-{ pkgs, lib, config, hosts, ... }:
+{ inputs, config, ... }:
let
- inherit (builtins) hasAttr readFile;
- inherit (pkgs.lib) unlinesAttrs;
- inherit (config.users) users groups;
+ inherit (config.users) users;
in
{
-networking.firewall.enable = false;
-security.lockKernelModules = false;
-systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
-# echo -e "$(nix eval hosts.losurdo.config.networking.nftables.ruleset)"
-# nft list ruleset
-networking.nftables = {
- enable = true;
- ruleset = lib.mkBefore ''
- table inet filter {
- include "${../../../networking/nftables/filter.txt}"
- chain net2fw {
- jump check-public
- # Some .nix append rules here with: add rule inet filter net2fw ...
- }
- chain fw2net {
- tcp dport { 80, 443 } counter accept comment "HTTP"
- udp dport 123 skuid ${users.systemd-timesync.name} counter accept comment "NTP"
- tcp dport 9418 counter accept comment "Git"
-
- # Some .nix append rules here with: add rule inet filter fw2net ...
- }
- chain lan2fw {
- accept
- # Some .nix append rules here with: add rule inet filter lan2fw ...
- }
- chain fw2lan {
- accept
- # Some .nix append rules here with: add rule inet filter fw2lan ...
- }
- chain intra2fw {
- # Some .nix append rules here with: add rule inet filter intra2fw ...
- }
- chain fw2intra {
- # Some .nix append rules here with: add rule inet filter fw2intra ...
- }
-
- chain input {
- type filter hook input priority 0
- policy drop
-
- iifname lo accept
-
- jump check-tcp
- jump check-ping
- jump check-broadcast
-
- # accept traffic already established
- ct state { established, related } accept
- jump accept-connectivity-input
- jump check-broadcast
- ct state invalid drop
-
- # admin services
- tcp dport 22 counter accept comment "SSH"
- udp dport 60000-61000 counter accept comment "Mosh"
-
- # Some .nix append gotos here with: add rule inet filter input iffname ... goto ...
- }
- chain output {
- type filter hook output priority 0
- policy drop
-
- oifname lo accept
-
- ct state { established, related } accept
- jump accept-connectivity-output
-
- tcp dport 22 counter accept comment "SSH"
-
- # Some .nix append gotos here with: add rule inet filter output oifname ... goto ...
- }
- chain forward {
- type filter hook forward priority 0
- policy drop
- drop
- }
- }
- '';
-};
+ imports = [
+ (inputs.julm-nix + "/nixos/profiles/networking/nftables.nix")
+ ];
+ networking.firewall.enable = false;
+ security.lockKernelModules = false;
+ systemd.services.disable-kernel-module-loading.after = [ "nftables.service" ];
+ # sudo nft --check -f - <<<$(nix eval --raw .#nixosConfigurations.mermet.config.networking.nftables.ruleset >/tmp/nftables.txt)
+ networking.nftables = {
+ enable = true;
+ ruleset = ''
+ table inet filter {
+ chain input-lan {
+ accept
+ }
+ chain input-net {
+ #jump check-public
+ tcp dport ssh counter accept comment "SSH"
+ udp dport 60000-60100 counter accept comment "Mosh"
+ }
+ chain output-lan {
+ tcp dport ssh counter accept comment "SSH"
+ udp dport 60000-60100 counter accept comment "Mosh"
+ accept
+ }
+ chain output-net {
+ tcp dport { ssh, 2222 } counter accept comment "SSH"
+ tcp dport { http, https } counter accept comment "HTTP(S)"
+ udp dport ntp skuid ${users.systemd-timesync.name} counter accept comment "NTP"
+ tcp dport git counter accept comment "Git"
+ }
+ }
+ '';
+ };
}
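Review bot: `input-net` now comments out `jump check-public`, so whatever that chain filtered (the old `net2fw` jumped to it before anything else) no longer runs on the Internet-facing input path, and SSH/Mosh are accepted from any source; if the check was dropped deliberately because the imported profile performs it, a one-line comment saying so would stop the next reader from re-adding it, otherwise the jump should be restored. The verification command in the comment does not check the ruleset: the `>/tmp/nftables.txt` redirect sits inside the `$(...)` substitution, so the here-string fed to `nft --check -f -` is empty and the check trivially passes; `sudo nft --check -f - <<<"$(nix eval --raw .#nixosConfigurations.mermet.config.networking.nftables.ruleset)"` would exercise the real ruleset. The two `counter accept` rules in `output-lan` are shadowed by the unconditional `accept` that follows and only serve as counters, which is worth stating in a comment so they are not mistaken for restrictions. The `lib.mkBefore` wrapper was also dropped; since other modules append with `add rule inet filter <chain> ...`, the imported profile presumably defines the table and the `input`/`output` hook chains ahead of this text — confirm the merge order is still what those appends rely on.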