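{ config, ... }:
let
  inherit (config.users) users;
in
{
  # The nftables ruleset below *is* this host's packet filter. The NixOS
  # iptables-based firewall module is switched off so the two never disagree
  # about what is open. Consequence: nothing under networking.firewall.*
  # (allowedTCPPorts and friends) has any effect on this host.
  networking.firewall.enable = false;

  # nftables must be able to load its kernel modules before module loading is
  # locked, hence the ordering on the locking service. NOTE(review): the
  # disable-kernel-module-loading unit only exists when
  # security.lockKernelModules is true; with it set to false here the `after`
  # edge is inert unless another module turns locking on — confirm which is
  # intended.
  security.lockKernelModules = false;
  systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];

  # Inspect the evaluated ruleset, or the live one, with:
  #   echo -e "$(nix eval hosts.aubergine.config.networking.nftables.ruleset)"
  #   nft list ruleset
  #
  # Only regular (non-base) chains are defined in this fragment. The base
  # chains carrying the hooks and policies, the `check-public` chain that
  # input-net jumps to, and any `ct state established,related` handling are
  # not in this file and are presumably supplied by another ruleset fragment
  # — verify that before relying on the allow-lists below. Every chain here
  # is an allow-list: a packet no rule accepts falls back to the caller's
  # verdict, so the effective default depends on the base chain's policy.
  networking.nftables = {
    enable = true;
    ruleset = ''
      table inet filter {
        # Inbound from the local LAN: this host serves DNS and DHCP to it.
        chain input-lan {
          meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
          meta l4proto { udp, tcp } th dport bootps counter accept comment "DHCP"
          tcp dport ssh counter accept comment "SSH"
          udp dport 60000-61000 counter accept comment "Mosh"
          tcp dport 5201 counter accept comment "iperf"
        }
        # Inbound from the internet: delegated entirely to check-public
        # (defined outside this file).
        chain input-net {
          jump check-public
        }
        # Inbound from the intra network: remote access and iperf only.
        chain input-intra {
          tcp dport ssh counter accept comment "SSH"
          udp dport 60000-61000 counter accept comment "Mosh"
          tcp dport 5201 counter accept comment "iperf"
        }
        # Outbound to the LAN: everything is allowed. The specific rules
        # exist so their counters stay meaningful; the unconditional accept
        # therefore has to be the LAST rule — anything placed after an
        # unconditional accept in nftables is unreachable (the iperf rule
        # previously sat behind it and could never match).
        chain output-lan {
          tcp dport { ssh, 2222 } counter accept comment "SSH"
          tcp dport 5201 counter accept comment "iperf"
          counter accept
        }
        # Outbound to the internet: strict allow-list. NTP egress is tied to
        # the timesyncd user via skuid so only that daemon can reach port 123;
        # the user attribute is expected to be provided by the NixOS
        # systemd-timesyncd module.
        chain output-net {
          tcp dport { ssh, 2222 } counter accept comment "SSH"
          udp dport 60000-61000 counter accept comment "Mosh"
          tcp dport { http, https } counter accept comment "HTTP"
          udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
          tcp dport git counter accept comment "Git"
          tcp dport 5201 counter accept comment "iperf"
        }
        # Outbound to the intra network.
        chain output-intra {
          tcp dport { ssh, 2222 } counter accept comment "SSH"
          # NOTE(review): this Mosh range is far narrower than the 60000-61000
          # used by the other chains — confirm it is intentional and not a typo.
          udp dport 60001-60010 counter accept comment "Mosh"
          tcp dport { http, https } counter accept comment "HTTP"
          tcp dport git counter accept comment "git"
          #tcp dport 4713 counter accept comment "pulseaudio"
          tcp dport 5201 counter accept comment "iperf"
        }
      }
    '';
  };
}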