From 4a7c4a9469bc0a1428dbe1cd1f3de099645921e9 Mon Sep 17 00:00:00 2001
From: Root
Date: Mon, 12 Apr 2021 14:53:55 -0700
Subject: [PATCH] Only enable the firewall if there's an external interface specified

---
 lib/fudo/hosts.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/lib/fudo/hosts.nix b/lib/fudo/hosts.nix
index 10acca6..cbaf9a0 100644
--- a/lib/fudo/hosts.nix
+++ b/lib/fudo/hosts.nix
@@ -119,6 +119,12 @@ let
 description = "SSH public keys used to access the build server.";
 default = [ ];
 };
+
+ external-interfaces = mkOption {
+ type = listOf str;
+ description = "A list of interfaces on which to enable the firewall.";
+ default = [ ];
+ };
 };
 };
 
@@ -155,6 +161,11 @@ in {
 "127.0.0.1" = [ "${hostname}.${domain-name}" "${hostname}" ];
 "::1" = [ "${hostname}.${domain-name}" "${hostname}" ];
 };
+
+ firewall = {
+ enable = (length host-cfg.external-interfaces) > 0;
+ allowedTCPPorts = [ 22 ];
+ };
 };
 
 environment.etc.hosts = mkForce {
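Review bot: The `enable = (length host-cfg.external-interfaces) > 0;` line in the second hunk uses the interface list only as a boolean toggle, so the firewall is switched on for every interface or none, which contradicts the new option's description "A list of interfaces on which to enable the firewall." and will mislead whoever next reads it. Because the option defaults to `[ ]`, every host that does not set it now gets the firewall disabled outright, which (if this set is `networking`, whose opening lies outside the hunk) reverts NixOS's firewall-on-by-default for the whole fleet rather than just skipping it on the new hosts; that fleet-wide weakening deserves a sentence in the commit message and a comment on the line, e.g. `# Firewall is all-or-nothing: the names are not used per interface, and an empty list disables it entirely.`. I would also reword the option description to match, e.g. `description = "Interfaces exposed to untrusted networks; the host firewall is enabled (on all interfaces) iff this list is non-empty.";`, or else wire the names into `networking.firewall.interfaces.<name>` so the list actually means what it says. The `allowedTCPPorts = [ 22 ]` line likewise opens SSH on all interfaces, not just the listed ones.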