refactor(firewall): Make services responsible for opening ports

2025-11-20 00:17:43 +08:00 · 2025-11-20 00:17:43 +08:00 · 6bedb95929
commit 6bedb95929
parent 12790d5444
9 changed files with 63 additions and 39 deletions
--- a/configuration/services/conduit/default.nix
+++ b/configuration/services/conduit/default.nix
@ -17,6 +17,36 @@ in
    ./matrix-hookshot.nix
  ];

+  networking.firewall = {
+    allowedTCPPorts = [
+      # These are for "normal" clients
+      80
+      443
+
+      # Federation happens on 8448
+      8448
+
+      config.services.coturn.listening-port
+      config.services.coturn.tls-listening-port
+      config.services.coturn.alt-listening-port
+      config.services.coturn.alt-tls-listening-port
+    ];
+
+    allowedUDPPorts = [
+      config.services.coturn.listening-port
+      config.services.coturn.tls-listening-port
+      config.services.coturn.alt-listening-port
+      config.services.coturn.alt-tls-listening-port
+    ];
+
+    allowedUDPPortRanges = [
+      {
+        from = config.services.coturn.min-port;
+        to = config.services.coturn.max-port;
+      }
+    ];
+  };
+
  services = {
    matrix-conduit = {
      enable = true;