From 955088a064ae9838f37cf8a318c951849ee4d9a4 Mon Sep 17 00:00:00 2001
From: Mark Nipper <nipsy@bitgnome.net>
Date: Thu, 13 Jun 2024 01:23:27 -0700
Subject: Add additional service firewall rules

---
 hosts/darkstar/default.nix  | 8 ++++++++
 hosts/darkstar/services.nix | 9 +++++++++
 2 files changed, 17 insertions(+)

(limited to 'hosts/darkstar')

diff --git a/hosts/darkstar/default.nix b/hosts/darkstar/default.nix
index 73f66fa..eb5aa11 100644
--- a/hosts/darkstar/default.nix
+++ b/hosts/darkstar/default.nix
@@ -42,6 +42,14 @@
     hostName = "darkstar";
     defaultGateway = "192.168.1.1";
     domain = "bitgnome.net";
+    firewall = {
+      allowedTCPPorts = [
+        53 # domain
+      ];
+      allowedUDPPorts = [
+        53 # domain
+      ];
+    };
     interfaces = {
       enp116s0 = {
         ipv4.addresses = [
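Review bot: The new `firewall` block opens TCP and UDP 53 on every interface, because `networking.firewall.allowedTCPPorts`/`allowedUDPPorts` are not interface-scoped, while the NTP rule added to services.nix in the same commit is restricted to enp116s0, so the two hunks disagree on how exposed these services should be. If the resolver is only meant for the internal network, scope it the same way, e.g. `firewall.interfaces.enp116s0 = { allowedTCPPorts = [ 53 ]; allowedUDPPorts = [ 53 ]; };`, which keeps the resolver off any externally reachable interface. The enclosing attribute set (which appears to be `networking`) starts before the hunk.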
diff --git a/hosts/darkstar/services.nix b/hosts/darkstar/services.nix
index 90face3..323080c 100644
--- a/hosts/darkstar/services.nix
+++ b/hosts/darkstar/services.nix
@@ -1,4 +1,13 @@
 {
+  networking.nftables.tables.ntp = {
+    content = ''
+      define int_if = enp116s0
+      iifname $int_if udp dport ntp accept # 123
+    '';
+    enable = true;
+    family = inet;
+  };
+
   services.chrony = {
     enable = true;
     extraConfig = ''
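Review bot: `family = inet;` on the last added line is a bare identifier, and because the file is a plain attribute set starting at line 1 there is no `with` or `let` in scope to bind it, so evaluation should fail with an undefined variable; the option takes a string, `family = "inet";`. The rule in `content` also sits directly in the table rather than inside a chain, and as far as I know nft rejects that, so the ruleset needs a base chain with an input hook around the rule (the module's build-time ruleset check would otherwise fail). Note too that with nftables an `accept` in a separate table does not override a drop from the firewall's own input chain at the same hook, so if the intent is simply to allow NTP on the internal interface, `networking.firewall.interfaces.enp116s0.allowedUDPPorts = [ 123 ];` is the more reliable place to express it; the rewrite below keeps the table approach but makes it load.
```nix
  networking.nftables.tables.ntp = {
    content = ''
      define int_if = enp116s0
      chain input {
        type filter hook input priority 0; policy accept;
        iifname $int_if udp dport ntp accept # 123
      }
    '';
    enable = true;
    family = "inet";
  };
```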
-- 
cgit v1.2.3