Add Windscribe

files/nftables/main.nft

@@ -0,0 +1,106 @@
+# # Sample configuration for nftables service.
+# # Load this by calling 'nft -f /etc/nftables/main.nft'.
+#
+# # Note about base chain priorities:
+# # The priority values used in these sample configs are
+# # offset by 20 in order to avoid ambiguity when firewalld
+# # is also running which uses an offset of 10. This means
+# # that packets will traverse firewalld first and if not
+# # dropped/rejected there will hit the chains defined here.
+# # Chains created by iptables, ebtables and arptables tools
+# # do not use an offset, so those chains are traversed first
+# # in any case.
+#
+# # drop any existing nftables ruleset
+# flush ruleset
+#
+# # a common table for both IPv4 and IPv6
+# table inet nftables_svc {
+#
+# 	# protocols to allow
+# 	set allowed_protocols {
+# 		type inet_proto
+# 		elements = { icmp, icmpv6 }
+# 	}
+#
+# 	# interfaces to accept any traffic on
+# 	set allowed_interfaces {
+# 		type ifname
+# 		elements = { "lo" }
+# 	}
+#
+# 	# services to allow
+# 	set allowed_tcp_dports {
+# 		type inet_service
+# 		elements = { ssh, 9090 }
+# 	}
+#
+# 	# this chain gathers all accept conditions
+# 	chain allow {
+# 		ct state established,related accept
+#
+# 		meta l4proto @allowed_protocols accept
+# 		iifname @allowed_interfaces accept
+# 		tcp dport @allowed_tcp_dports accept
+# 	}
+#
+# 	# base-chain for traffic to this host
+# 	chain INPUT {
+# 		type filter hook input priority filter + 20
+# 		policy accept
+#
+# 		jump allow
+# 		reject with icmpx type port-unreachable
+# 	}
+# }
+#
+# # By default, any forwarding traffic is allowed.
+# # Uncomment the following line to filter it based
+# # on the same criteria as input traffic.
+# #include "/etc/nftables/router.nft"
+#
+# # Uncomment the following line to enable masquerading of
+# # forwarded traffic. May be used with or without router.nft.
+# #include "/etc/nftables/nat.nft"
+
+# --- --- ---
+
+# Flush the ruleset
+flush ruleset
+
+# Define a table for our firewall rules
+table ip firewall {
+    # Define a chain for outbound traffic
+    chain output {
+        type filter hook output priority 0;
+
+        # Set default policy to DROP
+        policy drop;
+
+        # Allow localhost traffic
+        ip daddr 127.0.0.1 accept
+
+        # Allow DHCPv4 broadcast
+        ip daddr 255.255.255.255 accept
+
+        # Allow traffic to local network (assuming 192.168.0.0/16, adjust if needed)
+        ip daddr 192.168.0.0/16 accept
+    }
+}
+
+# IPv6 table
+table ip6 firewall {
+    chain output {
+        type filter hook output priority 0;
+        policy drop;
+
+        # Allow DHCPv6 multicast
+        ip6 daddr ff02::1:2 accept
+
+        # Allow localhost traffic
+        ip6 daddr ::1 accept
+
+        # Allow traffic to local network (assuming fd00::/8 for unique local addresses, adjust if needed)
+        ip6 daddr fd00::/8 accept
+    }
+}

recipes/recipe.yml

@@ -5,6 +5,10 @@ description: This is my personal OS image.
 base-image: ghcr.io/ublue-os/bluefin-dx-nvidia
 image-version: latest
 modules:
+  - type: files
+    files:
+      - source: nftables
+        destination: /usr/etc/
   - type: default-flatpaks
     notify: true
     system:
@@ -20,8 +24,10 @@ modules:
       - https://repository.mullvad.net/rpm/stable/mullvad.repo
     optfix:
       - Mullvad VPN
+      - windscribe
     install:
       - mullvad-vpn
       - mullvad-browser
       - "https://airvpn.org/mirrors/eddie.website/download/?platform=linux&arch=x64&ui=ui&format=fedora.rpm&version=experimental&r=0.0531527188578923"
+      - "https://deploy.totallyacdn.com/desktop-apps/2.12.7/windscribe_2.12.7_x86_64_fedora.rpm"
   - type: signing