Move individual custom firewall rules to their own service files

2025-03-18 03:27:12 -04:00 · 2025-03-18 03:27:12 -04:00 · 505298331e
commit 505298331e
parent 7635beefb7
7 changed files with 61 additions and 43 deletions
--- a/modules/system/services/server/default.nix
+++ b/modules/system/services/server/default.nix
@ -8,6 +8,7 @@
    ./mailserver
    ./minecraft
    ./mysql
+    ./owncast
    ./socialserver
    ./transmission
    ./vaultwarden
--- a/modules/system/services/server/fileserver/nfs/default.nix
+++ b/modules/system/services/server/fileserver/nfs/default.nix
@ -1,14 +1,24 @@
-{ config, ... }:
+{ config, lib, ... }:
 {
  imports = [ ./user ];

-  services.nfs.server = {
-    enable = config.system.fileserver.enable;
-    exports = ''
-      /storage/Files *(rw,sync,no_subtree_check)
-      /storage/Media *(rw,sync,no_subtree_check)
-      /storage/Music *(rw,sync,no_subtree_check)
-      /srv/minecraft *(rw,sync,no_subtree_check)
-    '';
+  config = lib.mkIf config.system.fileserver.enable {
+    services.nfs.server = {
+      enable = true;
+      exports = ''
+        /storage/Files *(rw,sync,no_subtree_check)
+        /storage/Media *(rw,sync,no_subtree_check)
+        /storage/Music *(rw,sync,no_subtree_check)
+        /srv/minecraft *(rw,sync,no_subtree_check)
+      '';
+    };
+    networking.nftables.tables.nfs = {
+      family = "inet";
+      content = ''
+        chain input {
+          ip saddr 10.0.0.0/8 tcp dport 2049 accept comment "Accept NFS"
+        }
+      '';
+    };
  };
 }
--- a/modules/system/services/server/socialserver/owncast/default.nix
+++ b/modules/system/services/server/socialserver/owncast/default.nix
@ -8,6 +8,14 @@
      port = 8060;
      rtmp-port = 1945;
    };
+    networking.nftables.tables.owncast = {
+      family = "inet";
+      content = ''
+        chain input {
+          ip saddr 10.0.0.0/8 tcp dport 1945 accept comment "Accept RTMP"
+        }
+      '';
+    };
    environment.persistence."/persist".directories = [ "/var/lib/owncast" ];
  };
 }
--- a/modules/system/services/server/socialserver/owncast/nginx/default.nix
+++ b/modules/system/services/server/socialserver/owncast/nginx/default.nix
--- a/modules/system/services/server/socialserver/default.nix
+++ b/modules/system/services/server/socialserver/default.nix
@ -3,7 +3,6 @@
  imports = [
    ./mastodon
    ./matrix
-    ./owncast
  ];

  options.system.socialserver.enable = lib.mkEnableOption "Enable social media like services";
--- a/modules/system/services/server/webserver/nginx/rtmp/default.nix
+++ b/modules/system/services/server/webserver/nginx/rtmp/default.nix
@ -1,8 +1,8 @@
 { config, lib, pkgs, ... }:
 {
-  options.services.nginx.rtmp.enable = lib.mkEnableOption "Enable an RTMP server using Nginx";
+  options.system.rtmp.enable = lib.mkEnableOption "Enable an RTMP server using Nginx";

-  config = lib.mkIf config.services.nginx.rtmp.enable {
+  config = lib.mkIf config.system.rtmp.enable {
    services.nginx = {
      package = (pkgs.nginx.override {
        modules = with pkgs.nginxModules; [ rtmp ];
@ -27,6 +27,14 @@
        }
      '';
    };
+    networking.nftables.tables.rtmp = {
+      family = "inet";
+      content = ''
+        chain input {
+          ip saddr { 10.0.0.0/8, ${config.secrets.ips.luna}, ${config.secrets.ips.corn} } tcp dport 1935 accept comment "Accept RTMP"
+        }
+      '';
+    };
    systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www/landing-page/streams/hls/" ];
  };
 }