.hetzner.firewall = { 9 9 + id = l.mkOption { 10 10 + type = t.ints.unsigned; 11 11 + description = "The ID of the firewall to update."; 12 12 + }; 13 13 + app = l.mkOption { 14 14 + type = t.package; 15 15 + readOnly = true; 16 16 + description = '' 17 17 + The generated app for this provider, run it to apply the configuration. 18 18 + 19 19 + For this to work, you need to set the `HETZNER_API_TOKEN` environment variable to a valid API token from Hetzner. 20 20 + ''; 21 21 + }; 22 22 + }; 23 23 + }; 24 24 + 25 25 + config = let 26 26 + mkRule = proto: tag: port: { 27 27 + description = tag; 28 28 + direction = "in"; 29 29 + protocol = proto; 30 30 + port = 31 31 + if l.isAttrs port 32 32 + then l.concatMapStringsSep "-" toString [port.from port.to] 33 33 + else toString port; 34 34 + }; 35 35 + mkTcpRule = mkRule "tcp"; 36 36 + mkUdpRule = mkRule "udp"; 37 37 + firewallRules = pkgs.writers.writeJSON "hetzner-firewall-${toString cfg.id}-rules.json" { 38 38 + rules = l.flatten ( 39 39 + l.mapAttrsToList 40 40 + (tag: ports: [ 41 41 + (l.map (mkTcpRule tag) ports.allowedTCPPorts) 42 42 + (l.map (mkTcpRule tag) ports.allowedTCPPortRanges) 43 43 + (l.map (mkUdpRule tag) ports.allowedUDPPorts) 44 44 + (l.map (mkUdpRule tag) ports.allowedUDPPortRanges) 45 45 + ]) 46 46 + taggedPorts 47 47 + ); 48 48 + }; 49 49 + in { 50 50 + providers.hetzner.firewall.app = pkgs.writers.writeNu "apply-hetzner" '' 51 51 + let firewallId = ${toString cfg.id} 52 52 + let rulesFile = ${firewallRules} 53 53 + ${l.fileContents ./app.nu} 54 54 + ''; 55 55 + }; 56 56 + }

+27

flake.lock

··· 1 1 + { 2 2 + "nodes": { 3 3 + "nixpkgs": { 4 4 + "locked": { 5 5 + "lastModified": 1752480373, 6 6 + "narHash": "sha256-JHQbm+OcGp32wAsXTE/FLYGNpb+4GLi5oTvCxwSoBOA=", 7 7 + "owner": "nixos", 8 8 + "repo": "nixpkgs", 9 9 + "rev": "62e0f05ede1da0d54515d4ea8ce9c733f12d9f08", 10 10 + "type": "github" 11 11 + }, 12 12 + "original": { 13 13 + "owner": "nixos", 14 14 + "ref": "nixos-unstable", 15 15 + "repo": "nixpkgs", 16 16 + "type": "github" 17 17 + } 18 18 + }, 19 19 + "root": { 20 20 + "inputs": { 21 21 + "nixpkgs": "nixpkgs" 22 22 + } 23 23 + } 24 24 + }, 25 25 + "root": "root", 26 26 + "version": 7 27 27 + }

+12

flake.nix

··· 1 1 + { 2 2 + description = "nixos modules for convenient deployment of cloud resources"; 3 3 + 4 4 + inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; 5 5 + 6 6 + outputs = inp: { 7 7 + nixosModules = { 8 8 + firewall = ./firewall/default.nix; 9 9 + firewall-hetzner = ./firewall/provider/hetzner/default.nix; 10 10 + }; 11 11 + }; 12 12 + }