Testing IP whitelist

flake.nix

@@ -41,7 +41,9 @@
     # Manage Plasma desktop with Nix
     plasma-manager.url = "github:pjones/plasma-manager";
     plasma-manager.inputs.nixpkgs.follows = "nixpkgs";
-    # Gnome / KDE-like overview 
+    # IP-based Firwall Rules - Pinned to v0.0.5 release 
+    ip-firewall-rules.url = "github:Oak-Digital/nixos-ip-whitelist-firewall/commit/14e3346cc015d370b00a16b790a1c323b985ff63";
+    ip-firewall-rules.inputs.nixpkgs.follows = "nixpkgs";
   };
   outputs = { self, nixpkgs, sops-nix, deploy-rs, ... } @inputs:
   let

nixos/hosts/frankfurt-linode-01/default.nix

@@ -1,6 +1,12 @@
-{ lib, modulesPath, hostname, ... }: {
+{ inputs, lib, modulesPath, hostname, ... }: 
+let 
+  # ipOffice = "";
+  ipIfargle = "97.71.91.121";
+  ipSysctl = "172.185.76.221";
+in {
   imports = [ 
     (modulesPath + "/profiles/qemu-guest.nix")
+    inputs.ip-whitelist.nixosModules.default
     (import ../../common/containers/derp.nix { domainName = "frankfurt.sysctl.io"; })
     ../../common/services/tailscale-autoconnect.nix
     ../../common/services/podman.nix
@@ -8,6 +14,18 @@
     ./wireguard.nix
   ];
 
+  # SSH Whitelist for certain IP's
+  networking.firewall.ipBasedAllowedTCPPorts = [
+    {
+      port = 22;
+      ips = [
+        # ipOffice
+        ipIfargle
+        ipSysctl
+      ];
+    }
+  ];
+
   boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ ];