malcolm: Configure firewall and wordpress

hosts/malcolm/configuration.nix

@@ -6,6 +6,10 @@
 
     ../../base.nix
     ../../common/metrics-exporters.nix
+
+    ./services/mysql.nix
+    ./services/nginx.nix
+    ./services/www-kinealbrigtsen-no.nix
   ];
 
   networking = {
@@ -18,8 +22,26 @@
 
     hostId = "620c42d0";
     defaultGateway = "192.168.11.1";
+
+    # Prepend the following output rules to disallow talking to other devices on LAN
+    firewall.extraCommands = lib.strings.concatLines ([
+      "iptables -F OUTPUT"
+    ] ++ (map (addr: "iptables -A OUTPUT -p udp --dport 53 -d ${addr} -j nixos-fw-accept") config.networking.nameservers) ++ [ # Exception for DNS
+      "iptables -A OUTPUT -p tcp --dport 3100 -d 192.168.10.175 -j nixos-fw-accept" # Exception for loki logging
+      "iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
+      "iptables -A OUTPUT -d 192.168.10.0/24 -j nixos-fw-refuse"
+      "iptables -A OUTPUT -d 192.168.11.0/24 -j nixos-fw-refuse"
+    ]);
   };
 
+  # virtualisation.oci-containers.backend = "docker";
+  # systemd.services.docker.postStart = lib.concatMapStringsSep "\n" (rule: "${pkgs.iptables}/bin/iptables ${rule}") ([
+  #   "-F DOCKER-USER"
+  # ] ++ (map (addr: "-A DOCKER-USER -p udp --dport 53 -d ${addr} -j RETURN") config.networking.nameservers) ++ [
+  #   "-A DOCKER-USER -d 192.168.10.0/24 -j REJECT"
+  #   "-A DOCKER-USER -d 192.168.11.0/24 -j REJECT"
+  #   "-A DOCKER-USER -j RETURN"
+  # ]);
 
-  system.stateVersion = "24.05"; # Did you read the comment?
+  system.stateVersion = "24.05";
 }