nixos/Droidnix/generated/modules/traveldroid/system/firewall.nix

# --- This file has been auto-generated. For permanent changes alter the appropriate block in the README.org. ---
{ pkgs, ... }:

{
  # Use nftables as the firewall backend
  networking.nftables.enable = true;

  networking.firewall = {
    enable = true;

    filterForward = false;  # don't filter forwarded traffic
    # outbound is allowed by default UNLESS you've set:
    extraOutputRules = "";  # make sure nothing blocks output

    # LAN-only ports — Wi-Fi interface
    interfaces."wlan0" = {
      allowedTCPPorts = [
        80     # allow HTTP globally for outbound
        443    # allow HTTPS globally for outbound
        631    # CUPS / IPP network printing
        9100   # AppSocket/JetDirect printing
        6566   # SANE network scanner
        57621  # Spotify Connect
        57622  # Spotify local file sync
      ];
      allowedTCPPortRanges = [
        { from = 1714; to = 1764; }  # KDE Connect
      ];
      allowedUDPPorts = [
        5353   # mDNS / Avahi (printer + device discovery)
        631    # CUPS / IPP
        67     # DHCP
        123    # NTP time sync
        1900   # UPnP device discovery
        57621  # Spotify Connect
      ];
      allowedUDPPortRanges = [
        { from = 1714; to = 1764; }  # KDE Connect
      ];
    };

    # LAN-only ports — ethernet (ready for when you plug in)
    interfaces."enp0s31f6" = {
      allowedTCPPorts = [
        631    # CUPS / IPP network printing
        9100   # AppSocket/JetDirect printing
        6566   # SANE network scanner
        57621  # Spotify Connect
        57622  # Spotify local file sync
      ];
      allowedTCPPortRanges = [
        { from = 1714; to = 1764; }  # KDE Connect
      ];
      allowedUDPPorts = [
        5353   # mDNS / Avahi (printer + device discovery)
        631    # CUPS / IPP
        67     # DHCP
        123    # NTP time sync
        1900   # UPnP device discovery
        57621  # Spotify Connect
      ];
      allowedUDPPortRanges = [
        { from = 1714; to = 1764; }  # KDE Connect
      ];
    };
  };

  # CLI tool for temporary rule changes without rebuilding
  # Usage: sudo nixos-firewall-tool open tcp 8080
  environment.systemPackages = with pkgs; [
    nixos-firewall-tool
  ];
}