First commit

2026-02-22 17:28:02 +01:00
parent 7a70268785
commit 6bacf1878e
9011 changed files with 114470 additions and 0 deletions
@@ -0,0 +1,57 @@
{ config, lib, pkgs, ... }:
let
moduleName = "nixos-firewall";
# Why:
# - You had LAN-specific allow rules. Keeping the CIDR as a single variable
# makes it easy to override per-host or per-network later.
#
# If your LAN changes, override this value in hosts/<host>/networking.nix.
homeLanCidr = "192.168.2.0/24";
in
{
# Why:
# - Use nftables backend (modern default direction).
# - Matches your existing config and plays nicely with custom rules.
networking.nftables.enable = true;
networking.firewall = {
enable = true;
# Why:
# - Strong baseline: nothing inbound is open unless explicitly allowed.
# - You then selectively allow what you need (SSH ports live in sshd.nix).
allowedTCPPorts = [ ];
allowedUDPPorts = [ ];
# Why:
# - These are “quality of life” LAN services you had already:
# - KDE Connect: TCP/UDP 1714-1764
# - mDNS: UDP 5353 (printer discovery / Avahi-style discovery)
#
# Notes:
# - These rules ONLY allow traffic originating from homeLanCidr.
# - On other networks they effectively do nothing.
# - If you dont use KDE Connect or mDNS, delete these blocks.
extraInputRules = ''
# KDE Connect (TCP/UDP 1714-1764) from home LAN
ip saddr ${homeLanCidr} tcp dport 1714-1764 accept
ip saddr ${homeLanCidr} udp dport 1714-1764 accept
# mDNS / discovery (UDP 5353) from home LAN
ip saddr ${homeLanCidr} udp dport 5353 accept
'';
# Optional baseline knobs (kept conservative):
#
# Why:
# - Logging refused packets can be noisy on laptops that roam networks.
# - Leave disabled by default; enable temporarily for debugging.
logRefusedConnections = lib.mkDefault false;
};
# Optional: leave a breadcrumb in /etc for debugging module load order
# (handy while refactoring; remove once stable).
environment.etc."nixlog/loaded.${moduleName}".text = "loaded\n";
}
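Review bot: The comment above `homeLanCidr` says the value can be overridden from `hosts/<host>/networking.nix`, but a `let` binding is local to this file and no other module can change it, so the two `ip saddr ${homeLanCidr}` allow rules will keep pointing at 192.168.2.0/24 even after a host file is edited as instructed. To make that promise true, declare the value as a module option and read it through `config`, which in turn requires the remaining settings to move under `config = { ... };` (option namespace below is constructed — use whatever prefix the repository already has). The note `# - On other networks they effectively do nothing.` also overstates the protection: a source-address match is not authentication, and any other network that hands out 192.168.2.0/24 addresses satisfies it, which is a realistic case for the roaming laptop the logging comment already anticipates. I would reword it to `# - The source-address match only narrows exposure; another network using the same private range also matches.`

```nix
{ config, lib, pkgs, ... }:
let
  # … unchanged: moduleName binding …
  # Constructed option path — align with the repository's existing namespace.
  cfg = config.my.firewall;
in
{
  options.my.firewall.homeLanCidr = lib.mkOption {
    type = lib.types.str;
    default = "192.168.2.0/24";
    description = "IPv4 CIDR allowed to reach KDE Connect and mDNS on this host.";
  };

  config = {
    # … unchanged: nftables/firewall settings and the /etc breadcrumb, with
    # ${homeLanCidr} replaced by ${cfg.homeLanCidr} in extraInputRules …
  };
}
```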