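#!/usr/sbin/nft -f
#
# nftables-wireguard.conf.example
#
# Example nftables config for:
#   - Traefik on 80/443 (public web)
#   - WireGuard VPN on UDP 51820
#   - Private services only accessible via WireGuard (interface wg0)
#
# Copy to /etc/nftables.conf and adjust interface names and port sets.
# Syntax-check without applying first: nft -c -f /etc/nftables.conf

flush ruleset

# Adjust to your actual interfaces.
# NOTE: nft -f performs no shell command substitution, so a line such as
#   define wan_if = "$(bash /path/to/detect-wan.sh)"
# is taken literally and will not match any interface. Detect the WAN
# interface in a wrapper script and write the define here (or into an
# included file) before loading the ruleset.
define wan_if = "eno1"    # WAN interface name
define wg_if = "wg0"      # WireGuard interface name
define wg_port = 51820    # WireGuard UDP port

table inet filter {
    #
    # Sets of ports
    #

    # Public web ports (Traefik)
    set wan_tcp_ports {
        type inet_service
        comment "Public-facing web ports"
        elements = { 80, 443 }
    }

    # Private TCP services accessible only via WireGuard.
    # SSH (22) is in this set, so it is reachable only through the tunnel;
    # keep a console / out-of-band path available in case WireGuard is down.
    set wg_tcp_ports {
        type inet_service
        flags interval
        comment "Private services (AI stack, etc.) over WireGuard only"
        elements = {
            22,          # SSH
            7860,        # Stable Diffusion
            8000,        # vLLM or similar
            8080-8089,   # Llamafile / sandbox UIs
            8501,        # Sandbox Fusion / Streamlit
            11434        # Ollama
        }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback
        iifname "lo" accept

        # Drop packets conntrack cannot classify (bad TCP flag combinations,
        # out-of-window segments) before the established/related shortcut.
        ct state invalid drop

        # Established/related
        ct state established,related accept

        # ICMP / ICMPv6 (ping, PMTUD, neighbour discovery).
        # "meta l4proto" looks past IPv6 extension headers, whereas
        # "ip6 nexthdr icmpv6" only matches when ICMPv6 is the immediate
        # next header, so packets carrying e.g. a hop-by-hop header were missed.
        meta l4proto { icmp, ipv6-icmp } accept

        # WireGuard VPN – allow incoming tunnel on WAN
        iifname $wan_if udp dport $wg_port accept comment "WireGuard VPN listen"

        # Private services only over WireGuard interface
        iifname $wg_if tcp dport @wg_tcp_ports accept

        # Public web
        # If you want to restrict 80/443 strictly to WAN:
        # iifname $wan_if tcp dport @wan_tcp_ports accept
        tcp dport @wan_tcp_ports accept

        # Everything else falls through to the chain policy (drop). Count it so
        # "nft list chain inet filter input" shows how much is being rejected.
        counter comment "dropped by input policy"
    }

    chain forward {
        # Nothing is forwarded: WireGuard peers reach services on this host
        # only. Routing peers onward to other networks needs explicit rules here.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}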