From 943f111cb6f7cf4150b42bdba7df800703dc38bc Mon Sep 17 00:00:00 2001
From: LavaDesu
Date: Mon, 4 Sep 2023 12:28:19 +0700
Subject: [PATCH] system/security: open firewall for local network
---
 modules/system/security.nix | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/modules/system/security.nix b/modules/system/security.nix
index 8b48413..6e44eae 100644
--- a/modules/system/security.nix
+++ b/modules/system/security.nix
@@ -1,9 +1,19 @@
 { config, pkgs, ... }: {
- networking.firewall = {
+ networking.firewall =
+ let
+ iptables = "${pkgs.iptables}/bin/iptables";
+ genCmds = type: ''
+ ${iptables} -${type} nixos-fw -p tcp --source 192.168.0.0/16 -j nixos-fw-accept ${if type == "D" then " || true" else ""}
+ ${iptables} -${type} nixos-fw -p udp --source 192.168.0.0/16 -j nixos-fw-accept ${if type == "D" then " || true" else ""}
+ '';
+ in {
 enable = true;
 allowedUDPPortRanges = [ { from = 20000; to = 20100; } ];
 allowedTCPPortRanges = [ { from = 20000; to = 20100; } ];
 trustedInterfaces = [ "wg0" ];
+
+ extraCommands = genCmds "I";
+ extraStopCommands = genCmds "D";
 };
 services.openssh = {
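Review bot: The two accept rules in `genCmds` match any source in 192.168.0.0/16 on every interface, so they admit whatever hosts share a link with this machine on any network in that range — hotel and café Wi-Fi commonly hand out 192.168.x.x addresses — not only the home LAN the subject line describes, and because they are inserted with `-I` ahead of the port-based rules, every listening TCP/UDP service is reachable, not just the 20000-20100 ranges kept below. Scope the rules to the LAN interface and its real subnet, e.g. `${iptables} -${type} nixos-fw -i <lan-if> -p tcp --source 192.168.1.0/24 -j nixos-fw-accept ...` (same for udp), or, if whole-interface trust is the intent, add that interface to `trustedInterfaces` as is already done for `wg0`. A comment above `genCmds` should also record that these are IPv4 iptables rules only and that `extraCommands`/`extraStopCommands` are not applied when the host uses the nftables backend (`networking.nftables.enable`), which I cannot verify from this file. The `in { ... }` attribute set continues past the hunk's context lines, so the full set of firewall options is not visible here.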