From e626d67dc1e5b55192cc13996fb74a41e4ef3632 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Sun, 19 Oct 2025 15:35:13 -0400
Subject: [PATCH] add nftables deployment script
---
 deploy-nftables | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100755 deploy-nftables
diff --git a/deploy-nftables b/deploy-nftables
new file mode 100755
index 0000000..a90787d
--- /dev/null
+++ b/deploy-nftables
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+. shared.sh
+. hosts.sh
+. ssh.sh
+
+for host in ${hosts_all[@]}; do
+ remote=root@$host
+
+ echo
+ echo $host
+ echo
+
+ cp etc/nftables/nftables-${hosts_firewall[$host]:-web}.conf tmp
+ sed -i "s/{{synproxy_threshold}}/$(( ${hosts_conntrack_size[$host]} / 64 ))/g" tmp
+ sed -i "s/{{ssh_ipv4}}/$ssh_ipv4/g" tmp
+ sed -i "s/{{ssh_ipv6}}/$ssh_ipv6/g" tmp
+ rsync tmp $remote:/etc/nftables.conf
+ rm tmp
+ ssh $remote systemctl enable --now nftables.service
+done
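Review bot: The loop has no error handling, so on a host where `cp` fails or `hosts_conntrack_size[$host]` is unset the `sed` step errors out and a file with `{{synproxy_threshold}}` still unreplaced (or a stale `tmp` left from the previous host) is pushed to `/etc/nftables.conf`, which nft cannot parse, leaving that host without its ruleset. `$ssh_ipv4`/`$ssh_ipv6` are spliced into a `/`-delimited sed expression, so a CIDR-style value breaks the substitution; a `|` delimiter avoids that. Expansions such as `${hosts_all[@]}`, `$host` and `$remote` are unquoted throughout, and `tmp` is a fixed relative path rather than a `mktemp` file removed by a trap. `systemctl enable --now` starts the unit only if it is not already running, so on hosts where nftables.service is already active the new ruleset is presumably not applied until a restart or `nft -f` — worth confirming. A hardened body is sketched below.
```shell
set -euo pipefail

tmp=$(mktemp) || exit 1
trap 'rm -f -- "$tmp"' EXIT

for host in "${hosts_all[@]}"; do
  remote=root@$host
  # … unchanged: echo banner …

  # a missing conntrack size must abort here, not ship an unreplaced placeholder
  conntrack_size=${hosts_conntrack_size[$host]:?no conntrack size for $host}
  cp -- "etc/nftables/nftables-${hosts_firewall[$host]:-web}.conf" "$tmp"
  sed -i -e "s|{{synproxy_threshold}}|$(( conntrack_size / 64 ))|g" \
    -e "s|{{ssh_ipv4}}|$ssh_ipv4|g" \
    -e "s|{{ssh_ipv6}}|$ssh_ipv6|g" "$tmp"
  rsync "$tmp" "$remote:/etc/nftables.conf"
  ssh "$remote" systemctl enable --now nftables.service
done
```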