#boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
boot.kernel.sysctl."net.ipv6.conf.${iface}.addr_gen_mode" = 1;
networking.nftables.ruleset = ''
- add chain inet filter wifi2fw
- add chain inet filter fw2wifi
- add rule inet filter input iifname "${iface}" goto wifi2fw
- add rule inet filter output oifname "${iface}" goto fw2wifi
-
- # ${iface} firewalling
- add rule inet filter fw2wifi counter accept
+ table inet filter {
+ chain input-wifi {
+ meta l4proto { udp, tcp } th dport domain counter accept comment "DNS"
+ tcp dport bootps counter accept comment "DHCP"
+ }
+ chain input {
+ iifname ${iface} jump input-wifi
+ iifname ${iface} log level warn prefix "input-wifi: " counter drop
+ }
- # Allow forwarding to the internet
- add rule inet filter forward iifname "${iface}" oifname "${gateway}" counter accept
- add rule inet filter forward iifname "${gateway}" oifname "${iface}" counter accept
+ chain output-wifi {
+ counter accept
+ }
+ chain output {
+ oifname ${iface} jump output-wifi
+ oifname ${iface} log level warn prefix "output-wifi: " counter drop
+ }
- # Allow networking services
- add rule inet filter wifi2fw meta l4proto { udp, tcp } th dport 53 counter accept comment "DNS"
- add rule inet filter wifi2fw tcp dport 67 counter accept comment "DHCP"
+ chain forward {
+ iifname ${iface} oifname ${gateway} counter accept
+ iifname ${gateway} oifname ${iface} counter accept
+ }
+ }
'';
services.unbound.settings = {
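Review bot: In `input-wifi`, `tcp dport bootps` cannot match DHCP, which runs over UDP port 67. The old ruleset had the same protocol, but `input` now ends with an explicit `log … counter drop` for `${iface}`, so client requests will probably be dropped unless a rule outside this hunk accepts them first; the rule should read `udp dport bootps counter accept comment "DHCP"`. In `forward`, `iifname ${gateway} oifname ${iface} counter accept` admits every packet arriving from the gateway side, not only replies, so `iifname ${gateway} oifname ${iface} ct state established,related counter accept` would limit the return path to flows the Wi-Fi clients opened. Since `addr_gen_mode` is set for IPv6 on this interface, it is also worth confirming that ICMPv6 neighbour discovery is accepted before the new drop is reached. The `input`, `output` and `forward` chains carry no `type … hook …` line here, so they are presumably declared in a part of the configuration outside this hunk, as is the rest of the enclosing Nix expression.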