sora/nixconfig
1
0
Fork 1
Code Issues 2 Pull Requests Actions Releases Activity

WIP

Browse Source
This commit is contained in:
soraefir
2026-05-08 20:22:04 +02:00
parent d3c301db36
commit 7194d91b1c
13 changed files with 214 additions and 293 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
modules/server/nftables/default.nix
View File

@@ -1,12 +1,6 @@
{ config, lib, ... }:
let
cfg = config.syscfg.server;
DBlistNames = config.syscfg.server.db;
DBcontainerNames = lib.mapAttrsToList
(name: cfg: name)
(lib.filterAttrs (name: cfg: cfg.db or false) config.syscfg.server.containers);
DBallApps = lib.unique (DBlistNames ++ DBcontainerNames);
in{
boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
@@ -15,20 +9,6 @@ in{
networking.nftables.enable = true;
networking.nftables.ruleset = ''
table inet filter {
chain input {
type filter hook input priority filter; policy drop;
ct state established,related accept
iifname "lo" accept
iifname { "podman*", "veth*" } accept
tcp dport {422, 22} accept
${if builtins.length DBallApps > 0 then ''tcp dport {5432, 6379} accept'' else ""}
${if cfg.web then ''tcp dport {80, 443} accept'' else ""}
${if cfg.web then ''udp dport {80, 443} accept'' else ""}
${if cfg.wireguard then ''tcp dport {1515} accept'' else ""}
${if cfg.wireguard then ''udp dport {1515} accept'' else ""}
}
}
${if cfg.nftables.enable then ''
table inet nat {
chain prerouting {