From: Julien Moutinho Date: Tue, 22 Jul 2025 23:24:44 +0000 (+0200) Subject: kubo: add profile X-Git-Url: https://git.sourcephile.fr/julm/julm-nix.git/commitdiff_plain kubo: add profile --- diff --git a/hosts/pumpkin.nix b/hosts/pumpkin.nix index 8a74ca9..5bfbc78 100644 --- a/hosts/pumpkin.nix +++ b/hosts/pumpkin.nix @@ -57,6 +57,7 @@ "wireshark" #"ipfs" config.services.davfs2.davGroup + config.services.kubo.group #"vboxusers" ]; # If created, zfs-mount.service would require: @@ -190,22 +191,6 @@ */ }; - services.kubo = { - #enable = true; - defaultMode = "online"; - autoMount = true; - enableGC = true; - localDiscovery = false; - settings = { - Datastore.StorageMax = "10GB"; - Discovery.MDNS.Enabled = false; - #Bootstrap = [ - #]; - #Swarm.AddrFilters = null; - }; - startWhenNeeded = true; - }; - services.udev.packages = [ # Allow the console user access the Yubikey USB device node, # needed for challenge/response to work correctly. diff --git a/hosts/pumpkin/networking.nix b/hosts/pumpkin/networking.nix index d6cfd4c..74efcef 100644 --- a/hosts/pumpkin/networking.nix +++ b/hosts/pumpkin/networking.nix @@ -4,6 +4,7 @@ ../../nixos/profiles/dnscrypt-proxy2.nix ../../nixos/profiles/networking/ssh.nix ../../nixos/profiles/networking/wifi.nix + ../../nixos/profiles/kubo.nix #../../nixos/profiles/openvpn/calyx.nix networking/nftables.nix ]; diff --git a/nixos/profiles/kubo.nix b/nixos/profiles/kubo.nix new file mode 100644 index 0000000..874610f --- /dev/null +++ b/nixos/profiles/kubo.nix 
@@ -0,0 +1,33 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}:
+{
+ services.kubo = {
+ enable = true;
+ defaultMode = "online";
+ autoMount = true;
+ enableGC = true;
+ localDiscovery = false;
+ settings = {
+ Datastore.StorageMax = "10GB";
+ Discovery.MDNS.Enabled = false;
+ #Bootstrap = [
+ #];
+ #Swarm.AddrFilters = null;
+ };
+ startWhenNeeded = true;
+ };
+ networking.nftables.ruleset = ''
+ table inet filter {
+ chain input-net {
+ meta l4proto { udp, tcp } th sport 4001 counter accept comment "kubo: IPFS libp2p swarm"
+ }
+ chain output-net {
+ meta l4proto { udp, tcp } th dport 4001 skuid ${toString config.services.kubo.user} counter accept comment "kubo: IPFS libp2p swarm"
+ }
+ }
+ '';
+}
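Review bot: The `input-net` rule matches `th sport 4001`, so it accepts any inbound TCP or UDP packet whose source port is 4001, whatever local port it is addressed to. The source port is chosen by the sender, so the rule does not confine exposure to the kubo swarm listener. If the intent is to let peers reach that listener, match the destination instead: `meta l4proto { udp, tcp } th dport 4001 counter accept comment "kubo: IPFS libp2p swarm"`. If it is meant only for replies to outbound dials, a conntrack established/related rule would be the narrower way to express that; the rest of `input-net` is defined outside this hunk, so whether one already exists cannot be seen here. A short comment on the `output-net` rule saying that outbound swarm traffic is deliberately limited to the kubo user and `dport 4001` would also help the next reader.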