nixos-config/hosts/malcolm/configuration.nix

{ config, lib, pkgs, ... }:

{
  imports = [
    ./hardware-configuration.nix

    ../../base.nix
    ../../common/metrics-exporters.nix

    ./services/mysql.nix
    ./services/nginx.nix
    ./services/www-kinealbrigtsen-no.nix
  ];

  networking = {
    hostName = "malcolm";
    bridges.br0.interfaces = [ "ens18" ];
    interfaces.br0.useDHCP = false;
    interfaces.br0.ipv4.addresses = [
      { address = "192.168.11.106"; prefixLength = 24; }
    ];

    hostId = "620c42d0";
    defaultGateway = "192.168.11.1";

    # Prepend the following output rules to disallow talking to other devices on LAN
    firewall.extraCommands = lib.strings.concatLines ([
      "iptables -F OUTPUT"
    ] ++ (map (addr: "iptables -A OUTPUT -p udp --dport 53 -d ${addr} -j nixos-fw-accept") config.networking.nameservers) ++ [ # Exception for DNS
      "iptables -A OUTPUT -p tcp --dport 3100 -d 192.168.10.175 -j nixos-fw-accept" # Exception for loki logging
      "iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
      "iptables -A OUTPUT -d 192.168.10.0/24 -j nixos-fw-refuse"
      "iptables -A OUTPUT -d 192.168.11.0/24 -j nixos-fw-refuse"
    ]);
  };

  # virtualisation.oci-containers.backend = "docker";
  # systemd.services.docker.postStart = lib.concatMapStringsSep "\n" (rule: "${pkgs.iptables}/bin/iptables ${rule}") ([
  #   "-F DOCKER-USER"
  # ] ++ (map (addr: "-A DOCKER-USER -p udp --dport 53 -d ${addr} -j RETURN") config.networking.nameservers) ++ [
  #   "-A DOCKER-USER -d 192.168.10.0/24 -j REJECT"
  #   "-A DOCKER-USER -d 192.168.11.0/24 -j REJECT"
  #   "-A DOCKER-USER -j RETURN"
  # ]);

  system.stateVersion = "24.05";
}