mediaserver: drop no-op firewall rules, close unused DR forwards

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
rope 2026-06-11 10:00:02 +01:00
parent f65675bd80
commit 8dd70a2d9d
12 changed files with 8 additions and 37 deletions


@ -43,8 +43,8 @@
allowReboot = true; allowReboot = true;
}; };
# Open firewall for SSH # WAN exposure is controlled by nftables in services/router.nix +
networking.firewall.allowedTCPPorts = [ 22 11434 ]; # ports.toml (networking.firewall is disabled on this host).
services.openssh = { services.openssh = {
enable = true; enable = true;
settings = { settings = {
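Review bot: The replacement comment makes this host's exposure rest on two premises that nothing in the hunk enforces — that `networking.firewall` is disabled and that the nftables ruleset in services/router.nix is actually loaded — so if either line is dropped later the host is left with no packet filter and no build-time signal. Assuming this module receives `config` (its header is outside the hunk) and router.nix uses `networking.nftables`, turning the premise into a NixOS assertion next to the comment makes such drift fail evaluation instead of silently changing what is reachable. The removed allow-list also contained 11434; if that is the Ollama API (its default port — not confirmable from here) it is normally unauthenticated, so the comment should say whether LAN-wide reachability of it under the router.nix rules is intended.
```nix
# WAN exposure is controlled by nftables in services/router.nix +
# ports.toml (networking.firewall is disabled on this host).
# Fail evaluation if that premise ever stops holding, so the dropped
# allow-lists cannot silently turn into an unfiltered host.
assertions = [
  {
    assertion = (!config.networking.firewall.enable) && config.networking.nftables.enable;
    message = "mediaserver: networking.firewall must stay disabled and networking.nftables enabled (router.nix owns the packet filter)";
  }
];
# … unchanged: services.openssh = { … } …
```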


@ -45,22 +45,5 @@ name = "7DTD-coop voice/dynamic"
ports = "26911-26912" ports = "26911-26912"
protocol = "udp" protocol = "udp"
[[forward]] # DR (Dungeon Runners) forwards removed — services/dr-server.nix is disabled.
name = "DR auth" # Re-add 2110 tcp, 2603 both, 2604-2605 udp, 2606 tcp if it comes back.
port = 2110
protocol = "tcp"
[[forward]]
name = "DR game"
port = 2603
protocol = "both"
[[forward]]
name = "DR aux UDP"
ports = "2604-2605"
protocol = "udp"
[[forward]]
name = "DR queue"
port = 2606
protocol = "tcp"


@ -45,8 +45,7 @@
}; };
}; };
# LAN DNS — router blocks WAN:53 so this is effectively LAN-only # LAN clients reach :53 via the nftables "LAN trusted" rule in router.nix;
networking.firewall.allowedTCPPorts = [ 53 ]; # WAN:53 is dropped there.
networking.firewall.allowedUDPPorts = [ 53 ];
}; };
} }
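Review bot: The new comment leaves the nftables "LAN trusted" rule in router.nix as the only control between this resolver and the WAN, since the host firewall is disabled and the removed `allowedTCPPorts`/`allowedUDPPorts` lines were already no-ops. A single rule in another file is thin protection against an open-resolver exposure; if the DNS service's listen option (outside this hunk — the enclosing block starts before it) can bind to the LAN address or interface only, doing so adds a layer that does not depend on router.nix staying in the imports. The comment could then record both controls, e.g. `# LAN-only by two controls: listener bound to the LAN address here, and WAN:53 dropped by router.nix`.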


@ -6,7 +6,6 @@
# Bazarr # Bazarr
services.bazarr = { services.bazarr = {
enable = true; enable = true;
openFirewall = true; # Opens port 7878
dataDir = "/var/lib/bazarr"; dataDir = "/var/lib/bazarr";
user = "bazarr"; user = "bazarr";
group = "media"; group = "media";


@ -66,7 +66,7 @@ in
}; };
}; };
networking.firewall.allowedTCPPorts = [ 2110 2603 2604 2605 2606 ]; # WAN forwards for 2110/2603-2606 were removed from ports.toml when this
networking.firewall.allowedUDPPorts = [ 2110 2603 2604 2605 2606 ]; # service was disabled — re-add them there if this comes back.
}; };
} }
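Review bot: The retained comment says forwards for "2110/2603-2606" were removed, which reads as all of 2603-2606 on both protocols, but the ports.toml hunk's comment records a narrower per-protocol set (2110 tcp, 2603 both, 2604-2605 udp, 2606 tcp), and the lists dropped here had all five ports on both TCP and UDP. If this service comes back, the forward set and any host allow-list should come from one source; at minimum make this comment repeat the exact set so the two files cannot disagree: `# WAN forwards removed from ports.toml when this service was disabled: 2110 tcp, 2603 tcp+udp, 2604-2605 udp, 2606 tcp` / `# re-add exactly those (not all five ports on both protocols) if it comes back.` The enclosing module body starts outside the hunk.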


@ -187,8 +187,5 @@
StartLimitIntervalSec = 300; StartLimitIntervalSec = 300;
StartLimitBurst = 5; StartLimitBurst = 5;
}; };
networking.firewall.allowedTCPPorts = [ 26900 26910 ];
networking.firewall.allowedUDPPorts = [ 26900 26901 26902 26910 26911 26912 ];
}; };
} }


@ -87,7 +87,6 @@ in
services.homepage-dashboard = { services.homepage-dashboard = {
enable = true; enable = true;
openFirewall = true;
listenPort = 8084; listenPort = 8084;
# Allow access from anywhere on the LAN # Allow access from anywhere on the LAN


@ -5,7 +5,6 @@
# Jellyfin # Jellyfin
services.jellyfin = { services.jellyfin = {
enable = true; enable = true;
openFirewall = true;
}; };
# Ensure Jellyfin can write thumbnails/artwork to media directories # Ensure Jellyfin can write thumbnails/artwork to media directories


@ -135,7 +135,5 @@ in
}; };
}; };
}; };
networking.firewall.allowedTCPPorts = [ 80 443 ];
}; };
} }


@ -19,7 +19,6 @@
# Prowlarr # Prowlarr
services.prowlarr = { services.prowlarr = {
enable = true; enable = true;
openFirewall = true;
dataDir = "/var/lib/prowlarr"; dataDir = "/var/lib/prowlarr";
}; };
}; };


@ -6,7 +6,6 @@
# Radarr # Radarr
services.radarr = { services.radarr = {
enable = true; enable = true;
openFirewall = true; # Opens port 7878
dataDir = "/var/lib/radarr"; dataDir = "/var/lib/radarr";
user = "radarr"; user = "radarr";
group = "media"; group = "media";


@ -6,7 +6,6 @@
# Sonarr # Sonarr
services.sonarr = { services.sonarr = {
enable = true; enable = true;
openFirewall = true;
dataDir = "/var/lib/sonarr"; dataDir = "/var/lib/sonarr";
user = "sonarr"; user = "sonarr";
group = "media"; group = "media";