-rw-r--r-- | flake.nix | 3 | ||||
-rw-r--r-- | machines/x1-pincer.nix | 2 | ||||
-rw-r--r-- | modules/desktop.nix | 1 | ||||
-rw-r--r-- | modules/simple-firewall.nix | 65 |
4 files changed, 70 insertions, 1 deletions
@@ -89,6 +89,9 @@
 { hostName = "pincer"; module = ./machines/x1-pincer.nix; }
 { hostName = "dragon"; }
 { hostName = "firelink"; }
+ { hostName = "testvm"; module = {
+ users.users.orbekk.initialHashedPassword = "";
+ }; }
 ];
 in builtins.listToAttrs (map mkConfig myMachines);
 };
diff --git a/machines/x1-pincer.nix b/machines/x1-pincer.nix
index 8c20c59..72c4549 100644
--- a/machines/x1-pincer.nix
+++ b/machines/x1-pincer.nix
@@ -6,9 +6,9 @@ let ports = {
 orbekk.gaming.enable = true;
 orbekk.desktop.enable = true;
 orbekk.thinkpad.enable = true;
+ orbekk.simple-firewall.allowedTCPPorts = [ ports.minecraft ]; # socks proxy
 networking.networkmanager.enable = true;
- networking.firewall.allowedTCPPorts = [ ports.minecraft ]; # socks proxy
 networking = {
 hostName = "pincer";
diff --git a/modules/desktop.nix b/modules/desktop.nix
index e348d77..8252110 100644
--- a/modules/desktop.nix
+++ b/modules/desktop.nix
@@ -11,6 +11,7 @@ in
 config = lib.mkIf cfg.enable {
 orbekk.yubikey.enable = lib.mkDefault true;
+ orbekk.simple-firewall.enable = true;
 location.latitude = 40.0;
 location.longitude = -74.0;
diff --git a/modules/simple-firewall.nix b/modules/simple-firewall.nix
new file mode 100644
index 0000000..eda869a
--- /dev/null
+++ b/modules/simple-firewall.nix
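Review bot: `users.users.orbekk.initialHashedPassword = "";` gives the `orbekk` account on `testvm` an empty password hash, i.e. password-less console login, and nothing in the hunk marks that as deliberate; add `# test VM only: empty password, never reuse this module for a real host` on that line. `mkConfig` and `myMachines` are defined outside the hunk, so whether `testvm` can be picked up by a real deployment path is not visible here.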
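Review bot: The trailing comment `# socks proxy` is kept on a line that opens `ports.minecraft`, so the comment and the port name disagree about what is being exposed; the line should name the service actually listening on that port. This file also never sets `orbekk.simple-firewall.enable`; the port is opened only because `orbekk.desktop.enable = true` pulls the new module in through desktop.nix, and the module reads `allowedTCPPorts` solely under `lib.mkIf cfg.enable`, so a host that drops the desktop module would keep the list but silently stop opening the port. A comment such as `# honoured only while orbekk.simple-firewall is enabled (via desktop.nix)` would make that dependency visible.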
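Review bot: `orbekk.simple-firewall.enable = true;` is a hard assignment, while the neighbouring `orbekk.yubikey.enable = lib.mkDefault true;` is a default, so a desktop host that wants to keep the stock `networking.firewall` has to `lib.mkForce` the new module off. Writing `orbekk.simple-firewall.enable = lib.mkDefault true;` keeps the module opt-out-able per host without changing what this commit deploys.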
@@ -0,0 +1,65 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.orbekk.simple-firewall;
+in
+{
+ options = {
+ orbekk.simple-firewall = {
+ enable = lib.mkEnableOption "Enable nftables firewall";
+
+ allowedUDPPorts = lib.mkOption {
+ type = lib.types.listOf lib.types.port;
+ default = [];
+ description = "List of TCP ports to allow";
+ };
+
+ allowedTCPPorts = lib.mkOption {
+ type = lib.types.listOf lib.types.port;
+ default = [];
+ description = "List of TCP ports to allow";
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ networking.firewall.enable = lib.mkForce false;
+
+ networking.nftables.enable = true;
+
+ networking.nftables.ruleset =
+ let
+ csvPorts = ports: lib.concatStringsSep "," (map toString ports);
+ in ''
+ table inet filter {
+ chain allowed_ports {
+ ${lib.optionalString (cfg.allowedTCPPorts != []) ''
+ tcp dport {${csvPorts cfg.allowedTCPPorts}} counter accept
+ ''}
+ ${lib.optionalString (cfg.allowedUDPPorts != []) ''
+ udp dport {${csvPorts cfg.allowedUDPPorts}} counter accept
+ ''}
+ }
+
+ chain input {
+ type filter hook input priority 0
+
+ iif lo accept
+
+ ct state {established, related} accept
+
+ ip protocol icmp limit rate 4/second counter accept
+ ip6 nexthdr ipv6-icmp limit rate 4/second counter accept
+
+ jump allowed_ports
+
+ counter drop
+ }
+
+ chain output {
+ type filter hook output priority 0
+ counter accept
+ }
+ }
+ '';
+ };
+}
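Review bot: The `input` chain declares no `policy drop` and relies on the trailing `counter drop` rule, never drops `ct state invalid` traffic before the established/related accept, and rate-limits all of ICMPv6 through `ip6 nexthdr ipv6-icmp`, which also throttles neighbour discovery (so IPv6 neighbours time out under load) and misses ICMPv6 sitting behind an extension header. The rewritten chain below makes the policy explicit, drops invalid conntrack state first, accepts the NDP types outright via `icmpv6 type { … }`, and keeps the limiter for the rest of ICMPv6 with `meta l4proto ipv6-icmp`. `networking.firewall.enable = lib.mkForce false;` also means ports that other services publish through `networking.firewall.allowedTCPPorts` (the usual `openFirewall = true`) are silently ignored by this module, which is fail-closed but deserves `# note: networking.firewall.allowed*Ports set by other modules are NOT honoured here` on that line. The `allowedUDPPorts` description is copied from the TCP option and should read `description = "List of UDP ports to allow";`, and since `lib.mkEnableOption` already prefixes "Whether to enable", its argument should be just `"nftables firewall"`. Because two callers may list the same port, `csvPorts = ports: lib.concatStringsSep "," (map toString (lib.unique ports));` avoids handing the anonymous set duplicate elements.
```nix
          chain input {
            type filter hook input priority 0; policy drop;

            iif lo accept

            ct state invalid drop
            ct state {established, related} accept

            ip protocol icmp limit rate 4/second counter accept
            # neighbour discovery must not be rate-limited or IPv6 peers time out
            icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } accept
            meta l4proto ipv6-icmp limit rate 4/second counter accept

            jump allowed_ports

            counter drop
          }
          # … unchanged: allowed_ports and output chains …
```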