Fix duplicate port check

This commit is contained in:
Jakob Lechner 2025-04-10 01:13:11 +02:00
parent 48e71f75f8
commit 6f01431032
39 changed files with 132 additions and 158 deletions


@ -1,33 +1,5 @@
{ lib, ... }:
let
filterPort = pm: port: (
lib.attrsets.catAttrs port (
lib.attrsets.attrValues (
lib.attrsets.filterAttrs (_: v: v ? "${port}") pm
)
)
);
onlyUniqueItemsInList = x: lib.lists.length x == lib.lists.length (lib.lists.unique x);
protocols = x: lib.lists.unique (lib.flatten (map builtins.attrNames (lib.attrValues x)));
mkRange = x: lib.lists.range (builtins.elemAt x 0) (builtins.elemAt x 1);
validateList = allowed: builtins.all (x: builtins.elem x allowed);
in
{
validatePortAttrset = portmap:
if ! onlyUniqueItemsInList (lib.flatten (map
(x:
if lib.isInt x then x
else if lib.isList x then x
else if lib.isAttrs x then
(
if ! validateList [ "range" ] (builtins.attrNames x) then builtins.abort "found invalid attribute name"
else if x ? "range" then if lib.lists.length x.range == 2 then mkRange x.range else builtins.abort "range needs a list with exactly two items"
else builtins.abort "found invalid attrset"
)
else builtins.abort "found invalid entry in portmap"
)
(filterPort portmap "udp"))) then builtins.abort "Found duplicate ports."
else if ! validateList [ "tcp" "udp" ] (protocols portmap) then builtins.abort "Found invalid protocol."
else portmap;
validatePortAttrset = import ./ports.nix { inherit lib; };
}


@ -9,25 +9,25 @@ let
)
);
onlyUniqueItemsInList = x: lib.lists.length x == lib.lists.length (lib.lists.unique x);
protocols = x: lib.lists.unique (lib.flatten (map builtins.attrNames (lib.attrValues x)));
mkRange = x: lib.lists.range (builtins.elemAt x 0) (builtins.elemAt x 1);
validateList = allowed: builtins.all (x: builtins.elem x allowed);
mkRange = { from, to }: (lib.lists.range from to);
in
{
validatePortAttrset = portmap:
if ! onlyUniqueItemsInList (lib.flatten (map
portmap:
if builtins.all
(
proto:
if onlyUniqueItemsInList
(
lib.flatten (
map
(x:
if lib.isInt x then x
else if lib.isList x then x
else if lib.isAttrs x then
(
if ! validateList [ "range" ] (builtins.attrNames x) then builtins.abort "found invalid attribute name"
else if x ? "range" then if lib.lists.length x.range == 2 then mkRange x.range else builtins.abort "range needs a list with exactly two items"
else builtins.abort "found invalid attrset"
)
else if lib.isAttrs x then mkRange x
else builtins.abort "found invalid entry in portmap"
)
(filterPort portmap "udp"))) then builtins.abort "Found duplicate ports."
else if ! validateList [ "tcp" "udp" ] (protocols portmap) then builtins.abort "Found invalid protocol."
else portmap;
}
(filterPort portmap proto)
)
) then true else builtins.abort "Found duplicate ${proto} ports."
) [ "tcp" "udp" ]
then portmap
else builtins.abort "Found duplicate ports."
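Review bot: `mkRange = { from, to }: (lib.lists.range from to);` silently yields an empty list when `from > to`, so an inverted range passes the duplicate check unnoticed and is then handed as-is to consumers such as `allowedUDPPortRanges`; I would make it `mkRange = { from, to }: if from > to then builtins.abort "port range: from must not exceed to" else lib.lists.range from to;`. The outer `else builtins.abort "Found duplicate ports."` looks unreachable, because the per-protocol function either returns `true` or aborts itself — `builtins.seq (builtins.all … [ "tcp" "udp" ]) portmap` would express the intent without the dead branch. The protocol-name check via `validateList [ "tcp" "udp" ] (protocols portmap)` appears to be dropped here; if that is meant to be covered by the submodule option type, a one-line comment saying so would help, since the validator can still be called on attrsets that never pass through the module. The enclosing `let` block starts outside this hunk.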


@ -5,6 +5,7 @@
./hardware-configuration.nix
../../users/jalr
./services
./ports.nix
];
services.openssh.enable = true;


@ -1,7 +1,8 @@
{ custom-utils, ... }:
custom-utils.validatePortAttrset {
asterisk-rtp = { udp.range = [ 10000 10200 ]; };
{
config.networking.ports = custom-utils.validatePortAttrset {
asterisk-rtp.udp = { from = 10000; to = 10200; };
doorbell-audiosocket.tcp = 9092;
doorbell-webrtc-ice.tcp = 8189;
doorbell-webrtc.tcp = 8889;
@ -11,4 +12,5 @@ custom-utils.validatePortAttrset {
nginx-https.tcp = 443;
unifi-inform.tcp = 8080;
unifi-ui.tcp = 8443;
};
}


@ -1,16 +1,12 @@
args@{ config, lib, pkgs, ... }:
{ config, lib, pkgs, ... }:
let
ports = import ../../ports.nix args;
inherit (config.networking) ports;
secretConfigFiles = [
"ari"
"pjsip"
"voicemail"
];
rtp = {
start = builtins.elemAt ports.asterisk-rtp.udp.range 0;
end = builtins.elemAt ports.asterisk-rtp.udp.range 1;
};
voicemail-sounds = pkgs.callPackage ./voicemail-sounds { };
in
{
@ -142,8 +138,8 @@ in
'';
"rtp.conf" = ''
[general]
rtpstart=${toString rtp.start}
rtpend=${toString rtp.end}
rtpstart=${toString ports.asterisk-rtp.udp.from}
rtpend=${toString ports.asterisk-rtp.udp.to}
'';
"dnsmgr.conf" = ''
[general]
@ -167,12 +163,7 @@ in
(lib.listToAttrs (map (name: lib.nameValuePair name { }) secretConfigFiles));
networking.firewall = {
allowedUDPPortRanges = [
{
from = rtp.start;
to = rtp.end;
}
];
allowedUDPPortRanges = lib.singleton ports.asterisk-rtp.udp;
interfaces.voice = {
allowedTCPPorts = [ 5060 ];
allowedUDPPorts = [ 5060 ];


@ -1,7 +1,7 @@
args@{ config, ... }:
{ config, ... }:
let
ports = import ../ports.nix args;
inherit (config.networking) ports;
in
{
sops.secrets.myintercom-doorbell-password = {


@ -1,6 +1,6 @@
args@{ lib, pkgs, config, ... }:
{ lib, pkgs, config, ... }:
let
ports = import ../../ports.nix args;
inherit (config.networking) ports;
cfgdir = pkgs.stdenvNoCC.mkDerivation {
name = "esphome-config";
src = ./devices;


@ -1,6 +1,6 @@
args@{ pkgs, config, ... }:
{ pkgs, config, ... }:
let
ports = import ../ports.nix args;
inherit (config.networking) ports;
in
{
services.home-assistant = {


@ -1,7 +1,7 @@
args:
{ config, ... }:
let
ports = import ../ports.nix args;
inherit (config.networking) ports;
in
{
services.nginx = {


@ -1,7 +1,7 @@
args@{ pkgs, ... }:
{ config, pkgs, ... }:
let
ports = import ../ports.nix args;
inherit (config.networking) ports;
in
{
services.unifi = {


@ -34,6 +34,7 @@ with lib; {
imports = [
../../users/jalr
./services
./ports.nix
];
config = {
system.stateVersion = "23.11";


@ -1,6 +1,7 @@
{ custom-utils, ... }:
custom-utils.validatePortAttrset {
{
config.networking.ports = custom-utils.validatePortAttrset {
calibre-server.tcp = 8081;
calibre-web.tcp = 8082;
esphome.tcp = 6052;
@ -14,7 +15,7 @@ custom-utils.validatePortAttrset {
nginx-http.tcp = 80;
nginx-https.tcp = 443;
postfix-relay.tcp = 25;
postfix-submission.tcp = [ 465 ];
postfix-submission.tcp = 465;
qbittorrent-torrent.tcp = 59832;
qbittorrent-webui.tcp = 8099;
radicale.tcp = 5232;
@ -25,4 +26,5 @@ custom-utils.validatePortAttrset {
unifi-http.tcp = 8080;
unifi-https.tcp = 8443;
wireguard-public-ip-tunnel.udp = 51000;
};
}


@ -1,6 +1,6 @@
args@{ lib, config, ... }:
{ lib, config, ... }:
let
ports = import ../ports.nix args;
inherit (config.networking) ports;
in
{
sops.secrets.calibre-htpasswd = {


@ -1,6 +1,6 @@
args@{ lib, pkgs, config, ... }:
{ lib, pkgs, config, ... }:
let
ports = import ../../ports.nix args;
inherit (config.networking) ports;
cfgdir = pkgs.stdenvNoCC.mkDerivation {
name = "esphome-config";
src = ./devices;


@ -1,6 +1,6 @@
args@{ lib, pkgs, config, ... }:
{ lib, pkgs, config, ... }:
let
ports = import ../ports.nix args;
inherit (config.networking) ports;
interfaces = import ../interfaces.nix;
domain = "hass.jalr.de";
in


@ -1,6 +1,6 @@
args@{ lib, ... }:
{ config, lib, ... }:
let
ports = import ../ports.nix args;
inherit (config.networking) ports;
in
{
services.jellyfin = {


@ -1,7 +1,7 @@
args:
{ config, ... }:
let
ports = import ../ports.nix args;
inherit (config.networking) ports;
in
{
#sops.secrets."domain_key_jalr.de" = {


@ -1,7 +1,7 @@
args@{ config, pkgs, ... }:
{ config, pkgs, ... }:
let
ports = import ../ports.nix args;
inherit (config.networking) ports;
signalPhoneNumber = "+4915566437153";
signalUser = "jalr";
in


@ -1,7 +1,7 @@
args@{ config, lib, pkgs, ... }:
{ config, lib, pkgs, ... }:
let
ports = import ../ports.nix args;
inherit (config.networking) ports;
settings = {
# https://www.navidrome.org/docs/usage/configuration-options/#available-options
Address = "127.0.0.1";


@ -1,7 +1,7 @@
args:
{ config, ... }:
let
ports = import ../ports.nix args;
inherit (config.networking) ports;
in
{
services.nginx = {


@ -1,7 +1,7 @@
args@{ config, lib, pkgs, ... }:
{ config, lib, pkgs, ... }:
let
ports = import ../ports.nix args;
inherit (config.networking) ports;
listenPort = ports.wireguard-public-ip-tunnel.udp;
remoteHost = "magnesium.jalr.de";
remotePort = 51000;


@ -1,7 +1,7 @@
args@{ config, ... }:
{ config, ... }:
let
ports = import ../ports.nix args;
inherit (config.networking) ports;
in
{
sops.secrets.radicale-htpasswd = {


@ -1,6 +1,6 @@
args@{ lib, config, pkgs, ... }:
{ lib, config, pkgs, ... }:
let
ports = import ../ports.nix args;
inherit (config.networking) ports;
domain = "rmfakecloud.jalr.de";
cfg = config.services.rmfakecloud;
mkEnvironment = settings: lib.strings.concatLines (


@ -1,6 +1,6 @@
args@{ lib, pkgs, config, ... }:
{ lib, pkgs, config, ... }:
let
ports = import ../../ports.nix args;
inherit (config.networking) ports;
interfaces = import ../../interfaces.nix;
in
{


@ -1,7 +1,7 @@
args:
{ config, ... }:
let
ports = import ../ports.nix args;
inherit (config.networking) ports;
in
{
jalr.qbittorrent = {


@ -1,7 +1,7 @@
args@{ pkgs, ... }:
{ config, pkgs, ... }:
let
ports = import ../ports.nix args;
inherit (config.networking) ports;
interfaces = import ../interfaces.nix;
in
{


@ -1,7 +1,7 @@
args@{ pkgs, ... }:
{ config, pkgs, ... }:
let
ports = import ../ports.nix args;
inherit (config.networking) ports;
shutdownAndroidVm = pkgs.writeShellScript "shutdown-android-vm" ''
set -e
export PATH=${pkgs.lib.makeBinPath [pkgs.libvirt pkgs.gnused pkgs.android-tools]}


@ -1,5 +1,7 @@
{ custom-utils, ... }:
{
config.networking.ports = {
config.networking.ports = custom-utils.validatePortAttrset {
coturn-cli.tcp = 5766;
coturn-plain = { tcp = [ 3478 3479 ]; udp = [ 3478 3479 ]; };
coturn-relay.udp = { from = 49160; to = 49200; };


@ -3,7 +3,7 @@
let
cfg = config.services.coturn;
fqdn = "turn.jalr.de";
ports = config.networking.ports;
inherit (config.networking) ports;
in
{
sops.secrets.turn-static-auth-secret = {


@ -2,7 +2,7 @@
let
domain = "git.jalr.de";
cfg = config.services.forgejo;
ports = config.networking.ports;
inherit (config.networking) ports;
in
{
sops.secrets.forgejo-mail = {


@ -3,7 +3,7 @@
let
domain = "pad.jalr.de";
cfg = config.services.hedgedoc;
ports = config.networking.ports;
inherit (config.networking) ports;
in
{
sops.secrets.hedgedoc-session-secret = {


@ -3,7 +3,7 @@ let
cfg = config.services.ntfy-sh;
domain = "ntfy.jalr.de";
datadir = "/var/lib/ntfy-sh";
ports = config.networking.ports;
inherit (config.networking) ports;
in
{
# ntfy access --auth-file /var/lib/private/ntfy-sh/user.db '*' 'up*' write-only


@ -3,7 +3,7 @@
let
listenPort = ports.wireguard-public-ip-tunnel.udp;
publicKey = "GCmQs7upvDYFueEfqD2yJkkOZg3K7YaGluWWzdjsyTo=";
ports = config.networking.ports;
inherit (config.networking) ports;
in
{
sops.secrets = lib.listToAttrs (map


@ -2,7 +2,7 @@
let
domain = "notes.jalr.de";
ports = config.networking.ports;
inherit (config.networking) ports;
in
{
services.trilium-server = {


@ -3,7 +3,7 @@
let
domain = "jalr.de";
matrixDomain = "matrix.jalr.de";
ports = config.networking.ports;
inherit (config.networking) ports;
in
{
networking.firewall.allowedTCPPorts = [ ports.nginx-http.tcp ports.nginx-https.tcp ];


@ -3,6 +3,7 @@
./hardware-configuration.nix
../../users/jalr
./services
./ports.nix
];
networking.hostName = "weinturm-pretix-prod";


@ -1,8 +1,10 @@
{ custom-utils, ... }:
custom-utils.validatePortAttrset {
{
config.networking.ports = custom-utils.validatePortAttrset {
nginx-http.tcp = 80;
nginx-https.tcp = 443;
ports.postfix-relay.tcp = 25;
ports.postfix-submission.tcp = [ 465 ];
postfix-relay.tcp = 25;
postfix-submission.tcp = 465;
};
}


@ -1,8 +1,8 @@
args@{ config, lib, ... }:
{ config, lib, ... }:
let
cfg = config.services.pretix;
ports = import ../ports.nix args;
inherit (config.networking) ports;
domain = "tickets.weinturm-open-air.de";
extraDomains = [
"tickets.weinturm.jalr.de"


@ -1,16 +1,16 @@
{lib, ...}:
{ lib, ... }:
{
options.networking.ports = with lib; with lib.types; mkOption {
type = attrsOf (types.submodule {
options = {
tcp = mkOption {
type = oneOf [ port (listOf port) (attrsOf port) (listOf (attrsOf lib.types.port)) ];
type = oneOf [ port (listOf port) (attrsOf port) ];
description = "TCP ports";
default = [ ];
};
udp = mkOption {
type = oneOf [ port (listOf port) (attrsOf port) (listOf (attrsOf lib.types.port)) ];
type = oneOf [ port (listOf port) (attrsOf port) ];
description = "UDP ports";
default = [ ];
};