# systemd unit for the Dezky host firewall.
#
# Applies /etc/nftables.d/dezky-fw.nft, which is expected to touch only the
# table "inet dezky_fw". The distro 'nftables.service' is intentionally not
# used: its stock config begins with `flush ruleset`, which would also drop
# the tables k3s installs.
#
# Boot ordering: the rules are loaded before network-pre.target and before
# k3s.service, so there is no window in which the host is up without them.
# k3s creates its own tables later and is not affected by this unit.
#
# NOTE(review): Before= only orders units; it does not make k3s depend on
# this one. If ExecStart fails (e.g. a syntax error in the .nft file) k3s
# still starts, without the host firewall. To fail closed, k3s.service would
# need a drop-in with Requires=/After= on this unit.

[Unit]
Description=Dezky host firewall (nftables, k3s-safe)
# No implicit sysinit/basic.target ordering, so the unit can run early enough
# to precede network setup (the same pattern the distro nftables unit uses).
DefaultDependencies=no
# Pull in network-pre.target and finish before it and before k3s.
Wants=network-pre.target
Before=network-pre.target k3s.service
# Tear down in an orderly way at shutdown instead of racing shutdown.target.
Conflicts=shutdown.target
Before=shutdown.target

[Service]
# One-off command; RemainAfterExit keeps the unit "active" after nft exits,
# so `systemctl stop` runs ExecStop and `systemctl reload` is meaningful.
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/nft -f /etc/nftables.d/dezky-fw.nft
# Reload re-applies the same file. Whether that is idempotent (no duplicated
# rules) depends on the .nft file flushing or destroying its own table first,
# which is not visible from this unit - confirm in dezky-fw.nft.
ExecReload=/usr/sbin/nft -f /etc/nftables.d/dezky-fw.nft
# Stop removes only this table; k3s's tables are left untouched. After a stop
# the host has no firewall of its own. `destroy` (unlike `delete`) succeeds
# when the table is already absent, but it is a newer nft verb - confirm the
# target image's nftables/kernel support it.
ExecStop=/usr/sbin/nft destroy table inet dezky_fw

[Install]
WantedBy=multi-user.target