diff --git a/env/azure/config.nix b/env/azure/config.nix
index a1efae6..b6e8e39 100644
--- a/env/azure/config.nix
+++ b/env/azure/config.nix
@@ -21,18 +21,44 @@
 };
 };
- interfaces = {
+ interfaces = let
+ rules = {
+ ssh_allow = {
+ direction = "Inbound";
+ description = "Allow SSH";
+ access = "Allow";
+ protocol = "TCP";
+ source_port_range = "0";
+ source_address_prefix = "*";
+ destination_port_range = "22";
+ destination_address_prefix = "*";
+ };
+ allow_all = {
+ direction = "Inbound";
+ description = "Allow All (Production Unsafe)";
+ access = "Allow";
+ protocol = "Tcp";
+ source_port_range = "*";
+ source_address_prefix = "*";
+ destination_port_range = "*";
+ destination_address_prefix = "*";
+ };
+ };
+ in {
 c2r1 = {
+ inherit rules;
 network = "test";
 subnetwork = "n1";
 tags = { description = "mainly c2r1 interface"; };
 };
 c2r2 = {
+ inherit rules;
 network = "test";
 subnetwork = "n1";
 tags = { description = "mainly c2r2 interface"; };
 };
 c2r3 = {
+ inherit rules;
 network = "test";
 subnetwork = "n1";
 tags = { description = "mainly c2r3 interface"; };
diff --git a/flake.nix b/flake.nix
index e688cbe..0fb5cc9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -82,6 +82,7 @@
 scripts/terranix-apply.sh "libvirt" ${libvirtConfig}
 '');
 };
+ # nix run ".#apply-gcp"
 apply-gcp = {
 type = "app";
diff --git a/provision/azure/default.nix b/provision/azure/default.nix
index 267cb12..626dd0b 100644
--- a/provision/azure/default.nix
+++ b/provision/azure/default.nix
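Review bot: In the `ssh_allow` rule, `protocol = "TCP"` will not pass the `enum [ "Tcp" "Udp" ... ]` that provision/azure/default.nix declares for `rules.*.protocol` (Nix enums are case-sensitive), so evaluation fails before anything is applied; `allow_all` already uses the accepted spelling `protocol = "Tcp";`. `source_port_range = "0"` is also not a usable source range for SSH, since clients connect from ephemeral ports; it should be `source_port_range = "*";`. More importantly, `inherit rules;` hands every interface the `allow_all` rule ("Allow All (Production Unsafe)", any source, any port), which makes the narrower `ssh_allow` rule moot; consider keeping `allow_all` out of the shared set and pinning `ssh_allow`'s `source_address_prefix` to an admin CIDR rather than `"*"`. The `interfaces` attribute set continues past the end of the hunk.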
@@ -48,6 +48,28 @@ in {
 tags = mk' (attrsOf str) { "image" = cfg.image; } "tags";
 network = mk' str "default" "network interface used";
 subnetwork = mk' str "n1" "subnetwork interface used";
+ rules = mk' (attrsOf rulesModule) { } "rules options";
+ };
+ });
+
+ rulesModule = submodule ({ config, name, ... }: {
+ options = {
+ group = mk' str azure.group "resource group";
+ location = mk' str azure.location "location of image";
+ name = mk' str name "name of rule";
+ priority = mk' int 0
+ "rule priority (if priority <= 0, this is setted to auto)";
+ tags = mk' (attrsOf str) { "image" = cfg.image; } "tags";
+ direction =
+ mk' (enum [ "Inbound" "Outbound" ]) "Inbound" "direction of rule";
+ access = mk' (enum [ "Allow" "Deny" ]) "Allow" "access";
+ protocol = mk' (enum [ "Tcp" "Udp" "Icmp" "Esp" "Ah" "*" ]) "Tcp"
+ "protocol of rule";
+ description = mk' str "" "description";
+ source_port_range = mk' str "*" "source port range";
+ source_address_prefix = mk' str "*" "source address prefix";
+ destination_port_range = mk' str "*" "destination port range";
+ destination_address_prefix = mk' str "*" "destination address prefix";
 };
 });
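Review bot: The `priority` option in `rulesModule` accepts any `int`, but Azure NSG rule priorities must lie in 100–4096 and be unique per direction, so an out-of-range value only fails at apply time; if `lib.types` is what provides `int`/`enum`/`attrsOf` here, `priority = mk' (ints.between 0 4096) 0` would reject it at evaluation, and the description should read `"rule priority (0 or less means auto-assigned from the rule's position)"` rather than "setted to auto". The wildcard defaults (`access = "Allow"`, every prefix and port range `"*"`) mean an empty `rules.x = { };` renders as an inbound allow-all rule; if that is intended it deserves a comment above `rulesModule` saying so, otherwise a fail-closed default such as `access = mk' (enum [ "Allow" "Deny" ]) "Deny" "access";` is the safer choice. The `config` binding in `({ config, name, ... }:` is unused and can be dropped. The interface submodule whose `options` this hunk extends starts before the hunk.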
@@ -240,6 +262,40 @@ in {
 };
 });
+ azurerm_network_security_group = attrsMap interfaces (name: {
+ ${name} = with interfaces.${name};
+ let inherit (pkgs.lib) foldl';
+ in {
+ inherit name location tags;
+ resource_group_name = group;
+ security_rule = listMap rules (id: name:
+ with rules.${name};
+ let priority_ = if priority > 0 then priority else (id + 100);
+ in {
+ inherit name description direction access protocol
+ destination_address_prefix source_address_prefix;
+ priority = priority_;
+ source_port_range = "*";
+ destination_port_range = "*";
+ source_port_ranges = [ ];
+ destination_port_ranges = [ ];
+ destination_application_security_group_ids = [ ];
+ source_application_security_group_ids = [ ];
+ source_address_prefixes = [ ];
+ destination_address_prefixes = [ ];
+ });
+ };
+ });
+
+ azurerm_network_interface_security_group_association = attrsMap interfaces
+ (name: {
+ ${name} = with interfaces.${name}; {
+ network_interface_id = "\${ azurerm_network_interface.${name}.id }";
+ network_security_group_id =
+ "\${ azurerm_network_security_group.${name}.id }";
+ };
+ });
+
 azurerm_virtual_machine = attrsMap replicas (name:
 with replicas.${name};
 let inherit (replicas.${name}) interfaces;
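Review bot: `security_rule` hard-codes `source_port_range = "*"; destination_port_range = "*";` and never reads the per-rule `source_port_range`/`destination_port_range` options declared in `rulesModule`, so a rule written with `destination_port_range = "22"` is emitted as TCP on every port from its source prefix — each `Allow` rule silently widens to all ports. Delete those two lines and extend the inherit to `inherit name description direction access protocol source_port_range destination_port_range destination_address_prefix source_address_prefix;`. `foldl'` is pulled from `pkgs.lib` but never used, and the auto priority `id + 100` can collide with an explicitly set `priority` on another rule in the same direction, which Azure rejects; at least a comment on `priority_` should say that rules mixing explicit and auto priorities must stay out of the 100..100+n range, or the auto branch should skip values already taken. The `azurerm_virtual_machine` definition that follows continues past the hunk.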