nixos-configuration/hosts/pi4/security/firewall.nix


# Inbound firewall policy for this host (NixOS firewall on the nftables backend).
#
# Resulting exposure:
#   * TCP 80 and 443 are open to every source on every interface.
#   * Everything arriving on the tailscale0 interface is accepted.
#   * Everything with an IPv4 source address in 192.168.10.0/24 is accepted.
{
  # extraInputRules below is only honoured by the nftables-based firewall,
  # so this switch has to stay on for the LAN rule to take effect.
  networking.nftables.enable = true;

  networking.firewall = {
    enable = true;

    # Publicly reachable services (HTTP / HTTPS).
    allowedTCPPorts = [ 80 443 ];

    # Traffic on a trusted interface bypasses port filtering entirely; every
    # listening service on this host is reachable by any tailnet peer unless
    # access is restricted on the Tailscale side.
    trustedInterfaces = [ "tailscale0" ];

    # Accept all traffic from the local IPv4 subnet.
    # NOTE(review): the rule matches on source address only. It carries no
    # interface (iifname) or port match, so the trust decision rests on the
    # packet's claimed source IP. Confirm that upstream routing / anti-spoofing
    # prevents that range from arriving on an untrusted link, or scope the rule
    # to the LAN interface. There is no IPv6 counterpart, so IPv6 LAN clients
    # only get the two TCP ports above.
    extraInputRules =
      let
        lanSubnet = "192.168.10.0/24";
      in
      ''
        ip saddr ${lanSubnet} accept
      '';
  };
}