]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/mermet/networking/nftables.nix
losurdo: docker: enable service
[sourcephile-nix.git] / hosts / mermet / networking / nftables.nix
1 { inputs, config, ... }:
2 let
3 inherit (config.users) users;
4 in
5 {
6 imports = [
7 (inputs.julm-nix + "/nixos/profiles/networking/nftables.nix")
8 ];
9 networking.firewall.enable = false;
10 security.lockKernelModules = false;
11 systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
12 # sudo nft --check -f - <<<$(nix eval --raw .#nixosConfigurations.mermet.config.networking.nftables.ruleset >/tmp/nftables.txt)
13 networking.nftables = {
14 enable = true;
15 ruleset = ''
16 table inet filter {
17 chain input-lan {
18 accept
19 }
20 chain input-net {
21 #jump check-public
22 tcp dport ssh counter accept comment "SSH"
23 udp dport 60000-60100 counter accept comment "Mosh"
24 }
25 chain output-lan {
26 tcp dport ssh counter accept comment "SSH"
27 udp dport 60000-60100 counter accept comment "Mosh"
28 accept
29 }
30 chain output-net {
31 tcp dport { ssh, 2222 } counter accept comment "SSH"
32 tcp dport { http, https } counter accept comment "HTTP(S)"
33 udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
34 tcp dport git counter accept comment "Git"
35 }
36 }
37 '';
38 };
39 }