diff --git a/config/base.nix b/config/base.nix
index f45343b..4af7279 100644
--- a/config/base.nix
+++ b/config/base.nix
@@ -1,5 +1,4 @@
 {
- self,
 lib,
 pkgs,
 inputs,
diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index ee28bf3..9ee6377 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -1,7 +1,6 @@
 {
 pkgs,
 config,
- lib,
 ...
 }:
 {
diff --git a/hosts/workstation/configuration.nix b/hosts/workstation/configuration.nix
index e157485..bd8defa 100644
--- a/hosts/workstation/configuration.nix
+++ b/hosts/workstation/configuration.nix
@@ -1,6 +1,5 @@
 {
 pkgs,
- inputs,
 ...
 }:
 let
diff --git a/modules/factories/server-factory.nix b/modules/factories/server-factory.nix
deleted file mode 100644
index 557f23d..0000000
--- a/modules/factories/server-factory.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- lib,
- config,
- name,
- subdomain,
- port,
- serviceConfig ? { },
- nginxConfig ? null,
-}:
-let
- cfg = config.my.servers.${name};
- setup = import ./setup.nix { inherit lib config; };
-in
-{
- options.my.servers.${name} = setup.mkOptions name subdomain port;
-
- config = lib.mkIf cfg.enable {
- services = serviceConfig // {
- nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy (
- if nginxConfig != null then nginxConfig cfg else setup.proxyReverseFix cfg
- );
- };
- };
-}
diff --git a/modules/network/firewall.nix b/modules/network/firewall.nix
index d7b86a8..2216185 100644
--- a/modules/network/firewall.nix
+++ b/modules/network/firewall.nix
@@ -1,4 +1,28 @@ { lib, config, ... }: +let + nativeServicesWithOpenFirewall = [ + "adguardhome" + "plex" + "sabnzbd" + "nix-serve" + "radarr" + "sonarr" + "jellyfin" + "prowlarr" + "bazarr" + "stash" + "ombi" + "flaresolverr" + ]; + + servicesConfig = lib.listToAttrs ( + map (serviceName: { + name = serviceName; + value.openFirewall = config.my.servers.${serviceName}.enable or false; + }) nativeServicesWithOpenFirewall + ); + +in { options.my.network.firewall = { enabledServicePorts = lib.mkEnableOption "auto-open ports for enabled services"; @@ -15,12 +39,17 @@ }; config = lib.mkIf config.my.network.firewall.enabledServicePorts { + services = servicesConfig; + networking.firewall.allowedTCPPorts = config.my.network.firewall.staticPorts ++ config.my.network.firewall.additionalPorts ++ ( config.my.servers - |> lib.filterAttrs (_: srv: (srv.enable or false) && (srv ? port)) + |> lib.filterAttrs ( + name: srv: + (srv.enable or false) && (srv ? port) && !(builtins.elem name nativeServicesWithOpenFirewall) + ) |> lib.attrValues |> map (srv: srv.port) ) diff --git a/modules/servers/adguardhome.nix b/modules/servers/adguardhome.nix index ee1346b..1924549 100644 --- a/modules/servers/adguardhome.nix +++ b/modules/servers/adguardhome.nix @@ -5,7 +5,6 @@ services.adguardhome = { enable = true; mutableSettings = true; - openFirewall = true; }; }; } diff --git a/modules/servers/bazarr.nix b/modules/servers/bazarr.nix index 8d4821f..9368ab8 100644 --- a/modules/servers/bazarr.nix +++ b/modules/servers/bazarr.nix @@ -6,7 +6,6 @@ in { options.my.servers.bazarr = setup.mkOptions "bazarr" "subs" config.services.bazarr.listenPort; config = { - networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ]; services = { bazarr = lib.mkIf cfg.enable { enable = true; diff --git a/modules/servers/homepage.nix b/modules/servers/homepage.nix index e27e87c..1d9c26d 100644 --- a/modules/servers/homepage.nix +++ b/modules/servers/homepage.nix 
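Review bot: Both the rewritten `lib.filterAttrs` predicate and the generated `servicesConfig` attrset key firewall exposure on `enable` alone, so a service whose `isLocal` flag is set now gets its port opened (via `allowedTCPPorts` or `openFirewall`) whenever it is enabled and `enabledServicePorts` is on, whereas the per-module lines removed in the later sections (bazarr, homepage, jellyfin, kavita, lidarr, maloja, mealie, metube, microbin, multi-scrobbler, ombi, prowlarr, shiori, sonarr, stash, vaultwarden) were gated on `!cfg.isLocal` and this hunk drops that gate without replacing it. Carrying the flag over is two small edits: `value.openFirewall = (config.my.servers.${serviceName}.enable or false) && !(config.my.servers.${serviceName}.isLocal or false);` in `servicesConfig`, and `(srv.enable or false) && (srv ? port) && !(srv.isLocal or false) && !(builtins.elem name nativeServicesWithOpenFirewall)` in the predicate. Separately, the `"flaresolverr"` entry resolves `config.my.servers.flaresolverr.enable or false`, but no `my.servers.flaresolverr` option is visible on this page (prowlarr.nix drives `services.flaresolverr.enable` from its own `cfg.enable` and previously set `openFirewall = true` directly), so unless that option exists elsewhere the entry evaluates to false and flaresolverr's port is no longer opened. Services that previously opened their port unconditionally (adguardhome, nix-serve, plex, sabnzbd, tranga) now open nothing when `enabledServicePorts` is off; if that is intended, a sentence in the option description saying that per-service firewall rules are controlled here would help a host author understand why.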
@@ -6,7 +6,6 @@ in
 {
 options.my.servers.homepage = setup.mkOptions "homepage" "home" 8082;
 config = {
- networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 sops.secrets = lib.mkIf cfg.enable {
 homepage.sopsFile = ../../secrets/homepage.yaml;
 "private-ca/pem" = {
diff --git a/modules/servers/jellyfin.nix b/modules/servers/jellyfin.nix
index dcebb0d..2c42ec2 100644
--- a/modules/servers/jellyfin.nix
+++ b/modules/servers/jellyfin.nix
@@ -24,7 +24,6 @@ in
 {
 options.my.servers.jellyfin = setup.mkOptions "jellyfin" "flix" 8096;
 config = {
- networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 environment = {
 systemPackages = lib.mkIf cfg.enable (
 [ pkgs.jellyfin-ffmpeg ] ++ (lib.optional cfg.enableCron [ sub-sync-path ])
diff --git a/modules/servers/kavita.nix b/modules/servers/kavita.nix
index 30e64e0..082633b 100644
--- a/modules/servers/kavita.nix
+++ b/modules/servers/kavita.nix
@@ -6,7 +6,6 @@ in
 {
 options.my.servers.kavita = setup.mkOptions "kavita" "library" config.services.kavita.settings.Port;
 config = {
- networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 sops.secrets.kavita-token = lib.mkIf cfg.enable {
 owner = config.users.users.kavita.name;
 inherit (config.users.users.kavita) group;
diff --git a/modules/servers/lidarr.nix b/modules/servers/lidarr.nix
index 20aefc6..ea28afc 100644
--- a/modules/servers/lidarr.nix
+++ b/modules/servers/lidarr.nix
@@ -6,7 +6,6 @@ in
 {
 options.my.servers.lidarr = setup.mkOptions "lidarr" "music" 8686;
 config = {
- networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 virtualisation.oci-containers.containers.lidarr = lib.mkIf cfg.enable {
 autoStart = true;
 image = "linuxserver/lidarr:version-2.13.3.4711";
diff --git a/modules/servers/maloja.nix b/modules/servers/maloja.nix
index 6b49c11..ba4c632 100644
--- a/modules/servers/maloja.nix
+++ b/modules/servers/maloja.nix
@@ -6,7 +6,6 @@ in
 {
 options.my.servers.maloja = setup.mkOptions "maloja" "maloja" 42010;
 config = {
- networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 sops.secrets = lib.mkIf cfg.enable { maloja.sopsFile = ../../secrets/env.yaml; };
 virtualisation.oci-containers.containers.maloja = lib.mkIf cfg.enable {
 image = "krateng/maloja:3.2.3";
diff --git a/modules/servers/mealie.nix b/modules/servers/mealie.nix
index 8ed834f..3877071 100644
--- a/modules/servers/mealie.nix
+++ b/modules/servers/mealie.nix
@@ -6,7 +6,6 @@ in
 {
 options.my.servers.mealie = setup.mkOptions "mealie" "mealie" 9925;
 config = {
- networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 sops.secrets = lib.mkIf cfg.enable { mealie.sopsFile = ../../secrets/env.yaml; };
 services = {
 mealie = lib.mkIf cfg.enable {
diff --git a/modules/servers/metube.nix b/modules/servers/metube.nix
index 0fde5f9..cbaab45 100644
--- a/modules/servers/metube.nix
+++ b/modules/servers/metube.nix
@@ -6,7 +6,6 @@ in
 {
 options.my.servers.metube = setup.mkOptions "metube" "bajameesta" 8881;
 config = {
- networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 virtualisation.oci-containers.containers.metube = lib.mkIf cfg.enable {
 image = "ghcr.io/alexta69/metube:2024-11-05";
 ports = [ "${toString cfg.port}:8081" ];
diff --git a/modules/servers/microbin.nix b/modules/servers/microbin.nix
index 3253b72..5cb87bb 100644
--- a/modules/servers/microbin.nix
+++ b/modules/servers/microbin.nix
@@ -6,7 +6,6 @@ in
 {
 options.my.servers.microbin = setup.mkOptions "microbin" "copy" 8086;
 config = lib.mkIf config.my.servers.microbin.enable {
- networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 services = {
 microbin = lib.mkIf cfg.enable {
 enable = true;
diff --git a/modules/servers/multi-scrobbler.nix b/modules/servers/multi-scrobbler.nix
index 54aa778..a7f0ab1 100644
--- a/modules/servers/multi-scrobbler.nix
+++ b/modules/servers/multi-scrobbler.nix
@@ -6,7 +6,6 @@ in
 {
 options.my.servers.multi-scrobbler = setup.mkOptions "multi-scrobbler" "scrobble" 9078;
 config = {
- networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 sops.secrets = lib.mkIf cfg.enable { multi-scrobbler.sopsFile = ../../secrets/env.yaml; };
 virtualisation.oci-containers.containers.multi-scrobbler = lib.mkIf cfg.enable {
 image = "foxxmd/multi-scrobbler:0.9.11";
diff --git a/modules/servers/nix-serve.nix b/modules/servers/nix-serve.nix
index 1dc5793..03e3603 100644
--- a/modules/servers/nix-serve.nix
+++ b/modules/servers/nix-serve.nix
@@ -15,7 +15,6 @@ in
 services = {
 nix-serve = {
 enable = true;
- openFirewall = true;
 package = pkgs.nix-serve-ng;
 inherit (cfg) port;
 secretKeyFile = config.sops.secrets."private_cache_keys/miniserver".path;
diff --git a/modules/servers/ombi.nix b/modules/servers/ombi.nix
index e6d6117..4ecebe4 100644
--- a/modules/servers/ombi.nix
+++ b/modules/servers/ombi.nix
@@ -9,7 +9,6 @@ in
 ombi = lib.mkIf cfg.enable {
 enable = true;
 inherit (cfg) port;
- openFirewall = !cfg.isLocal;
 };
 nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy (setup.proxyReverseFix cfg);
 };
diff --git a/modules/servers/plex.nix b/modules/servers/plex.nix
index c436b6a..9347c2a 100644
--- a/modules/servers/plex.nix
+++ b/modules/servers/plex.nix
@@ -13,7 +13,6 @@ in
 plex = lib.mkIf cfg.enable {
 enable = true;
 group = "piracy";
- openFirewall = true;
 };
 nginx = lib.mkIf cfg.enableProxy {
 virtualHosts."${cfg.host}" = {
diff --git a/modules/servers/prowlarr.nix b/modules/servers/prowlarr.nix
index f81f74a..4a002c0 100644
--- a/modules/servers/prowlarr.nix
+++ b/modules/servers/prowlarr.nix
@@ -1,5 +1,4 @@
 {
- pkgs,
 lib,
 config,
 ...
@@ -11,17 +10,13 @@ in
 {
 options.my.servers.prowlarr = setup.mkOptions "prowlarr" "indexer" 9696;
 config = {
- networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 users.users.prowlarr = lib.mkIf cfg.enable {
 group = "piracy";
 isSystemUser = true;
 };
 services = {
 prowlarr.enable = cfg.enable;
- flaresolverr = {
- inherit (cfg) enable;
- openFirewall = true;
- };
+ flaresolverr.enable = cfg.enable;
 nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy (setup.proxyReverseFix cfg);
 };
 };
diff --git a/modules/servers/radarr.nix b/modules/servers/radarr.nix
index 9afe422..c47da8d 100644
--- a/modules/servers/radarr.nix
+++ b/modules/servers/radarr.nix
@@ -6,7 +6,6 @@ in
 {
 options.my.servers.radarr = setup.mkOptions "radarr" "movies" 7878;
 config = {
- networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 services = {
 radarr = lib.mkIf cfg.enable {
 enable = true;
diff --git a/modules/servers/sabnzbd.nix b/modules/servers/sabnzbd.nix
index 1c26c89..8cf48c1 100644
--- a/modules/servers/sabnzbd.nix
+++ b/modules/servers/sabnzbd.nix
@@ -9,11 +9,9 @@
 };
 };
 config = lib.mkIf config.my.servers.sabnzbd.enable {
- networking.firewall.allowedTCPPorts = [ config.my.servers.sabnzbd.port ];
 services.sabnzbd = {
 enable = true;
 group = "piracy";
- openFirewall = true;
 };
 };
 }
diff --git a/modules/servers/shiori.nix b/modules/servers/shiori.nix
index deb1102..263b97a 100644
--- a/modules/servers/shiori.nix
+++ b/modules/servers/shiori.nix
@@ -6,7 +6,6 @@ in
 {
 options.my.servers.shiori = setup.mkOptions "shiori" "bookmarks" 4368;
 config = lib.mkIf (config.my.servers.shiori.enable && config.my.servers.postgres.enable) {
- networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 sops.secrets = lib.mkIf cfg.enable { shiori.sopsFile = ../../secrets/env.yaml; };
 services = {
 shiori = lib.mkIf cfg.enable {
diff --git a/modules/servers/sonarr.nix b/modules/servers/sonarr.nix
index 7062eed..342ad8a 100644
--- a/modules/servers/sonarr.nix
+++ b/modules/servers/sonarr.nix
@@ -9,7 +9,6 @@ in
 sonarr = lib.mkIf cfg.enable {
 enable = true;
 group = "piracy";
- openFirewall = !cfg.isLocal;
 };
 nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy (setup.proxyReverseFix cfg);
 };
diff --git a/modules/servers/stash.nix b/modules/servers/stash.nix
index 0847538..ccb31cd 100644
--- a/modules/servers/stash.nix
+++ b/modules/servers/stash.nix
@@ -15,7 +15,6 @@ in
 stash = lib.mkIf cfg.enable {
 enable = true;
 group = "piracy";
- openFirewall = !cfg.isLocal;
 mutableSettings = true;
 username = "Suing8150";
 passwordFile = config.sops.secrets."stash/password".path;
diff --git a/modules/servers/tranga.nix b/modules/servers/tranga.nix
index 4cf35d5..856a85b 100644
--- a/modules/servers/tranga.nix
+++ b/modules/servers/tranga.nix
@@ -6,7 +6,6 @@ in
 {
 options.my.servers.tranga = setup.mkOptions "tranga" "tranga" 9555;
 config = {
- networking.firewall.allowedTCPPorts = [ cfg.port ];
 virtualisation.oci-containers.containers = lib.mkIf cfg.enable {
 tranga-api = {
 image = "glax/tranga-api:latest";
diff --git a/modules/servers/vaultwarden.nix b/modules/servers/vaultwarden.nix
index 8b79204..26bd1f5 100644
--- a/modules/servers/vaultwarden.nix
+++ b/modules/servers/vaultwarden.nix
@@ -11,7 +11,6 @@ in
 {
 options.my.servers.vaultwarden = setup.mkOptions "vaultwarden" "vault" 8222;
 config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable) {
- networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];
 sops.secrets = lib.mkIf cfg.enable { vaultwarden.sopsFile = ../../secrets/env.yaml; };
 services = {
 vaultwarden = lib.mkIf cfg.enable {