feat: auto forward ports and open firewall

2026-03-16 19:05:55 +01:00 · 2026-03-16 19:05:55 +01:00 · 44d2263bdf
commit 44d2263bdf
parent b166c58127
4 changed files with 20 additions and 13 deletions
--- a/data/network.nix
+++ b/data/network.nix
@ -95,4 +95,13 @@ rec {
  dnsMappings = lib.filterAttrs _predOnlyLocalObjs _dnsMappingObjects;

  reverse_proxy = lib.filterAttrs (name: value: value ? reverse_proxy) services;
+
+  _portsUsedInService = (service: if service ? reverse_proxy 
+    then if service.reverse_proxy ? listen
+      then map (obj: obj.port) service.reverse_proxy.listen
+      else if service.reverse_proxy ? ssl && service.reverse_proxy.ssl
+        then [80 443]
+        else [80]
+    else [80]);
+  usedPorts = lib.unique (lib.concatLists (map _portsUsedInService (builtins.attrValues services)));
 }
--- a/data/services.nix
+++ b/data/services.nix
@ -23,16 +23,7 @@ rec {
  autossh = {
    key_path = "/etc/auto-ssh_secrets/key";
    known_hosts = "/etc/auto-ssh_secrets/known_hosts";
-    forwards = [{
-      remote = 80;
-      localAddress = "localhost";
-      localPort = 80;
-    }
-    {
-      remote = 443;
-      localAddress = "localhost";
-      localPort = 443;
-    }];
+    forwards = [];
  };
 }

--- a/services/autossh.nix
+++ b/services/autossh.nix
@ -1,10 +1,17 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:

 let
  net = import ../data/network.nix;
  serv = import ../data/services.nix;

-  forwardStrings = map (port: "-R ${toString port.remote}:${port.localAddress}:${toString port.localPort}") serv.autossh.forwards;
+  autoForwards = map (port: {
+      remote = port;
+      localAddress = "localhost";
+      localPort = port;
+  }) net.usedPorts;
+  fordwards = lib.unique (serv.autossh.forwards ++ autoForwards);
+
+  forwardStrings = map (port: "-R ${toString port.remote}:${port.localAddress}:${toString port.localPort}") fordwards;
  forwardString = builtins.concatStringsSep " " forwardStrings;

  sshHost = net.services.remoteProxy.ip;
--- a/services/nginx.nix
+++ b/services/nginx.nix
@ -80,7 +80,7 @@ in {
    virtualHosts = rproxyServices // {fallback = fallback;};
  };

-  networking.firewall.allowedTCPPorts = [80 443];
+  networking.firewall.allowedTCPPorts = network.usedPorts;

  security.acme = {
    acceptTerms = true;