feat: nix/fod firewall deployment

Conni2461 · Conni2461 · commit 585f8c0dd4e1 · 2025-12-04T11:52:35.000+01:00
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -3,6 +3,7 @@
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
     nixpkgs_25_05.url = "github:NixOS/nixpkgs/nixos-25.05-small";
     nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs-unstable-helsinki.url = "github:helsinki-systems/nixpkgs/feat/nix-daemon-firewall";
     # Why?
     flake-parts.url = "github:hercules-ci/flake-parts";
     flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
diff --git a/non-critical-infra/modules/ofborg/common.nix b/non-critical-infra/modules/ofborg/common.nix
@@ -5,9 +5,24 @@
     "${inputs.infra}/modules/common.nix"
     "${inputs.infra}/non-critical-infra/modules/common.nix"
     ./ofborg-config.nix
+    "${inputs.nixpkgs-unstable-helsinki}/nixos/modules/services/system/nix-daemon-firewall.nix"
   ];
 
-  nix.gc.automatic = true;
+  nix = {
+    gc.automatic = true;
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        21 # access to ftp files
+        22 # fetchGit
+        34
+        "http"
+        443
+        "30000-31000"
+      ];
+      allowedUDPPorts = [ 53 ];
+    };
+  };
 
   # TODO wire up exporters
   # TODO loki
