Configures IP-based access to firewall for dnsc-vps-sm

2025-05-06 20:53:08 +02:00 · 2025-05-06 20:53:08 +02:00 · 2292f2a60f
commit 2292f2a60f
parent 3c558f5411
2 changed files with 20 additions and 5 deletions
--- a/flake.nix
+++ b/flake.nix
@ -10,6 +10,7 @@
    };
    nix-darwin.url = "github:LnL7/nix-darwin/master";
    nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
+    ip-whitelist.url = "github:Oak-Digital/nixos-ip-whitelist-firewall";
  };

  outputs = {
--- a/hosts/dnsc-vps-sm/default.nix
+++ b/hosts/dnsc-vps-sm/default.nix
@ -10,6 +10,7 @@
    ./hardware-configuration.nix
    ./networking.nix
    inputs.home-manager.nixosModules.home-manager
+    inputs.ip-whitelist.nixosModules.default
  ];

  # Secrets
@ -44,11 +45,24 @@
  systemd.services.NetworkManager-wait-online.enable = false;

  # Firewall
-  networking.firewall.enable = true;
-  networking.firewall.allowedTCPPorts = [
-    80 
-    443
-  ];
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [
+      80 
+      443
+    ];
+    ipBasedAllowedTCPPorts = [
+      {
+        port = 22;
+        ips = [
+          "100.103.199.4"
+          "100.115.100.87"
+          "100.83.40.63"
+        ];
+      }
+    ];
+  };
+  

  # My user account
  users.users.dennis = {