feat: nix/fod firewall deployment

Author: Conni2461

flake.lock

@@ -2,6 +2,7 @@
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
     nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs-unstable-helsinki.url = "github:helsinki-systems/nixpkgs/feat/nix-daemon-firewall";
     # Why?
     flake-parts.url = "github:hercules-ci/flake-parts";
     flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";

flake.nix

@@ -45,7 +45,7 @@
   services.hydra-queue-builder-v2 = {
     enable = true;
     queueRunnerAddr = "https://queue-runner.staging-hydra.nixos.org";
-    maxJobs = 2;
+    maxJobs = 4;
     supportedFeatures = [ "fod-checker" ];
     mandatoryFeatures = [ "fod-checker" ];
     mtls = {

non-critical-infra/hosts/build04.ofborg.org/default.nix

@@ -47,7 +47,7 @@
   services.hydra-queue-builder-v2 = {
     enable = true;
     queueRunnerAddr = "https://queue-runner.staging-hydra.nixos.org";
-    maxJobs = 2;
+    maxJobs = 4;
     supportedFeatures = [ "fod-checker" ];
     mandatoryFeatures = [ "fod-checker" ];
     mtls = {

non-critical-infra/hosts/eval04.ofborg.org/default.nix

@@ -5,9 +5,27 @@
     "${inputs.infra}/modules/common.nix"
     "${inputs.infra}/non-critical-infra/modules/common.nix"
     ./ofborg-config.nix
+    "${inputs.nixpkgs-unstable-helsinki}/nixos/modules/services/system/nix-daemon-firewall.nix"
   ];
 
-  nix.gc.automatic = true;
+  nix = {
+    gc.automatic = true;
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        21 # access to ftp files
+        22 # fetchGit
+        34
+        "http"
+        443
+        "30000-31000"
+      ];
+      allowedUDPPorts = [
+        53 # DNS
+        443 # QUIC/HTTP3
+      ];
+    };
+  };
 
   # TODO wire up exporters
   # TODO loki