Networking: add ssh and more firewall rules

2025-02-23 06:05:10 +00:00 · 2025-01-27 16:07:24 +02:00 · 2025-01-27 16:07:24 +02:00 · 2a57b163e6
commit 2a57b163e6
parent 6fc5cef4cb
3 changed files with 25 additions and 3 deletions
--- a/modules/nixos/networking/firewall/default.nix
+++ b/modules/nixos/networking/firewall/default.nix
@ -1,5 +1,30 @@
 {
+  pkgs,
+  lib,
+  ...
+}: let
+  inherit (lib.modules) mkForce;
+in {
  imports = [
    ./fail2ban.nix
  ];
+
+  config = {
+    networking.firewall = {
+      enable = true;
+      package = pkgs.iptables;
+
+      allowedTCPPorts = [
+        443
+        80
+      ];
+      allowedUDPPorts = [];
+
+      # make a much smaller and easier to read log
+      logReversePathDrops = true;
+      logRefusedConnections = false;
+
+      checkReversePath = mkForce false;
+    };
+  };
 }
--- a/modules/nixos/networking/ssh.nix
+++ b/modules/nixos/networking/ssh.nix
@ -1,7 +1,6 @@
 {...}: {
  services.openssh = {
    enable = true;
-    startWhenNeeded = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
--- a/systems/theia/networking.nix
+++ b/systems/theia/networking.nix
@ -5,8 +5,6 @@ in {
    enableIPv6 = true;
    firewall = {
      allowedTCPPorts = [
-        80 # HTTP
-        443 # HTTPS
        25565 # minecraft
        25566 # minecraft
        25567 # minecraft