From 505298331ea2afd4237be497dec5829671fa3e61 Mon Sep 17 00:00:00 2001
From: Bun
Date: Tue, 18 Mar 2025 03:27:12 -0400
Subject: [PATCH] Move individual custom firewall rules to their own service files
---
 hosts/midas/firewall/default.nix | 54 ++++++++-----------
 modules/system/services/server/default.nix | 1 +
 .../server/fileserver/nfs/default.nix | 28 ++++++----
 .../{socialserver => }/owncast/default.nix | 8 +++
 .../owncast/nginx/default.nix | 0
 .../services/server/socialserver/default.nix | 1 -
 .../server/webserver/nginx/rtmp/default.nix | 12 ++++-
 7 files changed, 61 insertions(+), 43 deletions(-)
 rename modules/system/services/server/{socialserver => }/owncast/default.nix (57%)
 rename modules/system/services/server/{socialserver => }/owncast/nginx/default.nix (100%)
diff --git a/hosts/midas/firewall/default.nix b/hosts/midas/firewall/default.nix
index 7f7637ec..4fd177ca 100644
--- a/hosts/midas/firewall/default.nix
+++ b/hosts/midas/firewall/default.nix
@@ -1,36 +1,28 @@
-{ lib, config, ... }:
+{ config, lib, ... }:
 {
- networking = {
- firewall.extraInputRules = ''
- ip saddr { 10.0.0.0/8, 10.100.0.0/24 } tcp dport 2049 accept comment "Accept NFS"
- ip saddr { 10.0.0.0/8, ${config.secrets.ips.luna}, ${config.secrets.ips.corn} } tcp dport { 1935, 1945 } accept comment "Accept RTMP"
+ networking.nftables.tables.forwarding = {
+ family = "inet";
+ content = ''
+ chain PREROUTING {
+ type nat hook prerouting priority dstnat; policy accept;
+ tcp dport 2211 dnat ip to ${config.ips.pc}:22 comment "SSH to PC"
+
+ udp dport { 27005, 27015, 7777 } dnat ip to ${config.ips.pc} comment "PC Hosted Games"
+
+ tcp dport { 48010, 47989, 47984 } dnat ip to ${config.ips.pc} comment "PC Sunshine TCP"
+ udp dport { 47998, 47999, 48000 } dnat ip to ${config.ips.pc} comment "PC Sunshine UDP"
+
+ tcp dport { 38010, 37989, 37984 } dnat ip to ${config.ips.vm} comment "VM Sunshine TCP"
+ udp dport { 37998, 37999, 38000 } dnat ip to ${config.ips.vm} comment "VM Sunshine UDP"
+
+ udp dport { 7790, 7791, 7792 } dnat ip to ${config.ips.hx} comment "Deus Ex"
+ }
+
+ chain POSTROUTING {
+ type nat hook postrouting priority 100; policy accept;
+ oifname "enp0s31f6" masquerade
+ }
 '';
-
- # Nftables configuration only if server is enabled
- nftables.tables.forwarding = {
- family = "ip";
- content = ''
- chain PREROUTING {
- type nat hook prerouting priority dstnat; policy accept;
- tcp dport 2211 dnat to ${config.ips.pc}:22 comment "SSH to PC"
-
- udp dport { 27005, 27015, 7777 } dnat to ${config.ips.pc} comment "PC Hosted Games"
-
- tcp dport { 48010, 47989, 47984 } dnat to ${config.ips.pc} comment "PC Sunshine TCP"
- udp dport { 47998, 47999, 48000 } dnat to ${config.ips.pc} comment "PC Sunshine UDP"
-
- tcp dport { 38010, 37989, 37984 } dnat to ${config.ips.vm} comment "VM Sunshine TCP"
- udp dport { 37998, 37999, 38000 } dnat to ${config.ips.vm} comment "VM Sunshine UDP"
-
- udp dport { 7790, 7791, 7792 } dnat to ${config.ips.hx} comment "Deus Ex"
- }
-
- chain POSTROUTING {
- type nat hook postrouting priority 100; policy accept;
- oifname "enp0s31f6" masquerade
- }
- '';
- };
 };
 # Enable IP forwarding for the server configuration
diff --git a/modules/system/services/server/default.nix b/modules/system/services/server/default.nix
index 005a0608..69ef8c6c 100644
--- a/modules/system/services/server/default.nix
+++ b/modules/system/services/server/default.nix
@@ -8,6 +8,7 @@
 ./mailserver
 ./minecraft
 ./mysql
+ ./owncast
 ./socialserver
 ./transmission
 ./vaultwarden
diff --git a/modules/system/services/server/fileserver/nfs/default.nix b/modules/system/services/server/fileserver/nfs/default.nix
index f3127a54..6b04ab19 100644
--- a/modules/system/services/server/fileserver/nfs/default.nix
+++ b/modules/system/services/server/fileserver/nfs/default.nix
@@ -1,14 +1,24 @@
-{ config, ... }:
+{ config, lib, ... }:
 {
 imports = [ ./user ];
- services.nfs.server = {
- enable = config.system.fileserver.enable;
- exports = ''
- /storage/Files *(rw,sync,no_subtree_check)
- /storage/Media *(rw,sync,no_subtree_check)
- /storage/Music *(rw,sync,no_subtree_check)
- /srv/minecraft *(rw,sync,no_subtree_check)
- '';
+ config = lib.mkIf config.system.fileserver.enable {
+ services.nfs.server = {
+ enable = true;
+ exports = ''
+ /storage/Files *(rw,sync,no_subtree_check)
+ /storage/Media *(rw,sync,no_subtree_check)
+ /storage/Music *(rw,sync,no_subtree_check)
+ /srv/minecraft *(rw,sync,no_subtree_check)
+ '';
+ };
+ networking.nftables.tables.nfs = {
+ family = "inet";
+ content = ''
+ chain input {
+ ip saddr 10.0.0.0/8 tcp dport 2049 accept comment "Accept NFS"
+ }
+ '';
+ };
 };
 }
diff --git a/modules/system/services/server/socialserver/owncast/default.nix b/modules/system/services/server/owncast/default.nix
similarity index 57%
rename from modules/system/services/server/socialserver/owncast/default.nix
rename to modules/system/services/server/owncast/default.nix
index 72c034ad..6a52595b 100644
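Review bot: The `chain input { ... }` in the new `networking.nftables.tables.nfs` declares no base-chain hook (`type filter hook input priority ...;`), so nftables loads it as a regular chain that nothing jumps to and the `accept` rule for port 2049 is never evaluated; the `owncast` and `rtmp` tables added later in this patch have the same shape. Adding the hook line would not restore the old behaviour either: an `accept` verdict only ends evaluation in its own base chain, and a later base chain on the same hook — presumably the NixOS firewall's own input chain, given that midas previously relied on `firewall.extraInputRules` — can still drop the packet. The rule removed from hosts/midas/firewall/default.nix worked because `extraInputRules` is spliced into that firewall's own ruleset; it is a lines-typed option and can be set from each service module, so the smallest fix is `networking.firewall.extraInputRules = ''ip saddr 10.0.0.0/8 tcp dport 2049 accept comment "Accept NFS"'';` inside this `mkIf` in place of the table. With exports of `*(rw,sync,no_subtree_check)` this saddr rule is the only thing limiting which hosts may mount, so confirm the loaded rules with `nft list ruleset` on the deployed host. The removed host rule also accepted `10.100.0.0/24`; if dropping that source is intended it is worth a line in the commit message.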
--- a/modules/system/services/server/socialserver/owncast/default.nix
+++ b/modules/system/services/server/owncast/default.nix
@@ -8,6 +8,14 @@
 port = 8060;
 rtmp-port = 1945;
 };
+ networking.nftables.tables.owncast = {
+ family = "inet";
+ content = ''
+ chain input {
+ ip saddr 10.0.0.0/8 tcp dport 1945 accept comment "Accept RTMP"
+ }
+ '';
+ };
 environment.persistence."/persist".directories = [ "/var/lib/owncast" ];
 };
 }
diff --git a/modules/system/services/server/socialserver/owncast/nginx/default.nix b/modules/system/services/server/owncast/nginx/default.nix
similarity index 100%
rename from modules/system/services/server/socialserver/owncast/nginx/default.nix
rename to modules/system/services/server/owncast/nginx/default.nix
diff --git a/modules/system/services/server/socialserver/default.nix b/modules/system/services/server/socialserver/default.nix
index ff1a7889..a2f84675 100644
--- a/modules/system/services/server/socialserver/default.nix
+++ b/modules/system/services/server/socialserver/default.nix
@@ -3,7 +3,6 @@
 imports = [
 ./mastodon
 ./matrix
- ./owncast
 ];
 options.system.socialserver.enable = lib.mkEnableOption "Enable social media like services";
diff --git a/modules/system/services/server/webserver/nginx/rtmp/default.nix b/modules/system/services/server/webserver/nginx/rtmp/default.nix
index 3826d9d1..e6999ee3 100644
--- a/modules/system/services/server/webserver/nginx/rtmp/default.nix
+++ b/modules/system/services/server/webserver/nginx/rtmp/default.nix
@@ -1,8 +1,8 @@
 { config, lib, pkgs, ... }:
 {
- options.services.nginx.rtmp.enable = lib.mkEnableOption "Enable an RTMP server using Nginx";
+ options.system.rtmp.enable = lib.mkEnableOption "Enable an RTMP server using Nginx";
- config = lib.mkIf config.services.nginx.rtmp.enable {
+ config = lib.mkIf config.system.rtmp.enable {
 services.nginx = {
 package = (pkgs.nginx.override {
 modules = with pkgs.nginxModules; [ rtmp ];
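Review bot: The new `networking.nftables.tables.owncast` rule admits port 1945 from 10.0.0.0/8 only, whereas the host rule it replaces (removed in hosts/midas/firewall/default.nix) also accepted `${config.secrets.ips.luna}` and `${config.secrets.ips.corn}` on 1935 and 1945; if those publishers are no longer meant to reach owncast directly, that is a deliberate tightening worth stating in the commit message, otherwise the set should be `ip saddr { 10.0.0.0/8, ${config.secrets.ips.luna}, ${config.secrets.ips.corn} }` as the rtmp module keeps it for 1935. The attribute set this table is added to opens before the hunk, so whether it sits under a `mkIf` for the owncast service is not visible here; if it does not, the table is defined on every host that imports this module.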
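Review bot: `options.services.nginx.rtmp.enable` becomes `options.system.rtmp.enable`, but nothing else in this patch sets either name, so any host or module that still sets `services.nginx.rtmp.enable` will fail evaluation with an undefined-option error rather than silently keeping the service enabled. If the old name is set anywhere outside this diff, either update it in the same commit or keep a compatibility shim in `imports` with `(lib.mkRenamedOptionModule [ "services" "nginx" "rtmp" "enable" ] [ "system" "rtmp" "enable" ])`. The `config` attribute set continues past the hunk.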
@@ -27,6 +27,14 @@
 }
 '';
 };
+ networking.nftables.tables.rtmp = {
+ family = "inet";
+ content = ''
+ chain input {
+ ip saddr { 10.0.0.0/8, ${config.secrets.ips.luna}, ${config.secrets.ips.corn} } tcp dport 1935 accept comment "Accept RTMP"
+ }
+ '';
+ };
 systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www/landing-page/streams/hls/" ];
 };
 }