security: enable firewall

hosts/fondue/default.nix

@@ -14,6 +14,7 @@
     snapper
 
     ./filesystem.nix
+    ./firewall.nix
     ./kernel.nix
     ./networking.nix
 

hosts/fondue/firewall.nix

@@ -0,0 +1,3 @@
+{ ... }: {
+  networking.firewall.allowedTCPPorts = [ 22 80 ];
+}

modules/system/security.nix

@@ -1,5 +1,9 @@
 { config, pkgs, ... }: {
-  networking.firewall.enable = false;
+  networking.firewall = {
+    enable = true;
+    allowedUDPPorts = [ 20100 ];
+    trustedInterfaces = [ "wg0" ];
+  };
 
   services.openssh = {
     enable = true;