refactor: extract 'firewall' and 'wol' modules

hosts/andromache/default.nix

@@ -24,23 +24,25 @@ in
       inherit lib config;
       device = "/dev/nvme1n1";
     })
-    ../../modules/desktops/niri
+    ../../modules/audio
     ../../modules/backups
     ../../modules/bluetooth
-    ../../modules/gaming
-    ../../modules/keyboard
-    (import ../../modules/networking { hostName = config.host.name; })
-    ../../modules/users
-    ../../modules/audio
-    ../../modules/localization
+    ../../modules/desktops/niri
+    ../../modules/docker
+    ../../modules/firewall
     ../../modules/fonts
+    ../../modules/gaming
+    (import ../../modules/networking { hostName = config.host.name; })
+    ../../modules/keyboard
+    ../../modules/localization
+    ../../modules/nvidia
+    (import ../../modules/secrets { inherit lib inputs config; })
     ../../modules/ssh
     ../../modules/storage
     ../../modules/stylix
-    (import ../../modules/secrets { inherit lib inputs config; })
-    ../../modules/docker
     ../../modules/syncthing
-    ../../modules/nvidia
+    ../../modules/users
+    ../../modules/wol
     ../../modules/yubikey
   ];
 
@@ -113,17 +115,15 @@ in
     package = pkgs.plocate;
   };
 
-  networking = {
-    # TODO: generate unique hostId on actual host with: head -c 8 /etc/machine-id
-    hostId = "80eef97e";
-    interfaces = {
-      eno1 = {
-        wakeOnLan.enable = true;
-        inherit (wolInterfaces.eno1) macAddress;
-      };
+  networking.hostId = "80eef97e";
+
+  wol = {
+    enable = true;
+    interfaces.eno1 = { inherit (wolInterfaces.eno1) macAddress; };
   };
+
   firewall = {
-      allowedUDPPorts = [ 9 ];
-    };
+    enable = true;
+    allowedTCPPorts = [ 22 ];
   };
 }

hosts/astyanax/default.nix

@@ -38,6 +38,7 @@ in
     (import ../../modules/secrets { inherit lib inputs config; })
     ../../modules/docker
     ../../modules/nfc
+    ../../modules/firewall
   ];
 
   home-manager.users.${config.host.username} = import ../../home/hosts/astyanax {
@@ -89,10 +90,14 @@ in
   ];
 
   networking = {
-    # TODO: generate unique hostId on actual host with: head -c 8 /etc/machine-id
     hostId = "80eef97e";
   };
 
+  firewall = {
+    enable = true;
+    allowedTCPPorts = [ 22 ];
+  };
+
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
 
   services = {

modules/firewall/default.nix

@@ -0,0 +1,27 @@
+{ lib, config, ... }:
+
+let
+  inherit (lib) mkEnableOption mkOption types;
+in
+{
+  options.firewall = {
+    enable = mkEnableOption "firewall";
+
+    allowedTCPPorts = mkOption {
+      type = types.listOf types.port;
+      default = [ ];
+    };
+
+    allowedUDPPorts = mkOption {
+      type = types.listOf types.port;
+      default = [ ];
+    };
+  };
+
+  config = lib.mkIf config.firewall.enable {
+    networking.firewall = {
+      enable = true;
+      inherit (config.firewall) allowedTCPPorts allowedUDPPorts;
+    };
+  };
+}

modules/wol/default.nix

@@ -0,0 +1,33 @@
+{ lib, config, ... }:
+
+let
+  inherit (lib) mkEnableOption mkOption types;
+in
+{
+  options.wol = {
+    enable = mkEnableOption "Wake-on-LAN configuration";
+
+    interfaces = mkOption {
+      type = types.attrsOf (
+        types.submodule {
+          options = {
+            macAddress = mkOption {
+              type = types.str;
+              example = "02:68:b3:29:da:98";
+            };
+          };
+        }
+      );
+      default = { };
+    };
+  };
+
+  config = lib.mkIf config.wol.enable {
+    networking.interfaces = lib.mapAttrs (_: iface: {
+      wakeOnLan.enable = true;
+      inherit (iface) macAddress;
+    }) config.wol.interfaces;
+
+    # firewall.allowedUDPPorts = [ 9 ];
+  };
+}