diff --git a/hosts/FredOS-Mediaserver.nix b/hosts/FredOS-Mediaserver.nix
index 03ada0a..0dc518e 100644
--- a/hosts/FredOS-Mediaserver.nix
+++ b/hosts/FredOS-Mediaserver.nix
@@ -43,8 +43,8 @@
 allowReboot = true;
 };
- # Open firewall for SSH
- networking.firewall.allowedTCPPorts = [ 22 11434 ];
+ # WAN exposure is controlled by nftables in services/router.nix +
+ # ports.toml (networking.firewall is disabled on this host).
 services.openssh = {
 enable = true;
 settings = {
diff --git a/ports.toml b/ports.toml
index 5eddc0b..ac7f48d 100644
--- a/ports.toml
+++ b/ports.toml
@@ -45,22 +45,5 @@ name = "7DTD-coop voice/dynamic"
 ports = "26911-26912"
 protocol = "udp"
-[[forward]]
-name = "DR auth"
-port = 2110
-protocol = "tcp"
-
-[[forward]]
-name = "DR game"
-port = 2603
-protocol = "both"
-
-[[forward]]
-name = "DR aux UDP"
-ports = "2604-2605"
-protocol = "udp"
-
-[[forward]]
-name = "DR queue"
-port = 2606
-protocol = "tcp"
+# DR (Dungeon Runners) forwards removed — services/dr-server.nix is disabled.
+# Re-add 2110 tcp, 2603 both, 2604-2605 udp, 2606 tcp if it comes back.
diff --git a/services/adguard.nix b/services/adguard.nix
index c1e64a4..57c75e7 100644
--- a/services/adguard.nix
+++ b/services/adguard.nix
@@ -45,8 +45,7 @@
 };
 };
- # LAN DNS — router blocks WAN:53 so this is effectively LAN-only
- networking.firewall.allowedTCPPorts = [ 53 ];
- networking.firewall.allowedUDPPorts = [ 53 ];
+ # LAN clients reach :53 via the nftables "LAN trusted" rule in router.nix;
+ # WAN:53 is dropped there.
 };
 }
diff --git a/services/bazarr.nix b/services/bazarr.nix
index 2594a01..5dadadf 100644
--- a/services/bazarr.nix
+++ b/services/bazarr.nix
@@ -6,7 +6,6 @@
 # Bazarr
 services.bazarr = {
 enable = true;
- openFirewall = true; # Opens port 7878
 dataDir = "/var/lib/bazarr";
 user = "bazarr";
 group = "media";
diff --git a/services/dr-server.nix b/services/dr-server.nix
index 3f84e66..4a2667d 100644
--- a/services/dr-server.nix
+++ b/services/dr-server.nix
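Review bot: The replacement comment states that networking.firewall is disabled on this host, but nothing in the hunk enforces that, and every `openFirewall`/`allowedTCPPorts` removal elsewhere in this commit is only a no-op-for-security if that stays true and the nftables input chain in services/router.nix really drops unsolicited WAN traffic to the host itself, not just to forwarded destinations. I would make the dependency explicit beside this comment so a later refactor cannot leave the box with neither filter: `networking.firewall.enable = false;` (if it is not already declared in this file) plus `assertions = [ { assertion = config.networking.nftables.enable; message = "FredOS-Mediaserver: networking.firewall is off, so nftables (services/router.nix) must be enabled"; } ];`, assuming `config` is in scope for this module. The deleted line was the only place that recorded 22 and 11434 as deliberately reachable; the new comment should say what is now intended for them, e.g. `# 22 (ssh) and 11434 are LAN-only; anything WAN-facing must be listed in ports.toml.` The services.openssh block this hunk opens continues past the hunk.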
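Review bot: With the NixOS firewall off, the new comment makes one nftables rule in services/router.nix the only thing between AdGuard's :53 listener and the internet, and a regression there would leave an open resolver (a DNS amplification reflector) with nothing on the host to catch it. If the settings attrset above this hunk (presumably `services.adguardhome.settings`) does not already pin `dns.bind_hosts` to the LAN address(es), I would add that as defence in depth so the listener is never on the WAN interface regardless of the filter. I would also make the comment auditable by naming what the "LAN trusted" rule matches, e.g. `# :53 is LAN-only: bound to the LAN address via settings.dns.bind_hosts, and router.nix's "LAN trusted" rule (matching the LAN interface) is the only input rule that accepts it; WAN:53 is dropped there.` The AdGuard settings block starts before this hunk.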
@@ -66,7 +66,7 @@ in
 };
 };
- networking.firewall.allowedTCPPorts = [ 2110 2603 2604 2605 2606 ];
- networking.firewall.allowedUDPPorts = [ 2110 2603 2604 2605 2606 ];
+ # WAN forwards for 2110/2603-2606 were removed from ports.toml when this
+ # service was disabled — re-add them there if this comes back.
 };
 }
diff --git a/services/game-servers.nix b/services/game-servers.nix
index 7d49ee4..a3632c0 100644
--- a/services/game-servers.nix
+++ b/services/game-servers.nix
@@ -187,8 +187,5 @@
 StartLimitIntervalSec = 300;
 StartLimitBurst = 5;
 };
-
- networking.firewall.allowedTCPPorts = [ 26900 26910 ];
- networking.firewall.allowedUDPPorts = [ 26900 26901 26902 26910 26911 26912 ];
 };
 }
diff --git a/services/homepage.nix b/services/homepage.nix
index c81e413..cdd5f7c 100644
--- a/services/homepage.nix
+++ b/services/homepage.nix
@@ -87,7 +87,6 @@ in
 services.homepage-dashboard = {
 enable = true;
- openFirewall = true;
 listenPort = 8084;
 # Allow access from anywhere on the LAN
diff --git a/services/jellyfin.nix b/services/jellyfin.nix
index 0e46627..705cbd1 100644
--- a/services/jellyfin.nix
+++ b/services/jellyfin.nix
@@ -5,7 +5,6 @@
 # Jellyfin
 services.jellyfin = {
 enable = true;
- openFirewall = true;
 };
 # Ensure Jellyfin can write thumbnails/artwork to media directories
diff --git a/services/nginx.nix b/services/nginx.nix
index 7311b96..c340533 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
@@ -135,7 +135,5 @@ in
 };
 };
 };
-
- networking.firewall.allowedTCPPorts = [ 80 443 ];
 };
 }
diff --git a/services/prowlarr.nix b/services/prowlarr.nix
index 4d4f0dd..6e9572b 100644
--- a/services/prowlarr.nix
+++ b/services/prowlarr.nix
@@ -19,7 +19,6 @@
 # Prowlarr
 services.prowlarr = {
 enable = true;
- openFirewall = true;
 dataDir = "/var/lib/prowlarr";
 };
 };
diff --git a/services/radarr.nix b/services/radarr.nix
index 64ff752..152cf88 100644
--- a/services/radarr.nix
+++ b/services/radarr.nix
@@ -6,7 +6,6 @@
 # Radarr
 services.radarr = {
 enable = true;
- openFirewall = true; # Opens port 7878
 dataDir = "/var/lib/radarr";
 user = "radarr";
 group = "media";
diff --git a/services/sonarr.nix b/services/sonarr.nix
index 285d255..cb52b22 100644
--- a/services/sonarr.nix
+++ b/services/sonarr.nix
@@ -6,7 +6,6 @@
 # Sonarr
 services.sonarr = {
 enable = true;
- openFirewall = true;
 dataDir = "/var/lib/sonarr";
 user = "sonarr";
 group = "media";