From 79c9b0bb75751e8829675f1f01aaa24e5d3da2b3 Mon Sep 17 00:00:00 2001
From: dadada
Date: Sat, 23 Mar 2024 19:43:39 +0100
Subject: [PATCH] secure munin-node with firewall
---
 nixos/ninurta/configuration.nix | 12 +++++++++---
 nixos/surgat/configuration.nix | 4 +++-
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/nixos/ninurta/configuration.nix b/nixos/ninurta/configuration.nix
index aea6d25..16b629f 100644
--- a/nixos/ninurta/configuration.nix
+++ b/nixos/ninurta/configuration.nix
@@ -367,15 +367,21 @@ in
 22 # SSH
 80 # munin web
 631 # Printing
- 3000 # Hydra
- softServePort
 ];
 allowedUDPPorts = [
 631 # Printing
 51234 # Wireguard
 51235 # Wireguard
 ];
- logReversePathDrops = true;
+ interfaces = {
+ uwu.allowedTCPPorts = [
+ softServePort
+ ];
+ wg0.allowedTCPPorts = [
+ 3000 # Hydra
+ 4949 # munin-node
+ ];
+ };
 };

 services.resolved.enable = true;
diff --git a/nixos/surgat/configuration.nix b/nixos/surgat/configuration.nix
index 34b26c6..e93b766 100644
--- a/nixos/surgat/configuration.nix
+++ b/nixos/surgat/configuration.nix
@@ -123,12 +123,14 @@ in
 22 # SSH
 80
 443 # HTTPS
- 4949 # munin-node
 ];
 allowedUDPPorts = [
 51234 # Wireguard
 51235 # Wireguard
 ];
+ interfaces.ninurta.allowedTCPPorts = [
+ 4949 # munin-node
+ ];
 };

 # Use the GRUB 2 boot loader.
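Review bot: In nixos/ninurta/configuration.nix the line `logReversePathDrops = true;` is removed at the end of the firewall block, which the commit subject does not explain. Without it, packets rejected by reverse-path filtering are no longer logged, and that log is a useful detection and debugging signal on a host with WireGuard interfaces. If the removal is unintentional, keep the line next to the new `interfaces` attribute; otherwise mention it in the commit message. Separately, `80 # munin web` stays in the global `allowedTCPPorts`, so the munin pages remain reachable on every interface while munin-node is now limited to `wg0`; if the web UI is meant for the VPN only, move it under `wg0.allowedTCPPorts` too. The enclosing firewall attribute set starts outside the hunk.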
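Review bot: In nixos/surgat/configuration.nix the new `interfaces.ninurta.allowedTCPPorts` rule matches on interface name only, so it deserves a comment saying what `ninurta` is, for example `# WireGuard tunnel to the munin master`. That is presumably what it is, but the interface definition is not in the hunk. The rule admits any source arriving on that interface, so munin-node's own `cidr_allow` setting (not visible here) should still pin the master's address as a second control. The enclosing firewall attribute set starts outside the hunk.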