1 { pkgs, lib, config, hostName, ... }:
3 inherit (config.users) users;
6 networking.firewall.enable = false;
7 security.lockKernelModules = false;
8 systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
9 # Inspect the generated ruleset with: echo -e "$(nix eval hosts.aubergine.config.networking.nftables.ruleset)"
11 networking.nftables = {
16 tcp dport { ssh, 2222 } counter accept comment "SSH"
17 udp dport 60001-60010 counter accept comment "Mosh"
23 tcp dport { ssh, 2222 } counter accept comment "SSH"
24 udp dport 60001-60100 counter accept comment "Mosh"
25 tcp dport bootps counter accept comment "DHCP"
26 tcp dport { 4444, 5555 } counter accept
29 tcp dport { ssh, 2222 } counter accept comment "SSH"
30 udp dport 60001-60100 counter accept comment "Mosh"
31 tcp dport { http, https } counter accept comment "HTTP"
32 tcp dport git counter accept comment "Git"
35 tcp dport { ssh, 2222 } counter accept comment "SSH"
36 udp dport 60001-60100 counter accept comment "Mosh"
37 udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
38 meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
39 tcp dport { http, https } counter accept comment "HTTP"
40 tcp dport git counter accept comment "Git"
41 tcp dport imaps counter accept comment "IMAPS"
42 tcp dport xmpp-client counter accept comment "XMPP"
43 tcp dport nntps counter accept comment "NNTPS"