Improve firewalling

2024-05-04 14:50:59 +00:00 · 2024-05-04 14:50:59 +00:00 · 0042b62652
commit 0042b62652
parent b395cde724
4 changed files with 32 additions and 14 deletions
--- a/hosts/aluminium/services/dnsmasq.nix
+++ b/hosts/aluminium/services/dnsmasq.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ lib, pkgs, ... }:

 let
  stateDir = "/var/lib/dnsmasq";
@ -42,8 +42,18 @@ in
    };
  };

-  networking.firewall = {
-    allowedUDPPorts = [ 53 67 ];
-    allowedTCPPorts = [ 53 ];
-  };
+  networking.firewall.interfaces = lib.attrsets.genAttrs [
+    "heizung"
+    "iot"
+    "lechner"
+    "pv"
+    "sprechanlage"
+    "voice"
+  ]
+    (
+      interface: {
+        allowedUDPPorts = [ 53 67 ];
+        allowedTCPPorts = [ 53 ];
+      }
+    );
 }
--- a/hosts/aluminium/services/unifi-controller.nix
+++ b/hosts/aluminium/services/unifi-controller.nix
@ -6,8 +6,9 @@ in
 {
  services.unifi = {
    enable = true;
-    openFirewall = true;
    unifiPackage = pkgs.unifi;
  };
-  networking.firewall.allowedTCPPorts = [ ports.unifi.tcp ];
+  networking.firewall.interfaces.lechner.allowedTCPPorts = [
+    ports.unifi.tcp
+  ];
 }
--- a/hosts/iron/services/dnsmasq.nix
+++ b/hosts/iron/services/dnsmasq.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ lib, pkgs, ... }:

 let
  stateDir = "/var/lib/dnsmasq";
@ -37,8 +37,14 @@ in
    };
  };

-  networking.firewall = {
-    allowedUDPPorts = [ 53 67 ];
-    allowedTCPPorts = [ 53 ];
-  };
+  networking.firewall.interfaces = lib.attrsets.genAttrs [
+    "enp2s4"
+    "iot"
+  ]
+    (
+      interface: {
+        allowedUDPPorts = [ 53 67 ];
+        allowedTCPPorts = [ 53 ];
+      }
+    );
 }
--- a/hosts/iron/services/unifi-controller.nix
+++ b/hosts/iron/services/unifi-controller.nix
@ -6,8 +6,9 @@ in
 {
  services.unifi = {
    enable = true;
-    openFirewall = true;
    unifiPackage = pkgs.unifi;
  };
-  networking.firewall.allowedTCPPorts = [ ports.unifi.tcp ];
+  networking.firewall.interfaces.enp2s4.allowedTCPPorts = [
+    ports.unifi.tcp
+  ];
 }