yee haw

newinfra/nix/modules/default/default.nix

@@ -23,6 +23,7 @@
 
   services.openssh = {
     enable = true;
+    openFirewall = true;
     banner = "meoooooow!! 😼 :3\n";
     settings = {
       PasswordAuthentication = false;

newinfra/nix/modules/dns/default.nix

@@ -2,8 +2,8 @@
   # get the package for the debugging tools
   environment.systemPackages = with pkgs; [ knot-dns ];
 
-  networking.firewall.allowedUDPPortRanges = [
-    { from = 53; to = 53; }
+  networking.firewall.allowedUDPPorts = [
+    53
   ];
 
   nixpkgs.overlays = [

newinfra/nix/modules/ingress/default.nix

@@ -1,6 +1,5 @@
 { pkgs, config, ... }: {
   networking.firewall.allowedTCPPorts = [
-    22
     443
   ];
 

newinfra/nix/modules/wg-mesh/default.nix

@@ -19,6 +19,10 @@ in
     in
     builtins.listToAttrs wgHostEntries;
 
+  networking.firewall.allowedUDPPorts = [
+    listenPort
+  ];
+
   age.secrets.wg_private.file = ../../secrets/wg_private_${name}.age;
   networking.wg-quick.interfaces = {
     wg0 = {
@@ -33,6 +37,8 @@ in
             inherit (peerConfig) publicKey;
             endpoint = "${peer}.infra.noratrieb.dev:${toString listenPort}";
             allowedIPs = [ "${peerConfig.privateIP}/32" ];
+            # sometimes there's some weirdness....??
+            persistentKeepalive = 25;
           }
         )
         wgSettings.peers;