aboutsummaryrefslogtreecommitdiffstats
path: root/hosts/arrakis/default.nix
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--hosts/arrakis/default.nix60
1 files changed, 40 insertions, 20 deletions
diff --git a/hosts/arrakis/default.nix b/hosts/arrakis/default.nix
index cb74fd9..073f2a0 100644
--- a/hosts/arrakis/default.nix
+++ b/hosts/arrakis/default.nix
@@ -82,30 +82,50 @@
defaultSopsFile = ../secrets/arrakis.yaml;
secrets = {
+ "nftables/ssh" = {};
"wpa_supplicant" = {};
};
};
system.stateVersion = "23.11";
- #systemd.services."nftables-extra" = {
- # description = "nftables extra firewall rules";
- # script = ''
- # ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
- # '';
- # serviceConfig = {
- # RemainAfterExit = true;
- # Type = "oneshot";
- # };
- # unitConfig = {
- # ConditionPathExists = config.sops.secrets."nftables/ssh".path;
- # };
- # wantedBy = [ "multi-user.target" ];
- #};
- #systemd.paths."nftables-extra" = {
- # pathConfig = {
- # PathExists = config.sops.secrets."nftables/ssh".path;
- # };
- # wantedBy = [ "multi-user.target" ];
- #};
+ systemd.services."nftables-extra" = {
+ description = "nftables extra firewall rules";
+ script = ''
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { http, https } counter accept # 80, 443'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { netbios-ns, netbios-dgm } counter accept # 137, 138'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { netbios-ssn, microsoft-ds } counter accept # 139, 445'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport 2049 counter accept'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport { 2456, 2457 } counter accept # Valheim dedicated server'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 5121 counter accept # Neverwinter Nights Server'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" tcp dport { 7878, 8080, 8686, 8787, 8989 } counter accept # Radarr, Sabnzb, Lidarr, Sonarr, Readarr'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 15637 counter accept # Enshrouded'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 udp dport { 27031, 27036 } counter accept # Steam Remote Play'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" ip saddr 192.168.1.0/24 tcp dport { 27036, 27037 } counter accept # Steam Remote Play'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "wlp5s0" udp dport 51820 counter accept # WireGuard'
+ ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
+ '';
+ serviceConfig = {
+ RemainAfterExit = true;
+ Type = "oneshot";
+ };
+ unitConfig = {
+ ConditionPathExists = [
+ config.sops.secrets."nftables/forward".path
+ config.sops.secrets."nftables/ssh".path
+ ];
+ };
+ wantedBy = [ "multi-user.target" ];
+ after = [ "nftables.service" ];
+ partOf = [ "nftables.service" ];
+ };
+ systemd.paths."nftables-extra" = {
+ pathConfig = {
+ PathExists = [
+ config.sops.secrets."nftables/forward".path
+ config.sops.secrets."nftables/ssh".path
+ ];
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
}