From 1e370e35f36031ddfd4c7971b5fee23d75bb7b72 Mon Sep 17 00:00:00 2001
From: LavaDesu
Date: Mon, 20 Sep 2021 13:42:43 +0000
Subject: [PATCH] security: enable firewall
---
 hosts/fondue/default.nix | 1 +
 hosts/fondue/firewall.nix | 3 +++
 modules/system/security.nix | 6 +++++-
 3 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 hosts/fondue/firewall.nix
diff --git a/hosts/fondue/default.nix b/hosts/fondue/default.nix
index 9eb04d5..7d42262 100644
--- a/hosts/fondue/default.nix
+++ b/hosts/fondue/default.nix
@@ -14,6 +14,7 @@
 snapper
 ./filesystem.nix
+ ./firewall.nix
 ./kernel.nix
 ./networking.nix
diff --git a/hosts/fondue/firewall.nix b/hosts/fondue/firewall.nix
new file mode 100644
index 0000000..8c96e41
--- /dev/null
+++ b/hosts/fondue/firewall.nix
@@ -0,0 +1,3 @@
+{ ... }: {
+ networking.firewall.allowedTCPPorts = [ 22 80 ];
+}
diff --git a/modules/system/security.nix b/modules/system/security.nix
index abada90..b1e3260 100644
--- a/modules/system/security.nix
+++ b/modules/system/security.nix
@@ -1,5 +1,9 @@
 { config, pkgs, ... }: {
- networking.firewall.enable = false;
+ networking.firewall = {
+ enable = true;
+ allowedUDPPorts = [ 20100 ];
+ trustedInterfaces = [ "wg0" ];
+ };
 services.openssh = {
 enable = true;
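Review bot: In hosts/fondue/firewall.nix, `allowedTCPPorts = [ 22 80 ]` opens both ports on every interface and carries no comment saying which service each port is for. The same patch shows `services.openssh.enable = true` in modules/system/security.nix, and the NixOS openssh module opens its own port by default through `services.openssh.openFirewall`, so the `22` entry is probably redundant; worth confirming and dropping so the SSH exposure is defined in one place. Port 80 is plain HTTP with no 443 beside it; if that is intentional, record why with a comment such as `# 80: HTTP, <service name>`. If the listener is only meant to be reachable from one network, `networking.firewall.interfaces.<iface>.allowedTCPPorts` scopes it to that interface.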
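Review bot: In modules/system/security.nix, `trustedInterfaces = [ "wg0" ]` makes the firewall accept all traffic arriving on wg0, so every peer on that tunnel can reach every listening port and the port allow-lists no longer apply to it. If not every peer is meant to have full access, scope it with `networking.firewall.interfaces.wg0.allowedTCPPorts = [ <ports> ];` instead, or at least add a comment such as `# wg0 peers bypass the allow-list; keep the peer set restricted`. `allowedUDPPorts = [ 20100 ]` is unexplained; if it is the WireGuard listen port (not visible in this patch), a comment or a reference to the configured listen port would keep the two from drifting apart. Because this is a shared module and only fondue gets an allow-list in this patch, any other host importing it would now drop inbound traffic on ports it previously served. The module body, including the `services.openssh` block, continues past the end of the hunk.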