hosts/mermet/networking/nftables.nix

   1 { inputs, pkgs, lib, config, hosts, ... }:
   2 let
   3   inherit (config.users) users;
   4 in
   5 {
   6 imports = [
   7   (inputs.julm-nix + "/nixos/profiles/networking/nftables.nix")
   8 ];
   9 networking.firewall.enable = false;
  10 security.lockKernelModules = false;
  11 systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
  12 # sudo nft --check -f - <<<$(nix eval --raw .#nixosConfigurations.mermet.config.networking.nftables.ruleset >/tmp/nftables.txt)
  13 networking.nftables = {
  14   enable = true;
  15   ruleset = ''
  16     table inet filter {
  17       chain input-lan {
  18         accept
  19       }
  20       chain input-net {
  21         #jump check-public
  22         tcp dport ssh counter accept comment "SSH"
  23         udp dport 60000-60100 counter accept comment "Mosh"
  24       }
  25       chain output-lan {
  26         tcp dport ssh counter accept comment "SSH"
  27         udp dport 60000-60100 counter accept comment "Mosh"
  28         accept
  29       }
  30       chain output-net {
  31         tcp dport { ssh, 2222 } counter accept comment "SSH"
  32         tcp dport { http, https } counter accept comment "HTTP(S)"
  33         udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
  34         tcp dport git counter accept comment "Git"
  35       }
  36     }
  37   '';
  38 };
  39 }