From c8cb980c1574449499bc89312b204a5e3c01361a Mon Sep 17 00:00:00 2001
From: soraefir
Date: Sun, 3 May 2026 13:21:22 +0200
Subject: [PATCH] Fix ports firewall

---
 modules/nixos/system/network/base/default.nix | 11 ++++++++++-
 modules/shared/syscfg/default.nix | 4 ++++
 systems/gateway/cfg.nix | 1 +
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/modules/nixos/system/network/base/default.nix b/modules/nixos/system/network/base/default.nix
index 05da746..ddca69d 100644
--- a/modules/nixos/system/network/base/default.nix
+++ b/modules/nixos/system/network/base/default.nix
@@ -4,6 +4,15 @@
 useDHCP = true;
 nameservers = [ "1.1.1.1" "9.9.9.9" ];
- firewall = { enable = true; };
+ firewall = {
+ enable = true;
+ allowedUDPPorts =
+ (if config.syscfg.server ? wireguard then [ 1515 ] else [ ]) ++
+ [ ];
+
+ allowedTCPPorts =
+ (if config.syscfg.server ? web then [ 80 443 22 ] else [ ]) ++
+ [ ];
+ };
 };
 }
diff --git a/modules/shared/syscfg/default.nix b/modules/shared/syscfg/default.nix
index 377d3aa..554c2cf 100644
--- a/modules/shared/syscfg/default.nix
+++ b/modules/shared/syscfg/default.nix
@@ -118,6 +118,10 @@ let
 type = type.bool;
 default = false;
 };
+ web = mkOption {
+ type = type.bool;
+ default = false;
+ };
 nftables = {
 enable = mkOption {
 type = type.bool;
diff --git a/systems/gateway/cfg.nix b/systems/gateway/cfg.nix
index fdff7cb..bbc4bf9 100644
--- a/systems/gateway/cfg.nix
+++ b/systems/gateway/cfg.nix
@@ -29,6 +29,7 @@
 server = {
 openssh = true;
 wireguard = true;
+ web = true;
 nftables = {
 enable = true;
 ifs = ["ens3" "wg0" ];
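Review bot: The two guards `config.syscfg.server ? wireguard` and `config.syscfg.server ? web` test whether the attribute *exists*, not whether it is true, so on every host where these options are declared (the `web` option added in the second file of this commit has `default = false`, and `wireguard` appears to be declared the same way) the `?` check is always true and ports 1515/udp and 80, 443, 22/tcp are opened everywhere, regardless of the option value — the opposite of what "Fix ports firewall" intends. Read the option values instead: `allowedUDPPorts = if config.syscfg.server.wireguard then [ 1515 ] else [ ];` and `allowedTCPPorts = (if config.syscfg.server.web then [ 80 443 ] else [ ]) ++ (if config.syscfg.server.openssh then [ 22 ] else [ ]);`. Tying SSH (22) to the `web` flag also means a host with `openssh = true` but no web role gets no SSH port, while a web host without SSH gets 22 opened; the separate `openssh` option visible in systems/gateway/cfg.nix is the right switch for it. The trailing `++ [ ]` on both lists is a no-op and can be dropped. The enclosing `networking` attribute set starts before this hunk.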
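Review bot: The new `web` option is declared without a `description`, unlike what a reader of `syscfg` needs to know about a boolean that, via modules/nixos/system/network/base/default.nix, opens inbound ports on the host; add `description = "This host serves web traffic; opens the HTTP/HTTPS ports in the firewall.";` inside the `mkOption` so the firewall consequence is visible where the flag is set. If the sibling options in this `let` block also lack descriptions, the same applies to them, but this hunk is where the new one is introduced.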
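Review bot: Setting `web = true;` on the gateway makes the base network module open the web ports in the global `networking.firewall.allowedTCPPorts`, which applies to every interface — including `wg0`, listed right below in `ifs`, not only the uplink `ens3`. If the web service is meant to be reachable only from the outside (or only over the tunnel), scope the ports per interface with `networking.firewall.interfaces.<name>.allowedTCPPorts` in the base module rather than the global list; whether that split is wanted for this gateway is not visible from the hunk.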