fix: imxyy-nix-x16

2025-07-18 23:43:10 +08:00
parent 422259838b
commit 66e772ce62
3 changed files with 44 additions and 7 deletions
--- a/config/hosts/imxyy-nix-x16/net.nix
+++ b/config/hosts/imxyy-nix-x16/net.nix
@@ -1,6 +1,5 @@
 {
  config,
-  lib,
  pkgs,
  sopsRoot,
  ...
@@ -10,7 +9,48 @@
    "biosdevname=0"
    "net.ifnames=0"
  ];
-  networking.networkmanager.enable = true;
+  networking = {
+    networkmanager.enable = true;
+    firewall.enable = false;
+    nftables = {
+      enable = true;
+      flushRuleset = true;
+      ruleset = ''
+        table inet firewall {
+          set LANv4 {
+            type ipv4_addr
+            flags interval
+
+            elements = { 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }
+          }
+          set LANv6 {
+            type ipv6_addr
+            flags interval
+
+            elements = { fd00::/8, fe80::/10 }
+          }
+
+          chain output {
+            type filter hook output priority 100; policy accept;
+          }
+
+          chain input {
+            type filter hook input priority 0; policy drop;
+            iif lo accept
+            ct state invalid drop
+            ct state established,related accept
+
+            ip saddr @LANv4 accept
+            ip6 saddr @LANv6 accept
+          }
+
+          chain forward {
+            type filter hook forward priority 0; policy drop;
+          }
+        }
+      '';
+    };
+  };

  sops.secrets.dae-imxyy-nix-x16 = {
    sopsFile = sopsRoot + /dae-imxyy-nix-x16.dae;