feat[server]: add firezone

2026-04-14 21:29:12 +02:00 · 2026-01-01 02:30:10 +01:00 · 2026-01-01 02:30:10 +01:00 · 4da9291223
commit 4da9291223
parent c8f7739326
69 changed files with 2415 additions and 1132 deletions
--- a/modules/nixos/common/globals.nix
+++ b/modules/nixos/common/globals.nix
@ -5,6 +5,29 @@ let
    types
    ;

+  firewallOptions = {
+    allowedTCPPorts = mkOption {
+      type = types.listOf types.port;
+      default = [ ];
+      description = "Convenience option to open specific TCP ports for traffic from the network.";
+    };
+    allowedUDPPorts = mkOption {
+      type = types.listOf types.port;
+      default = [ ];
+      description = "Convenience option to open specific UDP ports for traffic from the network.";
+    };
+    allowedTCPPortRanges = mkOption {
+      type = lib.types.listOf (lib.types.attrsOf lib.types.port);
+      default = [ ];
+      description = "Convenience option to open specific TCP port ranges for traffic from another node.";
+    };
+    allowedUDPPortRanges = mkOption {
+      type = lib.types.listOf (lib.types.attrsOf lib.types.port);
+      default = [ ];
+      description = "Convenience option to open specific UDP port ranges for traffic from another node.";
+    };
+  };
+
  networkOptions = netSubmod: {
    cidrv4 = mkOption {
      type = types.nullOr types.net.cidrv4;
@ -25,6 +48,20 @@ let
      default = null;
    };

+    firewallRuleForAll = mkOption {
+      default = { };
+      description = ''
+        If this is a wireguard network: Allows you to set specific firewall rules for traffic originating from any participant in this
+        wireguard network. A corresponding rule `<network-name>-to-<local-zone-name>` will be created to easily expose
+        services to the network.
+      '';
+      type = types.submodule {
+        options = firewallOptions;
+      };
+    };
+
+
+
    hosts = mkOption {
      default = { };
      type = types.attrsOf (
@ -85,6 +122,20 @@ let
                # if we use the /32 wan address as local address directly, do not use the network address in ipv6
                  lib.net.cidr.hostCidr (if hostSubmod.config.id == 0 then 1 else hostSubmod.config.id) netSubmod.config.cidrv6;
            };
+
+            firewallRuleForNode = mkOption {
+              default = { };
+              description = ''
+                If this is a wireguard network: Allows you to set specific firewall rules just for traffic originating from another network node.
+                A corresponding rule `<network-name>-node-<node-name>-to-<local-zone-name>` will be created to easily expose
+                services to that node.
+              '';
+              type = types.attrsOf (
+                types.submodule {
+                  options = firewallOptions;
+                }
+              );
+            };
          };
        })
      );
@ -210,12 +261,14 @@ in
            };
          };

-
+          general = lib.mkOption {
+            type = types.submodule {
+              freeformType = types.unspecified;
+            };
+          };

        };

-
-
      };
    };

--- a/modules/nixos/common/nodes.nix
+++ b/modules/nixos/common/nodes.nix
@ -1,5 +1,5 @@
 # adapted from https://github.com/oddlama/nix-config/blob/main/modules/distributed-config.nix
-{ config, lib, outputs, ... }:
+{ config, lib, nodes, ... }:
 let
  nodeName = config.node.name;
  mkForwardedOption =
@ -23,23 +23,21 @@ let
      '';
    };

+  expandOptions = basePath: optionNames: map (option: basePath ++ [ option ]) optionNames;
+  splitPath = path: lib.splitString "." path;
+
  forwardedOptions = [
-    [
-      "services"
-      "nginx"
-      "upstreams"
-    ]
-    [
-      "services"
-      "nginx"
-      "virtualHosts"
-    ]
-    [
-      "swarselsystems"
-      "server"
-      "dns"
-    ]
-  ];
+    (splitPath "boot.kernel.sysctl")
+    (splitPath "networking.nftables.chains.postrouting")
+    (splitPath "services.kanidm.provision.groups")
+    (splitPath "services.kanidm.provision.systems.oauth2")
+    (splitPath "sops.secrets")
+    (splitPath "swarselsystems.server.dns")
+  ]
+  ++ expandOptions (splitPath "networking.nftables.firewall") [ "zones" "rules" ]
+  ++ expandOptions (splitPath "services.firezone.gateway") [ "enable" "name" "apiUrl" "tokenFile" "package" "logLevel" ]
+  ++ expandOptions (splitPath "services.nginx") [ "upstreams" "virtualHosts" ]
+  ;

  attrsForEachOption =
    f: lib.foldl' (acc: path: lib.recursiveUpdate acc (lib.setAttrByPath path (f path))) { } forwardedOptions;
@ -60,10 +58,10 @@ in
      getConfig =
        path: otherNode:
        let
-          cfg = outputs.nixosConfigurations.${otherNode}.config.nodes.${nodeName} or null;
+          cfg = nodes.${otherNode}.config.nodes.${nodeName} or null;
        in
        lib.optionals (cfg != null) (lib.getAttrFromPath path cfg);
-      mergeConfigFromOthers = path: lib.mkMerge (lib.concatMap (getConfig path) (lib.attrNames outputs.nixosConfigurations));
+      mergeConfigFromOthers = path: lib.mkMerge (lib.concatMap (getConfig path) (lib.attrNames nodes));
    in
    attrsForEachOption mergeConfigFromOthers;
 }