Diffstat (limited to 'hosts/caladan/default.nix')
-rw-r--r--hosts/caladan/default.nix32
1 files changed, 32 insertions, 0 deletions
diff --git a/hosts/caladan/default.nix b/hosts/caladan/default.nix
index 1401dee..40188a2 100644
--- a/hosts/caladan/default.nix
+++ b/hosts/caladan/default.nix
@@ -128,6 +128,7 @@
defaultSopsFile = ../secrets/caladan.yaml;
secrets = {
+ "nftables/ssh" = {};
"nix-access-token-github" = {};
"ssh_config".path = "/root/.ssh/config";
"wpa_supplicant" = {};
@@ -135,4 +136,35 @@
};
system.stateVersion = "23.11";
+
+ systemd.services = {
+
+ "nftables-extra" = let rules_script = ''
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" udp dport { 2456, 2457 } counter accept # Valheim dedicated server'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" udp dport 5121 counter accept # Neverwinter Nights Server'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" udp dport 15637 counter accept # Enshrouded'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" ip saddr 192.168.1.0/24 udp dport { 27031, 27036 } counter accept # Steam Remote Play'
+ ${pkgs.nftables}/bin/nft insert rule inet nixos-fw input 'iifname "enp6s0" ip saddr 192.168.1.0/24 tcp dport { 27036, 27037 } counter accept # Steam Remote Play'
+ ${pkgs.nftables}/bin/nft -f ${config.sops.secrets."nftables/ssh".path}
+ ''; in {
+ description = "nftables extra firewall rules";
+ reload = rules_script;
+ script = rules_script;
+ serviceConfig = {
+ RemainAfterExit = true;
+ Type = "oneshot";
+ };
+ unitConfig = {
+ ConditionPathExists = [
+ config.sops.secrets."nftables/ssh".path
+ ];
+ ReloadPropagatedFrom = "nftables.service";
+ };
+ wantedBy = [ "multi-user.target" ];
+ after = [ "nftables.service" ];
+ partOf = [ "nftables.service" ];
+ };
+
+ };
+
}
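Review bot: The `rules_script` is not idempotent — every start or reload runs `nft insert rule` without removing the copies a previous run left in `inet nixos-fw input`, so `systemctl reload nftables-extra` (or a restart while nftables.service stays up) stacks duplicate rules; only the path through an nftables.service reload, which presumably flushes the ruleset first, is unaffected. The trailing `# Valheim dedicated server` inside the quoted rule text is a parser comment that nft discards, so the installed rules carry no marker that would let the script find and delete its own entries. I would tag each rule with a real nft `comment "nftables-extra: …"` and delete tagged rules by handle at the top of the script, as below; the rules inside the `nftables/ssh` secret would need the same tag to be covered. Note also that `insert` places each rule at the head of the chain, ahead of the NixOS firewall's own rules, so whatever the secret file inserts last ends up evaluated first — worth a one-line comment stating that is intended.
```nix
"nftables-extra" = let
  nft = "${pkgs.nftables}/bin/nft";
  rules_script = ''
    # Remove rules tagged by an earlier run so start/reload stays idempotent.
    ${nft} -a list chain inet nixos-fw input \
      | sed -n 's/.*comment "nftables-extra:.*# handle \([0-9]*\)$/\1/p' \
      | while read -r handle; do ${nft} delete rule inet nixos-fw input handle "$handle"; done
    ${nft} insert rule inet nixos-fw input 'iifname "enp6s0" udp dport { 2456, 2457 } counter accept comment "nftables-extra: Valheim dedicated server"'
    # … unchanged: remaining insert rules, each ending in comment "nftables-extra: …" instead of a shell-style # trailer …
    ${nft} -f ${config.sops.secrets."nftables/ssh".path}
  '';
in {
```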