nix: tweak nix-daemon and nix-gc schedulings

[julm/julm-nix.git] / hosts / oignon / networking / nftables.nix

diff --git a/hosts/oignon/networking/nftables.nix b/hosts/oignon/networking/nftables.nix
index fa4de1d6639b06b6fa055875f22fe0237c288650..0de752fe1fbe4c575fe8586d929cf67c7a395afe 100644 (file)
--- a/hosts/oignon/networking/nftables.nix
+++ b/hosts/oignon/networking/nftables.nix
@@ -10,6 +10,10 @@ in
   # nft list ruleset
   networking.nftables = {
     enable = true;
+    preCheckRuleset = ''
+      sed -i ruleset.conf \
+        -e 's/ip daddr losurdo.wg//'
+    '';
     ruleset = ''
       table inet filter {
         chain input-intra {
@@ -37,7 +41,7 @@ in
           ip daddr losurdo.wg tcp dport 9091 counter accept comment "transmission"
         }
         chain output-net {
-          tcp dport { ssh, 2222 } counter accept comment "SSH"
+          tcp dport { ssh, 2222, 20022 } counter accept comment "SSH"
           udp dport 60001-60100 counter accept comment "Mosh"
           udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
           meta l4proto { udp, tcp } skuid dnscrypt-proxy2 counter accept comment "dnscrypt-proxy2"
@@ -45,7 +49,9 @@ in
           tcp dport git counter accept comment "Git"
           tcp dport imaps counter accept comment "IMAPS"
           tcp dport submissions counter accept comment "SMTPS"
-          tcp dport { xmpp-client, 5281 } counter accept comment "XMPP"
+          tcp dport xmpp-client counter accept comment "XMPP client"
+          tcp dport 5223 counter accept comment "XMPP client direct TLS"
+          tcp dport 5281 counter accept comment "XMPP HTTPS"
           tcp dport nntps counter accept comment "NNTPS"
           tcp dport 5201 counter accept comment "iperf"
         }