Pin niroco to port 55184 and open it to incoming VPN traffic

By default, niroco allocates an ephemeral server port, which cannot be
effectively firewalled. We can force it to use a specific port with an
INI fragment installed to /usr/share/niroco.d, so that _firewall_config.py can
allow incoming traffic to that port.

We choose port 55184 more or less entirely arbitrarily, but placing it firmly in
the ephemeral range more or less demands that this cannot be the long-term
static port decision.

Signed-off-by: Richard Tollerton <[email protected]>

Makefile

@@ -99,6 +99,11 @@ install : all mkinstalldirs $(DIST_FILES)
 		src/ni-wireguard-labview/ni-wireguard-labview.initd \
 		"$(DESTDIR)/etc/init.d/ni-wireguard-labview"
 
+	# firewall configuration pieces
+	install --mode=0644 \
+		src/x-niroco-static-port.ini \
+		"$(DESTDIR)/usr/share/niroco.d"
+
 	# install python library
 	for pyfile in $(PYNILRT_SNAC_FILES); do \
 		install -D "$${pyfile}" "$(DESTDIR)$(libdir)/$(PACKAGE)/$${pyfile}"; \
@@ -121,6 +126,7 @@ mkinstalldirs :
 	mkdir -p "$(DESTDIR)$(docdir)/$(PACKAGE)"
 	mkdir -p "$(DESTDIR)$(libdir)/$(PACKAGE)"
 	mkdir -p "$(DESTDIR)$(sbindir)"
+	mkdir -p "$(DESTDIR)/usr/share/niroco.d"
 
 
 uninstall :

nilrt_snac/_configs/_firewall_config.py

@@ -103,6 +103,10 @@ def configure(self, args: argparse.Namespace) -> None:
                     "--add-service=ni-rpc-server",
                     "--add-service=ni-service-locator",
                     )
+        _offlinecmd("--policy=work-in",
+                    # Temporary port add; see x-niroco-static-port.ini
+                    "--add-port=55184/tcp",
+                    )
         _offlinecmd("--policy=work-out",
                     "--add-service=amqp",
                     "--add-service=salt-master",

src/x-niroco-static-port.ini

@@ -0,0 +1,2 @@
+[RemoteServer]
+port=55184