From 3958b1891c669978ae939bd54ade649060a1b475 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Wed, 6 Dec 2023 14:33:34 +0100
Subject: [PATCH] add firewall rule

---
 hosts/fw.cloonar.com/modules/firewall.nix | 12 ++++++++
 hosts/fw.cloonar.com/modules/omada.nix | 34 ----------------------
 2 files changed, 12 insertions(+), 34 deletions(-)

diff --git a/hosts/fw.cloonar.com/modules/firewall.nix b/hosts/fw.cloonar.com/modules/firewall.nix
index fb290cf..040bc73 100644
--- a/hosts/fw.cloonar.com/modules/firewall.nix
+++ b/hosts/fw.cloonar.com/modules/firewall.nix
@@ -161,6 +161,18 @@
 iifname "wg_cloonar" ct state { established, related } counter accept
 iifname "wg_cloonar" drop
 
+ # Allow returning traffic from wrwks and drop everthing else
+ iifname "wrwks" ct state { established, related } counter accept
+ iifname "wrwks" drop
+
+ # Allow returning traffic from wg_epicenter and drop everthing else
+ iifname "wg_epicenter" ct state { established, related } counter accept
+ iifname "wg_epicenter" drop
+
+ # Allow returning traffic from wg_ghetto_at and drop everthing else
+ iifname "wg_ghetto_at" ct state { established, related } counter accept
+ iifname "wg_ghetto_at" drop
+
 iifname "wan" ct state { established, related } accept comment "Allow established traffic"
 iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
 iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan"
diff --git a/hosts/fw.cloonar.com/modules/omada.nix b/hosts/fw.cloonar.com/modules/omada.nix
index bc23332..c1eb85d 100644
--- a/hosts/fw.cloonar.com/modules/omada.nix
+++ b/hosts/fw.cloonar.com/modules/omada.nix
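Review bot: The three new `iifname ... drop` rules carry neither `counter` nor `comment`, unlike the `iifname "wan" counter drop comment "..."` rule directly below them, so traffic dropped from wrwks, wg_epicenter and wg_ghetto_at never shows up in `nft list ruleset` and the intent is not recorded in the live ruleset; `iifname "wrwks" counter drop comment "Drop unsolicited traffic from wrwks"` (and likewise for the other two) would match the existing wan convention. Since the three blocks are identical apart from the interface name, they could also be collapsed into one pair using an anonymous set, `iifname { "wrwks", "wg_epicenter", "wg_ghetto_at" } ct state { established, related } counter accept` followed by the matching `iifname { "wrwks", "wg_epicenter", "wg_ghetto_at" } counter drop`, which keeps the policy for these interfaces from drifting apart as more are added. The three added comments misspell "everything" as "everthing". The enclosing chain, and the Nix string it appears to sit in, start and end outside the hunk.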
@@ -25,38 +25,4 @@
 };
 };
 };
-
- # security.acme.certs."${domain}" = {
- # domain = "${domain}";
- # };
-
- # containers.omada = {
- # autoStart = true;
- # ephemeral = true;
- # macvlans = [ "vserver" ];
- # bindMounts = {
- # "/var/lib/gitea" = {
- # hostPath = "/var/lib/gitea/";
- # isReadOnly = false;
- # };
- # };
- # bindMounts = {
- # "/var/lib/acme/gitea/" = {
- # hostPath = "${config.security.acme.certs.${domain}.directory}";
- # isReadOnly = true;
- # };
- # };
- # config = { lib, config, pkgs, ... }: {
- # networking = {
- # hostName = "gitea";
- # interfaces.mv-vserver = {
- # useDHCP = true;
- # };
- # firewall = {
- # enable = true;
- # allowedTCPPorts = [ 22 80 443 ];
- # };
- # };
- # };
- # };
 }