Fix some firewall rules

2025-03-18 06:09:07 -04:00 · 2025-03-18 06:09:07 -04:00 · d3a7fe8158
commit d3a7fe8158
parent 7e40fd4fb3
6 changed files with 26 additions and 17 deletions
--- a/modules/system/services/server/fileserver/nfs/default.nix
+++ b/modules/system/services/server/fileserver/nfs/default.nix
@ -15,6 +15,7 @@
      family = "inet";
      content = ''
        chain input {
+	  type filter hook input priority filter; policy drop;
          ip saddr 10.0.0.0/8 tcp dport 2049 accept comment "Accept NFS"
        }
      '';
--- a/modules/system/services/server/mailserver/go-autoconfig/default.nix
+++ b/modules/system/services/server/mailserver/go-autoconfig/default.nix
@ -1,20 +1,25 @@
-{ config, ... }:
+{ config, lib, ... }:
 {
  imports = [ ./nginx ];

-  services.go-autoconfig = {
-    enable = config.services.mailserver.enable;
-    settings = {
-      service_addr = ":1323";
-      domain = "autoconfig.nixfox.ca";
-      imap = {
-        server = "mx.nixfox.ca";
-        port = 143;
-      };
-      smtp = {
-        server = "mx.nixfox.ca";
-        port = 587;
+  config = lib.mkIf config.services.mailserver.enable {
+    services = {
+      go-autoconfig = {
+        enable = true;
+        settings = {
+          service_addr = ":1323";
+          domain = "autoconfig.nixfox.ca";
+          imap = {
+            server = "mx.nixfox.ca";
+            port = 143;
+          };
+          smtp = {
+            server = "mx.nixfox.ca";
+            port = 587;
+          };
+        };
      };
+      cloudflare-dyndns.domains = [ config.services.go-autoconfig.settings.domain ];
    };
  };
 }
--- a/modules/system/services/server/mailserver/simplenix/default.nix
+++ b/modules/system/services/server/mailserver/simplenix/default.nix
@ -28,6 +28,7 @@
            "jimbo@bloxelcom.net"

            "bun@nixfox.ca"
+            #"vice@nixfox.ca"
            "bun@bloxelcom.net"
            "yara@nixfox.ca"

@ -61,8 +62,10 @@
      };
    };

-    # Rspamd port from earlier to avoid overlap
-    services.redis.servers.rspamd.port = config.mailserver.redis.port;
+    services = {
+      redis.servers.rspamd.port = config.mailserver.redis.port;
+      cloudflare-dyndns.domains = [ config.mailserver.fqdn ];
+    };

    environment.persistence."/persist".directories = [
      "/var/vmail"
--- a/modules/system/services/server/nginx/rtmp/default.nix
+++ b/modules/system/services/server/nginx/rtmp/default.nix
@ -29,6 +29,7 @@
      family = "inet";
      content = ''
        chain input {
+	  type filter hook input priority 0; policy drop;
          ip saddr { 10.0.0.0/8, ${config.secrets.ips.luna}, ${config.secrets.ips.corn} } tcp dport 1935 accept comment "Accept RTMP"
        }
      '';
--- a/modules/system/services/server/owncast/default.nix
+++ b/modules/system/services/server/owncast/default.nix
@ -11,6 +11,7 @@
      family = "inet";
      content = ''
        chain input {
+	  type filter hook input priority filter; policy drop;
          ip saddr 10.0.0.0/8 tcp dport 1945 accept comment "Accept RTMP"
        }
      '';
--- a/modules/system/services/server/socialserver/matrix/coturn/default.nix
+++ b/modules/system/services/server/socialserver/matrix/coturn/default.nix
@ -27,11 +27,9 @@
        turn_user_lifetime = "1h";
      };

-      # Sync the IP to Cloudflare
      cloudflare-dyndns.domains = [ config.services.coturn.realm ];
    };

-    # Open coturn ports
    networking.firewall = {
      allowedUDPPorts = [
        3478