added stuff

2024-04-09 23:11:33 +02:00 · 2024-04-09 23:11:33 +02:00 · 236b8c2a6b
commit 236b8c2a6b
parent 937f28770d
907 changed files with 70990 additions and 0 deletions
--- a/nyx/hosts/helios/nftables.nix
+++ b/nyx/hosts/helios/nftables.nix
@ -0,0 +1,47 @@
+{lib, ...}: let
+  inherit (lib) entryBetween;
+in {
+  networking.nftables.rules = {
+    inet.filter.input = {
+      # endlessh
+      endlessh = entryBetween ["basic-icmp6" "basic-icmp" "ping6" "ping"] ["default"] {
+        protocol = "tcp";
+        field = "dport";
+        value = [22];
+        policy = "accept";
+      };
+
+      # this allows nginx to respond to the domain challenges without passing each service through the firewall
+      https = entryBetween ["basic-icmp6" "basic-icmp" "ping6" "ping"] ["default"] {
+        protocol = "tcp";
+        field = "dport";
+        value = [443];
+        policy = "accept";
+      };
+
+      headscale = entryBetween ["basic-icmp6" "basic-icmp" "ping6" "ping"] ["default"] {
+        protocol = "udp";
+        field = "dport";
+        value = [8344];
+        policy = "accept";
+      };
+
+      # NOTE: snm has an option to enable firewall ports by default, but my nftables abstractions
+      # do not allow for us to use that option, so we'll just open the ports manually
+      # I could probably add an entry that propagates the tcpPorts option to the firewall
+      # but that doesn not seem like a very good option since we'll not be able to control policies
+      simple-nixos-mailserver = entryBetween ["basic-icmp6" "basic-icmp" "ping6" "ping"] ["default"] {
+        protocol = "tcp";
+        field = "dport";
+        value = [
+          25 # smtp
+          80 # used for acme-nginx domain challenges
+          143 # imap
+          993 # imapSsl
+          465 # smtpSsl
+        ];
+        policy = "accept";
+      };
+    };
+  };
+}