Diffstat (limited to '')
-rw-r--r-- | hosts/arrakis/default.nix | 60 |
1 files changed, 40 insertions, 20 deletions
diff --git a/hosts/arrakis/default.nix b/hosts/arrakis/default.nix
index cb74fd9..073f2a0 100644
--- a/hosts/arrakis/default.nix
+++ b/hosts/arrakis/default.nix
@@ -82,30 +82,50 @@ defaultSopsFile = ../secrets/arrakis.yaml; secrets = { + "nftables/ssh" = {}; "wpa_supplicant" = {}; }; }; system.stateVersion = "23.11"; - #systemd.services."nftables-extra" = { - # description = "nftables extra firewall rules"; - # script = '' - # ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path} - # ''; - # serviceConfig = { - # RemainAfterExit = true; - # Type = "oneshot"; - # }; - # unitConfig = { - # ConditionPathExists = config.sops.secrets."nftables/ssh".path; - # }; - # wantedBy = [ "multi-user.target" ]; - #}; - #systemd.paths."nftables-extra" = { - # pathConfig = { - # PathExists = config.sops.secrets."nftables/ssh".path; - # }; - # wantedBy = [ "multi-user.target" ]; - #}; + systemd.services."nftables-extra" = { + description = "nftables extra firewall rules"; + script = '' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { http, https } counter accept # 80, 443' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { netbios-ns, netbios-dgm } counter accept # 137, 138' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { netbios-ssn, microsoft-ds } counter accept # 139, 445' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport 2049 counter accept' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { 2456, 2457 } counter accept # Valheim dedicated server' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 5121 counter accept # Neverwinter Nights Server' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { 7878, 8080, 8686, 8787, 8989 } counter accept # Radarr, Sabnzb, Lidarr, Sonarr, Readarr' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 15637 counter accept # Enshrouded' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw 
input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 udp dport { 27031, 27036 } counter accept # Steam Remote Play' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 tcp dport { 27036, 27037 } counter accept # Steam Remote Play' + ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 51820 counter accept # WireGuard' + ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path} + ''; + serviceConfig = { + RemainAfterExit = true; + Type = "oneshot"; + }; + unitConfig = { + ConditionPathExists = [ + config.sops.secrets."nftables/forward".path + config.sops.secrets."nftables/ssh".path + ]; + }; + wantedBy = [ "multi-user.target" ]; + after = [ "nftables.service" ]; + partOf = [ "nftables.service" ]; + }; + systemd.paths."nftables-extra" = { + pathConfig = { + PathExists = [ + config.sops.secrets."nftables/forward".path + config.sops.secrets."nftables/ssh".path + ]; + }; + wantedBy = [ "multi-user.target" ]; + }; } |
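Review bot: The `ConditionPathExists` and `PathExists` lists near the end of the hunk reference `config.sops.secrets."nftables/forward".path`, but the `sops.secrets` set in this same hunk only declares `"nftables/ssh"` (plus `wpa_supplicant`) and the script only ever loads the ssh file with `nft -f`; unless `nftables/forward` is declared elsewhere in the host config, evaluation fails on the missing attribute, and if it is declared, the ssh rules are silently skipped whenever that unrelated file is absent. Either add `"nftables/forward" = {};` to `secrets` and load it in `script`, or drop the two `"nftables/forward"` entries from both lists. Separately, only the Steam Remote Play rules carry `ip saddr 192.168.1.0/24`; the SMB (137-139/445), NFS (2049) and *arr web UI (7878/8080/8686/8787/8989) rules accept from any peer on `wlp5s0`, which by its name appears to be a wireless interface, so consider the same source restriction, e.g. `'iifname "wlp5s0" ip saddr 192.168.1.0/24 tcp dport { netbios-ssn, microsoft-ds } counter accept'`. Note also that `nft insert rule` is not idempotent and nothing removes the rules on stop, so restarting `nftables-extra` on its own duplicates every rule at the head of `nixos-fw input`, while a reload of nftables.service (rather than a restart) is not propagated by `partOf` and would drop the inserted rules until the next restart — the static rules may belong in the NixOS firewall options so only the secret-backed `nft -f` needs this unit. The enclosing module attribute set opens before this hunk.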