]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/carotte/nftables.nix
losurdo: docker: enable service
[sourcephile-nix.git] / hosts / carotte / nftables.nix
1 { inputs, pkgs, lib, config, ... }:
2 let
3 inherit (config) networking;
4 inherit (config.users) users;
5 in
6 {
7 imports = [
8 (inputs.julm-nix + "/nixos/profiles/networking/nftables.nix")
9 ];
10 networking.firewall.enable = false;
11 systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
12 systemd.services.nftables.serviceConfig.TimeoutStartSec = "20";
13 networking.nftables = {
14 enable = true;
15 ruleset = ''
16 table inet filter {
17 chain input-net {
18 #udp dport mdns ip6 daddr ff02::fb counter accept comment "Accept mDNS"
19 #udp dport mdns ip daddr 224.0.0.251 counter accept comment "Accept mDNS"
20 tcp dport ssh counter accept comment "SSH"
21 udp dport 60000-61000 counter accept comment "Mosh"
22 }
23 chain output-net {
24 tcp dport { ssh, 2222 } counter accept comment "SSH"
25 tcp dport { http, https } counter accept comment "HTTP"
26 udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
27 tcp dport 1965 counter accept comment "Gemini"
28 tcp dport git counter accept comment "Git"
29 }
30 chain forward {
31 ct state { related, established } accept
32 jump output-connectivity
33 }
34 }
35 '';
36 };
37 }