wip: server-factory + firewall refractor

2025-09-27 17:00:13 -06:00
parent 4b81028cde
commit 3d3f49aeec
8 changed files with 107 additions and 53 deletions
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -17,6 +17,14 @@
      ../../secrets/ssh/ed25519_nixworkstation.pub
      ../../secrets/ssh/ed25519_nixminiserver.pub
    ];
+    network.firewall.enabledServicePorts = true;
+    network.firewall.additionalPorts = [
+      2049 # idk
+      8384 # syncthing gui
+      22000 # syncthing relay
+      3452 # sonarqube
+      8448 # synapse ssl
+    ];
  };
  nix.buildMachines = [
    {
@@ -29,45 +37,28 @@
    }
  ];
  sops.secrets."vps/home/private".sopsFile = ../../secrets/wireguard.yaml;
-  networking =
-    let
-      enabledPorts =
-        config.my.servers
-        |> lib.filterAttrs (_: srv: (srv.enable or false) && (srv ? port))
-        |> lib.attrValues
-        |> map (srv: srv.port);
-      ports = enabledPorts ++ [
-        2049 # idk
-        8384 # syncthing gui
-        22000 # syncthing relay
-        3452 # sonarqube
-        8448 # synapse ssl
-        config.services.gitea.settings.server.SSH_PORT
-      ];
-    in
-    {
-      hostName = "server";
-      firewall = {
-        allowedTCPPorts = ports;
-        allowedUDPPorts = ports;
-        interfaces.wg0.allowedTCPPorts = [ 8081 ];
-      };
-      wireguard.interfaces.wg0 = {
-        ips = [ "${config.my.ips.wg-server}/32" ];
-        privateKeyFile = config.sops.secrets."vps/home/private".path;
-        peers = [
-          {
-            publicKey = "dFbiSekBwnZomarcS31o5+w6imHjMPNCipkfc2fZ3GY=";
-            endpoint = "${config.my.ips.vps}:51820";
-            allowedIPs = [
-              "${config.my.ips.wg-vps}/32"
-              "${config.my.ips.wg-friends}/24" # all friends
-            ];
-            persistentKeepalive = 25;
-          }
-        ];
-      };
+  networking = {
+    hostName = "server";
+    firewall = {
+      allowedUDPPorts = config.networking.firewall.allowedTCPPorts;
+      interfaces.wg0.allowedTCPPorts = [ 8081 ];
    };
+    wireguard.interfaces.wg0 = {
+      ips = [ "${config.my.ips.wg-server}/32" ];
+      privateKeyFile = config.sops.secrets."vps/home/private".path;
+      peers = [
+        {
+          publicKey = "dFbiSekBwnZomarcS31o5+w6imHjMPNCipkfc2fZ3GY=";
+          endpoint = "${config.my.ips.vps}:51820";
+          allowedIPs = [
+            "${config.my.ips.wg-vps}/32"
+            "${config.my.ips.wg-friends}/24" # all friends
+          ];
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+  };
  users.users.jawz.packages = builtins.attrValues {
    inherit (pkgs) podman-compose;
  };