From e4678a720539e3430fbdb55e1970db436dd7b6d7 Mon Sep 17 00:00:00 2001
From: Wroclaw
Date: Tue, 30 Jan 2024 04:35:45 +0100
Subject: [PATCH] Docker: Move firewall settings because it's force enabled by Docker to the docker.nix
---
 nix-os/core.nix | 8 ++------
 nix-os/docker.nix | 10 ++++++++++
 2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/nix-os/core.nix b/nix-os/core.nix
index ecde69b..a064006 100644
--- a/nix-os/core.nix
+++ b/nix-os/core.nix
@@ -115,12 +115,8 @@
 '';
 };
 
- networking.firewall = {
- enable = true;
- # "Disable" firewall because of docker
- allowedTCPPortRanges = [{ from = 0; to = 65535;}];
- allowedUDPPortRanges = [{ from = 0; to = 65535;}];
- };
+ # Disable firewall
+ networking.firewall.enable = false;
 
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
diff --git a/nix-os/docker.nix b/nix-os/docker.nix
index 343d238..fb719b0 100644
--- a/nix-os/docker.nix
+++ b/nix-os/docker.nix
@@ -27,4 +27,14 @@
 config.environment.systemPackages = with pkgs; [
 docker-compose
 ];
+
+ # Docker enables firewall anyway, let's enable the firewall for it if it's disabled
+ # TODO: Apply only when config.networking.firewall is false
+ config.networking.firewall = {
+ enable = lib.mkOverride 90 true;
+ allowedTCPPorts = lib.mkOverride 90 [];
+ allowedUDPPorts = lib.mkOverride 90 [];
+ allowedTCPPortRanges = lib.mkOverride 90 [{ from = 0; to = 65535;}];
+ allowedUDPPortRanges = lib.mkOverride 90 [{ from = 0; to = 65535;}];
+ };
 }
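Review bot: `networking.firewall.enable = false;` in core.nix now switches the host firewall off for every host that imports this module, including any that do not import docker.nix, whereas the removed block at least kept the firewall service enabled (with all ports allowed). A plain `false` here is a priority-100 definition, so a per-host module that sets `enable = true` at the same priority would produce a conflicting-definition error rather than win; `networking.firewall.enable = lib.mkDefault false;` would let hosts re-enable it, assuming `lib` is bound in this module's argument set, which is outside the hunk. The replacement comment should also say why the firewall is off rather than just that it is, e.g. `# Firewall off by default; docker.nix re-enables it with its own rules`. The enclosing attribute set continues outside the hunk.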
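Review bot: The `allowedTCPPortRanges`/`allowedUDPPortRanges` entries of `{ from = 0; to = 65535; }` make the enabled firewall accept every inbound TCP and UDP port, so the host is exposed exactly as if the firewall were off, and `lib.mkOverride 90` beats plain definitions (priority 100), so any `allowedTCPPorts` a host module sets is silently discarded instead of merged. If the goal is only what the comment describes, keeping the firewall service on for Docker, drop the four port lists (or set them with `lib.mkDefault` so a host can narrow them) and open only the ports the containers actually publish. The TODO is not implementable as written: a definition of `networking.firewall.enable` that reads `config.networking.firewall.enable` recurses during module evaluation, so the comment should record that limitation rather than a plan to fix it. Whether `lib` is bound in this module's argument set is not visible in the hunk.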