1 { pkgs, lib, config, machines, ... }:
3 inherit (builtins) hasAttr readFile;
4 inherit (pkgs.lib) unlinesAttrs;
5 inherit (config.users) users groups;
8 networking.firewall.enable = false;
9 security.lockKernelModules = false;
10 systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
11 # To inspect the fully rendered ruleset (includes + rules appended by other modules): echo -e "$(nix eval machines.losurdo.config.networking.nftables.ruleset)"
13 networking.nftables = {
15 ruleset = lib.mkBefore ''
17 include "${../../../var/nftables/filter.txt}"
20 # Some .nix append rules here with: add rule inet filter net2fw ...
23 tcp dport { 80, 443 } counter accept comment "HTTP"
24 udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
25 tcp dport 9418 counter accept comment "Git"
27 # Some .nix append rules here with: add rule inet filter fw2net ...
31 # Some .nix append rules here with: add rule inet filter lan2fw ...
35 # Some .nix append rules here with: add rule inet filter fw2lan ...
38 # Some .nix append rules here with: add rule inet filter intra2fw ...
41 # Some .nix append rules here with: add rule inet filter fw2intra ...
45 type filter hook input priority 0
54 # accept packets belonging to connections conntrack already tracks (established or related)
55 ct state { established, related } accept
56 jump accept-connectivity-input
61 tcp dport 22 counter accept comment "SSH"
62 udp dport 60000-61000 counter accept comment "Mosh"
64 # Some .nix append gotos here with: add rule inet filter input iifname ... goto ...
67 type filter hook output priority 0
72 ct state { established, related } accept
73 jump accept-connectivity-output
75 tcp dport 22 counter accept comment "SSH"
77 # Some .nix append gotos here with: add rule inet filter output oifname ... goto ...
80 type filter hook forward priority 0