configurations/nixos/arma-reforger-tofu/default.nix

@@ -14,7 +14,7 @@ in
 {
   imports = [
     self.nixosModules.default
-    "${modulesPath}/virtualisation/lxc-container.nix"
+    # "${modulesPath}/virtualisation/lxc-container.nix"
   ];
 
   services.arma.enable = true;

modules/nixos/common/firewall.nix

@@ -1,37 +1,33 @@
 {
-  # lib,
+  lib,
-  # pkgs,
+  pkgs,
-  # config,
+  config,
   ...
 }:
 {
   networking.nftables = {
     enable = true;
-    tables = {
+    ruleset = ''
-      yggSsh = {
+      table inet filter {
-        name = "yggSsh";
+        chain input {
-        family = "inet";
+          type filter hook input priority filter; policy accept;
-        content = ''
+          ct state related,established accept
-          chain input {
-            type filter hook input priority filter; policy accept;
-            ct state related,established accept
 
-            # Restrict ygg0: only allow SSH in
+          # Restrict ygg0: only allow SSH in
-            iifname "ygg0" tcp dport 22 accept
+          iifname "ygg0" tcp dport 22 accept
-            iifname "ygg0" drop
+          iifname "ygg0" drop
-          }
+        }
 
-          chain forward {
+        chain forward {
-            type filter hook forward priority filter; policy accept;
+          type filter hook forward priority filter; policy accept;
-            # Optional: drop forwarding via ygg0
+          # Optional: drop forwarding via ygg0
-            iifname "ygg0" drop
+          iifname "ygg0" drop
-          }
+        }
 
-          chain output {
+        chain output {
-            type filter hook output priority filter; policy accept;
+          type filter hook output priority filter; policy accept;
-          }
+        }
-        '';
+      }
-      };
+    '';
-    };
   };
 }

modules/nixos/common/incus.nix

@@ -1,31 +1,34 @@
 {
-  lib,
-  config,
-  pkgs,
-  ...
-}:
-{
-  options.iscontainer.enable = lib.mkEnableOption "iscontainer" // {
-    default = true;
-  };
-  config = lib.mkIf config.iscontainer.enable {
-    systemd.network = {
-      enable = true;
-      networks."50-eth0" = {
-        matchConfig.Name = "eth0";
-        networkConfig = {
-          DHCP = "ipv4";
-          IPv6AcceptRA = true;
-        };
-        linkConfig.RequiredForOnline = "routable";
-      };
-    };
 
-    networking = {
+  systemd.network = {
-      firewall.enable = false;
+    enable = true;
-      dhcpcd.enable = false;
+    networks."50-eth0" = {
-      useDHCP = false;
+
-      useHostResolvConf = false;
+      matchConfig.Name = "eth0";
+      networkConfig = {
+        DHCP = "ipv4";
+        IPv6AcceptRA = true;
+      };
+      linkConfig.RequiredForOnline = "routable";
     };
   };
+
+  networking = {
+    #   firewall = {
+    firewall.enable = false;
+    #     interfaces = {
+    #       ygg0 = {
+    #         allowedTCPPorts = [ 22 ];
+    #         allowedUDPPorts = [ ];
+    #       };
+    #     };
+
+    #     # Default deny policy for all interfaces (including ygg0)
+    #     allowedTCPPorts = [ ];
+    #     allowedUDPPorts = [ ];
+    #   };
+    dhcpcd.enable = false;
+    useDHCP = false;
+    useHostResolvConf = false;
+  };
 }