Only enable the firewall if there's an external interface specified

2021-04-12 14:53:55 -07:00 · 2021-04-12 14:53:55 -07:00 · 4a7c4a9469
commit 4a7c4a9469
parent 9d3808fe2d
1 changed files with 11 additions and 0 deletions
--- a/lib/fudo/hosts.nix
+++ b/lib/fudo/hosts.nix
@ -119,6 +119,12 @@ let
        description = "SSH public keys used to access the build server.";
        default = [ ];
      };
+
+      external-interfaces = mkOption {
+        type = listOf str;
+        description = "A list of interfaces on which to enable the firewall.";
+        default = [ ];
+      };
    };
  };

@ -155,6 +161,11 @@ in {
        "127.0.0.1" = [ "${hostname}.${domain-name}" "${hostname}" ];
        "::1" = [ "${hostname}.${domain-name}" "${hostname}" ];
      };
+
+      firewall = {
+        enable = (length host-cfg.external-interfaces) > 0;
+        allowedTCPPorts = [ 22 ];
+      };
    };

    environment.etc.hosts = mkForce {