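# Host-specific nftables rules. Every chain below is a regular (un-hooked)
# chain: no `type filter hook … priority … ; policy …` line appears here, so
# the base chains that jump into them — and the default policy that applies
# when none of these rules match — presumably live in a shared firewall module
# that contributes to the same `networking.nftables.ruleset` option (TODO confirm).
{ config, ... }:
let
  inherit (config.users) users;
in
{
  # The iptables-based NixOS firewall is replaced by the nftables ruleset below.
  networking.firewall.enable = false;

  # Kernel-module loading stays unlocked on this host. Should lockKernelModules
  # be re-enabled elsewhere, the ordering below makes the lock service wait for
  # nftables.service, so the nf_tables modules are loaded before the lock
  # takes effect (with the option off, the `after` entry is inert — confirm
  # that is the intent).
  security.lockKernelModules = false;
  systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];

  # Debugging aids:
  #   echo -e "$(nix eval hosts.aubergine.config.networking.nftables.ruleset)"
  #   nft list ruleset
  networking.nftables = {
    enable = true;
    ruleset = ''
      table inet filter {
        # Inbound from the intranet.
        chain input-intra {
          tcp dport { ssh, 2222 } counter accept comment "SSH"
          # Inbound Mosh is limited to ten ports, unlike the outbound ranges below.
          udp dport 60001-60010 counter accept comment "Mosh"
          #tcp dport 4713 counter accept comment "pulseaudio"
          tcp dport 5201 counter accept comment "iperf"
        }

        # Inbound from the internet: nothing is accepted here.
        chain input-net {
        }

        # Outbound to the local network.
        chain output-lan {
          tcp dport { ssh, 2222 } counter accept comment "SSH"
          udp dport 60001-60100 counter accept comment "Mosh"
          # DHCP runs over UDP (client port 68 -> server port 67); the previous
          # "tcp dport bootps" rule could never match a DHCP request.
          udp dport bootps counter accept comment "DHCP"
          # TODO(review): undocumented ports — add a comment naming the service
          # they belong to, as every other rule in this table does.
          tcp dport { 4444, 5555 } counter accept
          tcp dport 5201 counter accept comment "iperf"
        }

        # Outbound to the intranet.
        chain output-intra {
          tcp dport { ssh, 2222 } counter accept comment "SSH"
          udp dport 60001-60100 counter accept comment "Mosh"
          tcp dport { http, https } counter accept comment "HTTP"
          tcp dport git counter accept comment "Git"
          tcp dport 5201 counter accept comment "iperf"
          # NOTE(review): a hostname in a rule is resolved once, when the
          # ruleset is loaded; if it cannot be resolved at that moment the
          # whole ruleset fails to load. Confirm losurdo.wg is in /etc/hosts
          # (networking.hosts) or use the literal address here.
          ip daddr losurdo.wg tcp dport 9091 counter accept comment "transmission"
        }

        # Outbound to the internet.
        chain output-net {
          tcp dport { ssh, 2222 } counter accept comment "SSH"
          udp dport 60001-60100 counter accept comment "Mosh"
          # NTP egress is restricted to the timesync service user.
          udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
          # No generic DNS rule exists in this chain, so presumably all name
          # resolution is meant to go through dnscrypt-proxy2; the rule is
          # deliberately port-agnostic (resolvers listen on varied ports) and
          # therefore grants that user unrestricted TCP/UDP egress — confirm.
          meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
          tcp dport { http, https } counter accept comment "HTTP"
          tcp dport git counter accept comment "Git"
          tcp dport imaps counter accept comment "IMAPS"
          tcp dport submissions counter accept comment "SMTPS"
          tcp dport { xmpp-client, 5281 } counter accept comment "XMPP"
          tcp dport nntps counter accept comment "NNTPS"
          tcp dport 5201 counter accept comment "iperf"
        }
      }
    '';
  };
}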