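{ config, ... }:
# Host firewall: the stock NixOS firewall is replaced by a hand-written
# nftables ruleset.  Only per-zone "regular" chains are defined here; none of
# them declares a hook, so the base chains that sit in the packet path and
# jump to them are presumably supplied by another module — verify that they
# exist, otherwise nothing below is ever evaluated.
let
  inherit (config.users) users;
in
{
  # The NixOS firewall (and its default rules) is off because the nftables
  # ruleset below takes over packet filtering for this host.
  networking.firewall.enable = false;
  # nftables.service loads its nf_tables kernel modules when it starts, so
  # module loading must not be locked before it has run.  With
  # lockKernelModules = false the ordering line is inert; it only matters if
  # another module turns the lock back on.
  security.lockKernelModules = false;
  systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
  # echo -e "$(nix eval hosts.aubergine.config.networking.nftables.ruleset)"
  # nft list ruleset
  networking.nftables = {
    enable = true;
    ruleset = ''
      table inet filter {
        # Inbound from the trusted intra-site network.
        chain input-intra {
          tcp dport { ssh, 2222 } counter accept comment "SSH"
          # Narrower than the 60001-60100 range used in the output chains;
          # presumably only this many inbound mosh sessions are served —
          # confirm before widening.
          udp dport 60001-60010 counter accept comment "Mosh"
          #tcp dport 4713 counter accept comment "pulseaudio"
          tcp dport 5201 counter accept comment "iperf"
        }
        # Inbound from the untrusted network: nothing is accepted here, so
        # the verdict is whatever follows the jump in the calling base chain.
        chain input-net {
        }

        # Outbound to the local LAN.
        chain output-lan {
          tcp dport { ssh, 2222 } counter accept comment "SSH"
          udp dport 60001-60100 counter accept comment "Mosh"
          # DHCP (RFC 2131) runs over UDP only; the earlier "tcp dport bootps"
          # rule could never match client traffic to the DHCP server.
          udp dport bootps counter accept comment "DHCP"
          # NOTE(review): purpose of 4444/5555 is undocumented — confirm and
          # add an nft comment like the other rules.
          tcp dport { 4444, 5555 } counter accept
          tcp dport 5201 counter accept comment "iperf"
        }
        # Outbound to the trusted intra-site network.
        chain output-intra {
          tcp dport { ssh, 2222 } counter accept comment "SSH"
          udp dport 60001-60100 counter accept comment "Mosh"
          tcp dport { http, https } counter accept comment "HTTP"
          tcp dport git counter accept comment "Git"
          tcp dport 5201 counter accept comment "iperf"
          # "losurdo.wg" is resolved by nft when the ruleset is loaded, so
          # that name must be resolvable at nftables.service start.
          ip daddr losurdo.wg tcp dport 9091 counter accept comment "transmission"
        }
        # Outbound to the untrusted network.
        chain output-net {
          tcp dport { ssh, 2222 } counter accept comment "SSH"
          udp dport 60001-60100 counter accept comment "Mosh"
          # NTP egress is restricted to the timesync user; the name is taken
          # from the NixOS user config rather than hardcoded.
          udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
          # The resolver gets unrestricted TCP/UDP egress under its own uid.
          # The uid is spelled out here, unlike the NTP rule — presumably
          # because that user is not declared in config.users.users; verify.
          meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
          tcp dport { http, https } counter accept comment "HTTP"
          tcp dport git counter accept comment "Git"
          tcp dport imaps counter accept comment "IMAPS"
          tcp dport submissions counter accept comment "SMTPS"
          tcp dport { xmpp-client, 5281 } counter accept comment "XMPP"
          tcp dport nntps counter accept comment "NNTPS"
          tcp dport 5201 counter accept comment "iperf"
        }
      }
    '';
  };
}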