Initial commit

modules/network/firewall.nix

@@ -0,0 +1,37 @@
+{ config, lib, ... }:
+let
+  cfg = config.my.network.firewall;
+in
+{
+  options.my.network.firewall = {
+    allowedTCPPorts = lib.mkOption {
+      type = lib.types.listOf lib.types.port;
+      default = [ ];
+    };
+
+    allowedUDPPorts = lib.mkOption {
+      type = lib.types.listOf lib.types.port;
+      default = [ ];
+    };
+
+    trustedInterfaces = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+    };
+
+    allowPing = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+    };
+  };
+
+  config = {
+    networking.firewall = {
+      enable = true;
+      allowedTCPPorts = cfg.allowedTCPPorts;
+      allowedUDPPorts = cfg.allowedUDPPorts;
+      trustedInterfaces = cfg.trustedInterfaces;
+      allowPing = cfg.allowPing;
+    };
+  };
+}