From 435d11e9e50b341237225d8d4d7913c655c77251 Mon Sep 17 00:00:00 2001
From: TheWanderingCrow
Date: Thu, 7 Aug 2025 12:00:29 -0400
Subject: [PATCH] add firewall for non-lighthouse
---
 hosts/common/core/nebula.nix | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/hosts/common/core/nebula.nix b/hosts/common/core/nebula.nix
index 218341a..9030247 100644
--- a/hosts/common/core/nebula.nix
+++ b/hosts/common/core/nebula.nix
@@ -20,5 +20,21 @@ in {
 inherit (s.hosts.${config.hostSpec.hostName}) cert isLighthouse;
 key = config.sops.secrets."keys/nebula".path;
 enable = true;
+ firewall = lib.mkIf (!config.services.nebula.networks.wce.isLighthouse) {
+ inbound = [
+ {
+ host = "any";
+ port = "any";
+ proto = "any";
+ }
+ ];
+ outbound = [
+ {
+ host = "any";
+ port = "any";
+ proto = "any";
+ }
+ ];
+ };
 };
 }
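Review bot: The inbound rule added for non-lighthouse hosts sets `host = "any"`, `port = "any"` and `proto = "any"`, so every node holding a certificate for this Nebula network can reach every overlay-facing port on these hosts; the block is called a firewall but filters nothing. Nebula drops inbound traffic that matches no rule, so scoping the rule to the services that are meant to be reachable keeps that default useful, for example (constructed values) `{ port = 22; proto = "tcp"; group = "<ADMIN_GROUP_PLACEHOLDER>"; }` per exposed service. If allow-all is intentional because filtering happens elsewhere, a comment such as `# overlay peers are fully trusted; per-host filtering is done by <MECHANISM_PLACEHOLDER>` above `inbound` would record that decision. The enclosing network attribute set begins outside this hunk, so any rules set elsewhere for `wce` are not visible here.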