Firewall and Docker containers in NixOS

Hopefully this saves someone else some headache. If you want services running in Docker containers to reach services outside Docker on your NixOS machine, while keeping the firewall enabled so that not every port on the device is reachable from the outside, you need to mark the Docker bridge interface as a trusted interface in the firewall configuration.

Say, for example, you run something in Docker because the package you want is missing from nixpkgs or out of date, but that containerised service depends on a database which you want to run on the bare metal through Nix.

An example of this could be:

```nix
# Have the firewall enabled
networking.firewall.enable = true;
# But allow docker containers to access the local machine
networking.firewall.trustedInterfaces = [ "docker0" ];
# Enable ssh, http and https
networking.firewall.allowedTCPPorts = [ 22 80 443 ];
```

This way your Docker containers can reach the local machine, while nobody outside the network can reach the containers or any host port other than 22, 80 and 443. Keep in mind that a trusted interface is exempt from port filtering altogether, so every container attached to `docker0` can reach every listening port on the host, not only the ones you list in `allowedTCPPorts`.

Make sure the Docker interface really is named `docker0`; that was the case on my machine, but it may differ on yours.
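A fuller configuration for the scenario above (a container that talks to a PostgreSQL instance running on the bare metal), added here as an example and not taken from the original post. It assumes the interface is `docker0`, that the default bridge gateway is `172.17.0.1`, and a hypothetical image, database and role all called `app`; instead of trusting the whole interface it opens only the database port to containers.

```nix
{ config, pkgs, ... }:
{
  virtualisation.docker.enable = true;

  # Database on bare metal, as in the scenario above.
  services.postgresql = {
    enable = true;
    # Listen on the docker0 gateway address as well as localhost.
    # 172.17.0.1 is Docker's default bridge gateway (assumption);
    # verify it with `ip addr show docker0`.
    settings.listen_addresses = "localhost,172.17.0.1";
    # Only accept the hypothetical "app" role from the default bridge subnet.
    authentication = ''
      host  app  app  172.17.0.0/16  scram-sha-256
    '';
  };

  networking.firewall = {
    enable = true;
    # ssh, http and https from anywhere
    allowedTCPPorts = [ 22 80 443 ];
    # Narrower alternative to trustedInterfaces = [ "docker0" ]:
    # containers on docker0 may reach the database port only,
    # not every port the host happens to listen on.
    interfaces."docker0".allowedTCPPorts = [ 5432 ];
  };

  # The containerised service (hypothetical image and database name).
  virtualisation.oci-containers = {
    backend = "docker";
    containers.app = {
      image = "example/app:latest";
      environment.DATABASE_URL = "postgres://app@172.17.0.1:5432/app";
      # Bind the published port to loopback only; note that ports
      # published by Docker are handled by Docker's own iptables rules,
      # not by networking.firewall.
      ports = [ "127.0.0.1:8080:8080" ];
    };
  };
}
```

If the interface on your machine is not `docker0`, change both the `interfaces."docker0"` key and the gateway address used in the connection string accordingly.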