From 83469322e6e54337ad3870df09cc3b4ac24a6493 Mon Sep 17 00:00:00 2001
From: Jermeiah S
Date: Wed, 25 Jun 2025 18:34:50 -0400
Subject: [PATCH] feature: added nftables config [deploy]

this default config allows everything internally but only allows ssh over ygg0
---
 modules/nixos/common/firewall.nix | 33 +++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 modules/nixos/common/firewall.nix

diff --git a/modules/nixos/common/firewall.nix b/modules/nixos/common/firewall.nix
new file mode 100644
index 0000000..6c93641
--- /dev/null
+++ b/modules/nixos/common/firewall.nix
@@ -0,0 +1,33 @@
+{
+ lib,
+ pkgs,
+ config,
+ ...
+}:
+{
+ networking.nftables = {
+ enable = true;
+ ruleset = ''
+ table inet filter {
+ chain input {
+ type filter hook input priority filter; policy accept;
+ ct state related,established accept
+
+ # Restrict ygg0: only allow SSH in
+ iifname "ygg0" tcp dport 22 accept
+ iifname "ygg0" drop
+ }
+
+ chain forward {
+ type filter hook forward priority filter; policy accept;
+ # Optional: drop forwarding via ygg0
+ iifname "ygg0" drop
+ }
+
+ chain output {
+ type filter hook output priority filter; policy accept;
+ }
+ }
+ '';
+ };
+}
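Review bot: The `iifname "ygg0" drop` line in the input chain also drops every ICMPv6 packet arriving on ygg0, and if ygg0 is an IPv6-only Yggdrasil tun interface that includes Packet Too Big and similar control messages, so path MTU discovery fails and SSH sessions over that interface can stall on larger transfers; add `iifname "ygg0" meta l4proto ipv6-icmp accept` ahead of the drop, and consider `ct state invalid drop` right after the related,established accept. The forward chain only drops packets entering on ygg0 (`iifname`), not traffic leaving through it, so the "drop forwarding via ygg0" comment overstates what the rule does; if IP forwarding is enabled anywhere, `oifname "ygg0" drop` is needed as well. The `policy accept` on all three chains leaves every other interface open only if the NixOS `networking.firewall` module has been disabled elsewhere — with it enabled its own table also hooks input and a drop there still applies — so the header comment should state which of the two is intended. The `lib`, `pkgs` and `config` arguments are unused and the module could simply take `{ ... }:`.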