From 80e93f98b31894d69676062e4ca7391ee2f3eee1 Mon Sep 17 00:00:00 2001
From: Ittihadyya
Date: Fri, 20 Dec 2024 21:23:12 +0200
Subject: [PATCH] fixed a glaring vulnerability, thank god i caught this -e

---
 cluster/virtualisation.mod.nix | 8 ++++++--
 networking/firewall.mod.nix | 9 +++++++--
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/cluster/virtualisation.mod.nix b/cluster/virtualisation.mod.nix
index 2a82fd3..872b901 100644
--- a/cluster/virtualisation.mod.nix
+++ b/cluster/virtualisation.mod.nix
@@ -8,14 +8,18 @@
 ];
 sucrose.modules = [
 (
- {pkgs, config, ...}: {
+ {
+ pkgs,
+ config,
+ ...
+ }: {
 environment.systemPackages = [pkgs.podman-compose];
 virtualisation = {
 containers.enable = true;
 podman = {
 enable = true;
 dockerCompat = false;
- defaultNetwork.settings.dns_enabled = (config.networking.hostName == "glucose"); # TODO: fix this stupid shit ssometime -e
+ defaultNetwork.settings.dns_enabled = config.networking.hostName == "glucose"; # TODO: fix this stupid shit ssometime -e
 };
 oci-containers.backend = "podman";
 };
diff --git a/networking/firewall.mod.nix b/networking/firewall.mod.nix
index 485fd99..3f43496 100644
--- a/networking/firewall.mod.nix
+++ b/networking/firewall.mod.nix
@@ -1,8 +1,13 @@
 {
 universal.modules = [
- {
+ ({
 networking.firewall.enable = true;
 networking.nftables.enable = true;
+ })
+ ({lib, config, ...}: lib.mkIf (
+ config.networking.hostName != "aspartame" # open ports for data collection on everything EXCEPT aspartame, as that would be stupid, considering it is literally public facing. TODO: set up prometheus authentication, perhaps with a certificate. -e
+ )
+ {
 networking.firewall = {
 allowedTCPPorts = [
 6703
@@ -11,7 +16,7 @@
 6703
 ];
 };
- }
+ })
 ];
 fructose.modules = [
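Review bot: The new `lib.mkIf` guard in firewall.mod.nix is an exclusion by hostname, so the collection ports stay open on every host that is not named `"aspartame"`, and any future public-facing host inherits them until someone remembers to add it here; an allow-list of the hosts that are actually scraped, or scoping the ports to the internal interface via `networking.firewall.interfaces.<iface>.allowedTCPPorts` instead of the global list, fails closed rather than open. The long explanation is currently embedded inside the parenthesised condition, which makes the expression hard to read; I would move it above the module and keep the condition on one line, e.g. `# Expose the collection ports everywhere except aspartame, which is public facing. TODO: prometheus auth (certificate?)` followed by `({lib, config, ...}: lib.mkIf (config.networking.hostName != "aspartame") {`. The `allowedTCPPorts` list opened in this hunk continues into the third hunk, whose `})` is the matching close of the new module.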