-{ pkgs, lib, config, hosts, ... }:
+{ config, ... }:
let
inherit (config.users) users;
in
{
-networking.firewall.enable = false;
-security.lockKernelModules = false;
-systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
-# echo -e "$(nix eval hosts.aubergine.config.networking.nftables.ruleset)"
-# nft list ruleset
-networking.nftables = {
- enable = true;
- ruleset = ''
- table inet filter {
- chain input-lan {
- meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
- meta l4proto { udp, tcp } th dport bootps counter accept comment "DHCP"
- tcp dport ssh counter accept comment "SSH"
- udp dport 60000-61000 counter accept comment "Mosh"
- tcp dport 5201 counter accept comment "iperf"
- }
- chain input-net {
- jump check-public
- }
- chain input-intra {
- tcp dport ssh counter accept comment "SSH"
- udp dport 60000-61000 counter accept comment "Mosh"
- tcp dport 5201 counter accept comment "iperf"
- }
+ networking.firewall.enable = false;
+ security.lockKernelModules = false;
+ systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
+ # echo -e "$(nix eval hosts.aubergine.config.networking.nftables.ruleset)"
+ # nft list ruleset
+ networking.nftables = {
+ enable = true;
+ ruleset = ''
+ table inet filter {
+ chain input-lan {
+ meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
+ meta l4proto { udp, tcp } th dport bootps counter accept comment "DHCP"
+ tcp dport ssh counter accept comment "SSH"
+ udp dport 60000-61000 counter accept comment "Mosh"
+ tcp dport 5201 counter accept comment "iperf"
+ }
+ chain input-net {
+ jump check-public
+ }
+ chain input-intra {
+ tcp dport ssh counter accept comment "SSH"
+ udp dport 60000-61000 counter accept comment "Mosh"
+ tcp dport 5201 counter accept comment "iperf"
+ }
- chain output-lan {
- tcp dport { ssh, 2222 } counter accept comment "SSH"
- counter accept
- tcp dport 5201 counter accept comment "iperf"
- }
- chain output-net {
- tcp dport { ssh, 2222 } counter accept comment "SSH"
- udp dport 60000-61000 counter accept comment "Mosh"
- tcp dport { http, https } counter accept comment "HTTP"
- udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
- meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
- tcp dport git counter accept comment "Git"
- tcp dport 5201 counter accept comment "iperf"
- }
- chain output-intra {
- tcp dport { ssh, 2222 } counter accept comment "SSH"
- udp dport 60001-60010 counter accept comment "Mosh"
- tcp dport { http, https } counter accept comment "HTTP"
- tcp dport git counter accept comment "git"
- #tcp dport 4713 counter accept comment "pulseaudio"
- tcp dport 5201 counter accept comment "iperf"
+ chain output-lan {
+ tcp dport { ssh, 2222 } counter accept comment "SSH"
+ counter accept
+ tcp dport 5201 counter accept comment "iperf"
+ }
+ chain output-net {
+ tcp dport { ssh, 2222 } counter accept comment "SSH"
+ udp dport 60000-61000 counter accept comment "Mosh"
+ tcp dport { http, https } counter accept comment "HTTP"
+ udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
+ meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
+ tcp dport git counter accept comment "Git"
+ tcp dport 5201 counter accept comment "iperf"
+ }
+ chain output-intra {
+ tcp dport { ssh, 2222 } counter accept comment "SSH"
+ udp dport 60001-60010 counter accept comment "Mosh"
+ tcp dport { http, https } counter accept comment "HTTP"
+ tcp dport git counter accept comment "git"
+ #tcp dport 4713 counter accept comment "pulseaudio"
+ tcp dport 5201 counter accept comment "iperf"
+ }
}
- }
- '';
-};
+ '';
+ };
}
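Review bot: The bare `counter accept` as the second rule of `output-lan` accepts every outbound packet to the LAN, so the `tcp dport 5201 counter accept comment "iperf"` line after it is unreachable and the SSH rule above it is effectively just a counter; this predates the reindent but the commit carries it over unchanged. If accepting all LAN egress is intended, make that explicit and drop the dead line, e.g. `counter accept comment "allow all LAN egress"`; if not, remove the bare accept so the chain is an allow-list like `output-net` and `output-intra`. The file also sets `networking.firewall.enable = false;` and `security.lockKernelModules = false;` with no comment, presumably so nftables owns filtering and can still load its modules at activation — a one-line comment stating that intent would help, and the `after = [ "nftables.service" ]` ordering on `disable-kernel-module-loading` looks vestigial once module locking is off (confirm whether that unit still exists in this configuration). The ruleset here only defines jump targets (`input-lan`, `input-net`, `output-*`); the base chains, default policies and any `ct state established,related` handling are outside this hunk, so their correctness cannot be judged from it.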