From fcc5ebb7ba36c7d738ec6fbb224c824485fdfe5e Mon Sep 17 00:00:00 2001
From: uku
Date: Thu, 18 Jul 2024 11:11:54 +0200
Subject: [PATCH] fix(vesuvio): configure firewall correctly
---
 systems/vesuvio/default.nix | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/systems/vesuvio/default.nix b/systems/vesuvio/default.nix
index aa94cce..6ad5404 100644
--- a/systems/vesuvio/default.nix
+++ b/systems/vesuvio/default.nix
@@ -2,7 +2,7 @@
 boot.tmp.cleanOnBoot = true;
 zramSwap.enable = true;
- services.openssh.openFirewall = true;
+ services.openssh.ports = [4269];
 services.frp = {
 enable = true;
@@ -18,4 +18,14 @@
 age.secrets.frpToken.file = ../../secrets/etna/frpToken.age;
 systemd.services.frp.serviceConfig.EnvironmentFile = config.age.secrets.frpToken.path;
+
+ networking.firewall = {
+ allowedTCPPorts = [22]; # forgejo-ssh
+ allowedTCPPortRanges = [
+ {
+ from = 6000;
+ to = 7000;
+ }
+ ];
+ };
 }
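Review bot: Removing `services.openssh.openFirewall = true;` in the first hunk does not close the host sshd port, because that option defaults to true in NixOS, so port 4269 is now opened implicitly in addition to whatever `networking.firewall` lists. If that is intended, keep it explicit and record why the port moved, e.g. `services.openssh.openFirewall = true; # host sshd on 4269; 22 is forgejo-ssh`. If the host sshd should not be reachable on every interface, set the option to `false` and allow 4269 only on the interface that needs it. A non-default port cuts scan noise but is not an access control, so the sshd authentication settings (not visible in this hunk) still decide who gets in.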
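Review bot: `allowedTCPPortRanges` in the second hunk opens 1001 TCP ports (6000 to 7000) on every interface with no comment saying what uses them, unlike the `# forgejo-ssh` note on the line above. Presumably these are frp proxy ports; if so, say that next to the range and keep it as narrow as the tunnels actually need, since any other service that later binds in that range becomes reachable without a further firewall change. The `services.frp` settings are outside this hunk, so check that the firewall range is no wider than what the frp server lets clients bind (its `allowPorts` setting). If the tunnels only need to be reachable on one interface, `networking.firewall.interfaces.<name>.allowedTCPPortRanges` scopes the range to it.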