HostKit can model host firewall policy, workspace egress policy, service listeners, and systemd network restrictions.

```elixir
use HostKit.DSL

project :prod do
  firewall do
    allow tcp: 22, from: :any
    allow tcp: [80, 443], from: :any
    allow tcp: 9100, from: {10, 44, 0, 0, 24}
    deny :all
  end

  service :api do
    daemon "api.service" do
      exec_start ["/opt/api/bin/server"]
      listen :http, port: 4000, on: :loopback
      network_policy deny: :all,
                     allow: [:loopback]
    end
  end
end
```

Firewall policy renders to nftables. `network_policy` compiles into systemd service options such as `IPAddressDeny=`, `IPAddressAllow=`, and `RestrictAddressFamilies=`.
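The rendering step described above, as an added illustrative example rather than HostKit's own compiler: a small Elixir module that takes rules in the shape of the `firewall` and `network_policy` blocks and emits the nftables input chain and the systemd `[Service]` drop-in that express the same policy. The module name `PolicyRender`, the tuple encoding of rules, and the exact text emitted are assumptions; HostKit's real output may differ.

```elixir
defmodule PolicyRender do
  # Illustrative renderer, not HostKit's own code. Rules arrive in the shape of
  # the DSL above: {:allow, proto, port_or_ports, from} and {:deny, :all}.
  # `from: :any` adds no source match; a {a, b, c, d, len} tuple becomes a CIDR.
  defp source(:any), do: ""
  defp source({a, b, c, d, len}), do: "ip saddr #{a}.#{b}.#{c}.#{d}/#{len} "

  # One nft rule per allow; `tcp: 22` and `tcp: [80, 443]` both become a port set.
  defp rule({:allow, proto, ports, from}) do
    ports = ports |> List.wrap() |> Enum.join(", ")
    "    #{source(from)}#{proto} dport { #{ports} } accept"
  end

  # `deny :all` is the chain's default policy, so anything not allowed is dropped.
  def firewall(rules) do
    policy = if {:deny, :all} in rules, do: "drop", else: "accept"
    allows = rules |> Enum.filter(&match?({:allow, _, _, _}, &1)) |> Enum.map(&rule/1)
    """
    table inet filter {
      chain input {
        type filter hook input priority 0; policy #{policy};
        iif lo accept
        ct state established,related accept
    #{Enum.join(allows, "\n")}
      }
    }
    """
  end

  # `network_policy deny: :all, allow: [:loopback]` as a [Service] drop-in.
  # "any" and "localhost" are systemd's own keywords for these two options.
  def network_policy(deny: :all, allow: allow) do
    allowed = Enum.map_join(allow, " ", fn :loopback -> "localhost" end)
    """
    [Service]
    IPAddressDeny=any
    IPAddressAllow=#{allowed}
    RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
    """
  end
end

IO.puts PolicyRender.firewall([
  {:allow, :tcp, 22, :any},
  {:allow, :tcp, [80, 443], :any},
  {:allow, :tcp, 9100, {10, 44, 0, 0, 24}},
  {:deny, :all}
])
IO.puts PolicyRender.network_policy(deny: :all, allow: [:loopback])
```

Note that `IPAddressDeny=` and `IPAddressAllow=` filter by address only; a port-level rule such as the `tcp: 443` egress allowance later on this page has to be expressed in the nftables layer rather than in the unit file.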
## Host-scoped firewall

Firewall policy can also live inside a host declaration:

```elixir
host :prod, hostname: "app.example.com" do
  firewall do
    allow tcp: 22, from: :any
    allow tcp: [80, 443], from: :any
    deny :all
  end
end
```

## Named listeners
Named listeners keep provider integrations decoupled from port literals:

```elixir
use HostKit.DSL, providers: [HostKit.Providers.Caddy]

project :prod do
  service :api do
    daemon "api.service" do
      exec_start ["/opt/api/bin/server"]
      listen :http, port: 4000, on: :loopback
    end

    caddy_site :api, "api.example.com" do
      reverse_proxy listener(:http)
    end
  end
end
```

## Workspace egress
Workspace services can express outbound policy separately from host ingress:

```elixir
workspace :blog, owner: :alice do
  service :preview do
    egress deny: :private, allow: [tcp: 443]
  end
end
```

This gives HostKit enough information to render firewall and network policy and to audit what each service or workspace is expected to reach.