swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2026-04-14 21:29:12 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

wip: migrate client modules

Browse source
This commit is contained in:
Leon Schwarzäugl 2026-04-02 19:25:58 +02:00
parent f6d2ff1544
commit 7ce27d5d2f
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
245 changed files with 20254 additions and 188 deletions
Download patch file Download diff file Expand all files Collapse all files

75
modules-clone/nixos/server/nftables.nix Normal file
View file

@ -0,0 +1,75 @@
{ lib, config, confLib, ... }:
let
inherit (confLib.gen { name = "nftables"; }) serviceName;
in
{
options = {
swarselmodules.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
};
config = lib.mkIf config.swarselmodules.${serviceName} {
networking.nftables = {
stopRuleset = lib.mkDefault ''
table inet filter {
chain input {
type filter hook input priority filter; policy drop;
ct state invalid drop
ct state {established, related} accept
iifname lo accept
meta l4proto ipv6-icmp accept
meta l4proto icmp accept
ip protocol igmp accept
tcp dport ${toString (lib.head config.services.openssh.ports)} accept
}
chain forward {
type filter hook forward priority filter; policy drop;
}
chain output {
type filter hook output priority filter; policy accept;
}
}
'';
firewall = {
enable = true;
localZoneName = "local";
snippets = {
nnf-common.enable = false;
nnf-conntrack.enable = true;
nnf-drop.enable = true;
nnf-loopback.enable = true;
nnf-ssh.enable = true;
nnf-dhcpv6.enable = true;
};
rules.untrusted-to-local = {
from = [ "untrusted" ];
to = [ "local" ];
inherit (config.networking.firewall)
allowedTCPPorts
allowedTCPPortRanges
allowedUDPPorts
allowedUDPPortRanges
;
};
rules.icmp-and-igmp = {
after = [
"ct"
"ssh"
];
from = "all";
to = [ "local" ];
extraLines = [
"meta l4proto ipv6-icmp accept"
"meta l4proto icmp accept"
"ip protocol igmp accept"
];
};
};
};
};
}