refactor: split "real" modules and "config" modules

2024-05-25 17:56:30 +02:00 · 2024-05-25 17:56:30 +02:00 · cceae6c63c
commit cceae6c63c
parent 045f15239a
60 changed files with 126 additions and 113 deletions
--- a/config/nftables.nix
+++ b/config/nftables.nix
@ -0,0 +1,58 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  networking.nftables = {
+    stopRuleset = lib.mkDefault ''
+      table inet filter {
+        chain input {
+          type filter hook input priority filter; policy drop;
+          ct state invalid drop
+          ct state {established, related} accept
+
+          iifname lo accept
+          meta l4proto ipv6-icmp accept
+          meta l4proto icmp accept
+          tcp dport ${toString (lib.head config.services.openssh.ports)} accept
+        }
+        chain forward {
+          type filter hook forward priority filter; policy drop;
+        }
+        chain output {
+          type filter hook output priority filter; policy accept;
+        }
+      }
+    '';
+
+    firewall = {
+      enable = true;
+      localZoneName = "local";
+      snippets = {
+        nnf-common.enable = false;
+        nnf-conntrack.enable = true;
+        nnf-drop.enable = true;
+        nnf-loopback.enable = true;
+        nnf-ssh.enable = true;
+        nnf-icmp = {
+          enable = true;
+          ipv6Types = ["echo-request" "destination-unreachable" "packet-too-big" "time-exceeded" "parameter-problem" "nd-router-advert" "nd-neighbor-solicit" "nd-neighbor-advert"];
+          ipv4Types = ["echo-request" "destination-unreachable" "router-advertisement" "time-exceeded" "parameter-problem"];
+        };
+      };
+
+      rules.untrusted-to-local = {
+        from = ["untrusted"];
+        to = ["local"];
+
+        inherit
+          (config.networking.firewall)
+          allowedTCPPorts
+          allowedTCPPortRanges
+          allowedUDPPorts
+          allowedUDPPortRanges
+          ;
+      };
+    };
+  };
+}