From 244a029d7094b2f8ff6123045d86624f3aad8da5 Mon Sep 17 00:00:00 2001
From: Martin Berg Alstad
Date: Wed, 16 Apr 2025 21:09:17 +0000
Subject: [PATCH] :sparkles: [pi4] Nftables firewall config, moved security.nix to security dir
---
 hosts/pi4/default.nix | 2 +-
 .../pi4/{security.nix => security/default.nix} | 4 ++++
 hosts/pi4/security/firewall.nix | 17 +++++++++++++++++
 3 files changed, 22 insertions(+), 1 deletion(-)
 rename hosts/pi4/{security.nix => security/default.nix} (74%)
 create mode 100644 hosts/pi4/security/firewall.nix
diff --git a/hosts/pi4/default.nix b/hosts/pi4/default.nix
index 8e3581b..5a0a120 100644
--- a/hosts/pi4/default.nix
+++ b/hosts/pi4/default.nix
@@ -13,7 +13,7 @@
 ./development.nix
 ./hardware.nix
 ./networking.nix
- ./security.nix
+ ./security
 ];
 
 system.stateVersion = systemConfig.version;
diff --git a/hosts/pi4/security.nix b/hosts/pi4/security/default.nix
similarity index 74%
rename from hosts/pi4/security.nix
rename to hosts/pi4/security/default.nix
index 78a5300..25be243 100644
--- a/hosts/pi4/security.nix
+++ b/hosts/pi4/security/default.nix
@@ -1,4 +1,8 @@
 {
+ imports = [
+ ./firewall.nix
+ ];
+
 programs.gnupg.agent = {
 enable = true;
 enableSSHSupport = true;
diff --git a/hosts/pi4/security/firewall.nix b/hosts/pi4/security/firewall.nix
new file mode 100644
index 0000000..b5e2a2f
--- /dev/null
+++ b/hosts/pi4/security/firewall.nix
@@ -0,0 +1,17 @@
+{
+ networking = {
+ firewall = {
+ enable = true;
+ trustedInterfaces = [ "tailscale0" ];
+ extraInputRules =
+ let
+ localIPv4Range = "192.168.10.0/24";
+ in
+ ''
+ ip saddr ${localIPv4Range} tcp dport 22 accept
+ ip saddr ${localIPv4Range} udp dport 22 accept
+ '';
+ };
+ nftables.enable = true;
+ };
+}
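Review bot: The second rule in extraInputRules of firewall.nix, `ip saddr ${localIPv4Range} udp dport 22 accept`, opens UDP/22 although SSH is TCP-only, so it admits traffic no service here is expected to listen on; keep only the `tcp dport 22` line. The LAN-only restriction is also only meaningful if port 22 is not opened globally elsewhere: if `services.openssh.enable` is set in another module with NixOS's default `openFirewall = true`, 22/tcp is already in `allowedTCPPorts` on every interface and this rule adds nothing, so consider `services.openssh.openFirewall = false;` alongside these rules — the sshd configuration is not visible in this patch. Note as well that `trustedInterfaces = [ "tailscale0" ]` bypasses all input filtering on that interface, which looks intended but deserves a comment such as `# tailscale0: all traffic accepted, relies on Tailscale ACLs` so the exposure is explicit.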