hosts/losurdo/networking/nftables.nix

   1 { inputs, pkgs, lib, config, ... }:
   2 let
   3   inherit (builtins) hasAttr readFile;
   4   inherit (pkgs.lib) unlinesAttrs;
   5   inherit (config) networking;
   6   inherit (config.users) users groups;
   7 in
   8 {
   9 imports = [
  10   (inputs.julm-nix + "/nixos/profiles/networking/nftables.nix")
  11 ];
  12 networking.firewall.enable = false;
  13 systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
  14 systemd.services.nftables.serviceConfig.TimeoutStartSec = "20";
  15 networking.nftables = {
  16   enable = true;
  17   ruleset = ''
  18     table inet filter {
  19       chain input-net {
  20         #udp dport mdns ip6 daddr ff02::fb counter accept comment "Accept mDNS"
  21         #udp dport mdns ip daddr 224.0.0.251 counter accept comment "Accept mDNS"
  22         tcp dport ssh counter accept comment "SSH"
  23         udp dport 60000-61000 counter accept comment "Mosh"
  24       }
  25       chain output-net {
  26         tcp dport { ssh, 2222 } counter accept comment "SSH"
  27         tcp dport { http, https } counter accept comment "HTTP"
  28         udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
  29         tcp dport 1965 counter accept comment "Gemini"
  30         tcp dport git counter accept comment "Git"
  31       }
  32       chain forward {
  33         ct state { related, established } accept
  34         jump output-connectivity
  35       }
  36     }
  37   '';
  38 };
  39 }