# ==========================================
# FIREWALL CONFIGURATION
# ==========================================
{ config, pkgs, ... }:

{
  # UFW-style firewall — deny all inbound by default
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ ];
    allowedUDPPorts = [ ];
  };
}