From 0b8e88f09d66568fda05c56e331e1882f9c4f6bb Mon Sep 17 00:00:00 2001
From: Ivan Kirilov Dimitrov
Date: Mon, 5 Aug 2024 18:54:30 +0200
Subject: [PATCH] firewall module
---
 hosts/vps/mailserver/default.nix | 32 -------------------------------
 nixos/configs/default.nix | 2 +-
 nixos/modules/default.nix | 33 ++++++++++++++++++++++++++++++++
 3 files changed, 34 insertions(+), 33 deletions(-)
diff --git a/hosts/vps/mailserver/default.nix b/hosts/vps/mailserver/default.nix
index 7bc32a4..fd9fd3e 100644
--- a/hosts/vps/mailserver/default.nix
+++ b/hosts/vps/mailserver/default.nix
@@ -6,38 +6,6 @@
 options = [ "nofail" ];
 };
 
- networking = {
- firewall = pkgs.lib.mkForce {
- enable = true;
- allowedTCPPorts = [
- 25 # smtp
- 465 # smtps
- 80 # http
- 443 # https
- ];
- allowedUDPPorts = [
- 25
- 465
- 80
- 443
- 51820 # wireguard
- ];
- extraCommands = ''
- iptables -N vpn # create a new chain named vpn
- iptables -A vpn --src 10.0.0.2 -j ACCEPT # allow
- iptables -A vpn --src 10.0.0.3 -j ACCEPT # allow
- iptables -A vpn --src 10.0.0.4 -j ACCEPT # allow
- iptables -A vpn -j DROP # drop everyone else
- iptables -I INPUT -m tcp -p tcp --dport 22 -j vpn
- '';
- extraStopCommands = ''
- iptables -F vpn
- iptables -D INPUT -m tcp -p tcp --dport 22 -j vpn
- iptables -X vpn
- '';
- };
- };
-
 users = {
 users.ivand = {
 isNormalUser = true;
diff --git a/nixos/configs/default.nix b/nixos/configs/default.nix
index 330f1d6..f65226b 100644
--- a/nixos/configs/default.nix
+++ b/nixos/configs/default.nix
@@ -22,7 +22,7 @@ in
 nova-nonya = novaConfig (with mods; [ ivand anon cryptocurrency ]);
 nova-ai = novaConfig (with mods; [ ivand ai ]);
 install-iso = configWithModules { modules = (with mods; [ grub base shell wireless ]); };
- vps = configWithModules { modules = (with mods; [ base shell security vps mailserver nginx wireguard-output anonymous-dns ]); };
+ vps = configWithModules { modules = (with mods; [ base shell security vps mailserver nginx wireguard-output anonymous-dns firewall ]); };
 stara-miner = configWithModules { modules = (essential ++ [ mods.monero-miner ]); };
 };
 }
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
index b88ba7b..af23cea 100644
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@@ -484,5 +484,38 @@ top@{ inputs, moduleWithSystem, ... }: {
 };
 };
 });
+ firewall = moduleWithSystem (toplevel@{ ... }: perSystem@{ lib, ... }: {
+ networking = {
+ firewall = lib.mkForce {
+ enable = true;
+ allowedTCPPorts = [
+ 25 # smtp
+ 465 # smtps
+ 80 # http
+ 443 # https
+ ];
+ allowedUDPPorts = [
+ 25
+ 465
+ 80
+ 443
+ 51820 # wireguard
+ ];
+ extraCommands = ''
+ iptables -N vpn # create a new chain named vpn
+ iptables -A vpn --src 10.0.0.2 -j ACCEPT # allow
+ iptables -A vpn --src 10.0.0.3 -j ACCEPT # allow
+ iptables -A vpn --src 10.0.0.4 -j ACCEPT # allow
+ iptables -A vpn -j DROP # drop everyone else
+ iptables -I INPUT -m tcp -p tcp --dport 22 -j vpn
+ '';
+ extraStopCommands = ''
+ iptables -F vpn
+ iptables -D INPUT -m tcp -p tcp --dport 22 -j vpn
+ iptables -X vpn
+ '';
+ };
+ };
+ });
 };
 }
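Review bot: `allowedUDPPorts` in the new `firewall` module opens UDP 25, 465, 80 and 443 next to the same TCP ports, but smtp, smtps and http are TCP-only and nothing in the diff shows an HTTP/3 listener on 443, so those four UDP openings are avoidable exposure; unless such a listener exists I would keep only `51820 # wireguard` in that list. Wrapping the whole `networking.firewall` set in `lib.mkForce` also silently discards any ports that the other modules in the `vps` list (mailserver, nginx, wireguard-output) add through their own options, which deserves a comment such as `# mkForce: ports opened by other modules are intentionally dropped; list them here` or a narrower override of just the port lists. The `vpn` chain is built with plain `iptables`, so the source allow-list for SSH is IPv4-only; that is safe here only because 22 is absent from `allowedTCPPorts` and so SSH over IPv6 is refused outright, which should be stated in a comment. If I read the NixOS reload path correctly, `extraCommands` is re-run on a firewall reload without `extraStopCommands` first, so `iptables -N vpn` fails once the chain exists and the `-I INPUT` jump is duplicated on every successful reload; guard both, e.g. `iptables -N vpn 2>/dev/null || iptables -F vpn` and `iptables -D INPUT -m tcp -p tcp --dport 22 -j vpn 2>/dev/null || true` before the insert. The enclosing attribute set of `nixos/modules/default.nix` begins outside the hunk.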