firewall.nix
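# NixOS module: inbound firewall rules for this host.
#
# Every port listed here is opened on all interfaces that are not in
# networking.firewall.trustedInterfaces. To restrict a port to one link,
# use networking.firewall.interfaces.<name>.allowedTCPPorts/allowedUDPPorts
# instead of the global lists.
{
  lib,
  config,
  ...
}:

let
  # Hosts that expose the web/developer ports below. The hostname check was
  # duplicated between the UDP and TCP lists; keep it in one place so the two
  # lists cannot drift apart.
  webHosts = [ "nixos-vm" ];
  isWebHost = builtins.elem config.networking.hostName webHosts;

  # k3s ports are only opened when the k3s service is actually enabled.
  k3sEnabled = config.services.k3s.enable;
in
{
  networking.firewall = {
    enable = true;

    allowedUDPPorts =
      [
        68 # DHCP client (bootpc)
        546 # DHCPv6 client
      ]
      ++ lib.optionals isWebHost [
        59010 # NOTE(review): purpose undocumented — confirm which service listens here
        59011 # NOTE(review): same as above
      ]
      ++ lib.optionals k3sEnabled [
        # 8472 # flannel: required if using multi-node for inter-node networking
      ];

    allowedTCPPorts =
      lib.optionals isWebHost [
        80 # HTTP
        443 # HTTPS
        8080 # alternate HTTP
        59010 # NOTE(review): same undocumented pair as in allowedUDPPorts
        59011 # NOTE(review): same as above
      ]
      ++ lib.optionals k3sEnabled [
        # Opened on every interface; scope it to the cluster link via
        # networking.firewall.interfaces.<name>.allowedTCPPorts if the API
        # server should not be reachable from other networks.
        6443 # required so that pods can reach the API server (running on port 6443 by default)
        # 2379 # etcd clients: required if using a "High Availability Embedded etcd" configuration
        # 2380 # etcd peers: required if using a "High Availability Embedded etcd" configuration
      ];
  };
}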