refactor(firewall): Make services responsible for opening ports

This commit is contained in:
Tristan Daniël Maat 2025-11-20 00:17:43 +08:00
parent 1d84562078
commit b63c823577
Signed by: tlater
GPG key ID: 02E935006CF2E8E7
9 changed files with 63 additions and 39 deletions


@ -1,9 +1,4 @@
{ { modulesPath, flake-inputs, ... }:
config,
modulesPath,
flake-inputs,
...
}:
{ {
imports = [ imports = [
flake-inputs.disko.nixosModules.disko flake-inputs.disko.nixosModules.disko
@ -49,39 +44,6 @@
networking = { networking = {
usePredictableInterfaceNames = false; usePredictableInterfaceNames = false;
useDHCP = false; useDHCP = false;
firewall = {
allowedTCPPorts = [
# http
80
443
# ssh
2222
# matrix
8448
# starbound
21025
config.services.coturn.listening-port
config.services.coturn.tls-listening-port
config.services.coturn.alt-listening-port
config.services.coturn.alt-tls-listening-port
];
allowedUDPPorts = [
config.services.coturn.listening-port
config.services.coturn.tls-listening-port
config.services.coturn.alt-listening-port
config.services.coturn.alt-tls-listening-port
];
allowedUDPPortRanges = [
{
from = config.services.coturn.min-port;
to = config.services.coturn.max-port;
}
];
};
}; };
systemd.network.enable = true; systemd.network.enable = true;
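Review bot: Port 2222, labelled `# ssh` in the removed block, is not re-added by any of the other eight sections of this commit, so after this change it is open only if the ssh service module opens it itself; if `services.openssh` is configured with `ports = [ 2222 ]`, its `openFirewall` option (default true) would do that, but that configuration is not visible here and should be confirmed before this lands on a remote host, since a closed ssh port there is a lockout. Every other removed port (80, 443, 8448, 21025, and the coturn TCP/UDP ports and UDP range) reappears in a service module, so the ssh port is the one gap. If the intent is that the ssh module owns it, a short comment here or in that module, e.g. `# ssh (2222) is opened by services.openssh.openFirewall`, would stop the next reader from re-adding it to the host list. The module's attribute set continues past the end of the hunk.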


@ -17,6 +17,36 @@ in
./matrix-hookshot.nix ./matrix-hookshot.nix
]; ];
networking.firewall = {
allowedTCPPorts = [
# These are for "normal" clients
80
443
# Federation happens on 8448
8448
config.services.coturn.listening-port
config.services.coturn.tls-listening-port
config.services.coturn.alt-listening-port
config.services.coturn.alt-tls-listening-port
];
allowedUDPPorts = [
config.services.coturn.listening-port
config.services.coturn.tls-listening-port
config.services.coturn.alt-listening-port
config.services.coturn.alt-tls-listening-port
];
allowedUDPPortRanges = [
{
from = config.services.coturn.min-port;
to = config.services.coturn.max-port;
}
];
};
services = { services = {
matrix-conduit = { matrix-conduit = {
enable = true; enable = true;
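Review bot: Ports 80 and 443 are declared here and repeated in the forgejo, immich, grafana, nextcloud, foundryvtt and tlaternet-webserver sections, yet most of those hunks derive their hostnames from `config.services.nginx.domain`, which suggests the reverse proxy rather than any single backend is the listener on those ports. The module system merges these lists, so the duplication is harmless today, but it obscures which service actually binds a port and leaves nothing documenting who owns 80/443. Declaring them once where nginx is enabled and keeping only service-owned ports in this file (8448 and the coturn ports, which the coturn module does not open for you) would match the commit's stated intent of services opening their own ports. Confirm that nginx is indeed the process on 80/443 on each host before moving them; the `services` attribute set runs past the end of the hunk.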


@ -11,6 +11,11 @@ in
{ {
imports = [ flake-inputs.foundryvtt.nixosModules.foundryvtt ]; imports = [ flake-inputs.foundryvtt.nixosModules.foundryvtt ];
networking.firewall.allowedTCPPorts = [
80
443
];
services = { services = {
foundryvtt = { foundryvtt = {
enable = true; enable = true;


@ -8,6 +8,11 @@ let
domain = "gitea.${config.services.nginx.domain}"; domain = "gitea.${config.services.nginx.domain}";
in in
{ {
networking.firewall.allowedTCPPorts = [
80
443
];
services = { services = {
forgejo = { forgejo = {
enable = true; enable = true;


@ -8,6 +8,11 @@ let
hostName = "immich.${config.services.nginx.domain}"; hostName = "immich.${config.services.nginx.domain}";
in in
{ {
networking.firewall.allowedTCPPorts = [
80
443
];
services = { services = {
immich = { immich = {
enable = true; enable = true;


@ -3,6 +3,11 @@ let
domain = "metrics.${config.services.nginx.domain}"; domain = "metrics.${config.services.nginx.domain}";
in in
{ {
networking.firewall.allowedTCPPorts = [
80
443
];
services.grafana = { services.grafana = {
enable = true; enable = true;
settings = { settings = {


@ -9,6 +9,11 @@ let
hostName = "nextcloud.${config.services.nginx.domain}"; hostName = "nextcloud.${config.services.nginx.domain}";
in in
{ {
networking.firewall.allowedTCPPorts = [
80
443
];
services = { services = {
nextcloud = { nextcloud = {
inherit hostName; inherit hostName;


@ -8,6 +8,8 @@ let
inherit (lib) concatStringsSep; inherit (lib) concatStringsSep;
in in
{ {
networking.firewall.allowedTCPPorts = [ 21025 ];
# Sadly, steam-run requires some X libs # Sadly, steam-run requires some X libs
environment.noXlibs = false; environment.noXlibs = false;


@ -3,6 +3,11 @@ let
inherit (config.services.nginx) domain; inherit (config.services.nginx) domain;
in in
{ {
networking.firewall.allowedTCPPorts = [
80
443
];
services.tlaternet-webserver = { services.tlaternet-webserver = {
enable = true; enable = true;
listen = { listen = {