mediaserver: drop no-op firewall rules, close unused DR forwards
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
parent
f65675bd80
commit
8dd70a2d9d
12 changed files with 8 additions and 37 deletions
|
|
@ -43,8 +43,8 @@
|
||||||
allowReboot = true;
|
allowReboot = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
# Open firewall for SSH
|
# WAN exposure is controlled by nftables in services/router.nix +
|
||||||
networking.firewall.allowedTCPPorts = [ 22 11434 ];
|
# ports.toml (networking.firewall is disabled on this host).
|
||||||
services.openssh = {
|
services.openssh = {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = {
|
settings = {
|
||||||
|
|
|
||||||
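Review bot: The new comment says `networking.firewall` is disabled on this host, but nothing in the hunk enforces that. With `allowedTCPPorts = [ 22 11434 ]` gone, a later change that re-enables the host firewall would silently close SSH on a machine that also has `allowReboot = true`. Consider backing the comment with an assertion, e.g. `assertions = [{ assertion = !config.networking.firewall.enable; message = "per-service firewall openings were removed; exposure is managed in services/router.nix + ports.toml"; }];`. The same applies to the other sections of this commit that drop `openFirewall` or `allowedTCPPorts`/`allowedUDPPorts` lines. The comment could also name ports 22 and 11434, since the old comment mentioned only SSH; the enclosing attribute set starts and ends outside the hunk.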
21
ports.toml
21
ports.toml
|
|
@ -45,22 +45,5 @@ name = "7DTD-coop voice/dynamic"
|
||||||
ports = "26911-26912"
|
ports = "26911-26912"
|
||||||
protocol = "udp"
|
protocol = "udp"
|
||||||
|
|
||||||
[[forward]]
|
# DR (Dungeon Runners) forwards removed — services/dr-server.nix is disabled.
|
||||||
name = "DR auth"
|
# Re-add 2110 tcp, 2603 both, 2604-2605 udp, 2606 tcp if it comes back.
|
||||||
port = 2110
|
|
||||||
protocol = "tcp"
|
|
||||||
|
|
||||||
[[forward]]
|
|
||||||
name = "DR game"
|
|
||||||
port = 2603
|
|
||||||
protocol = "both"
|
|
||||||
|
|
||||||
[[forward]]
|
|
||||||
name = "DR aux UDP"
|
|
||||||
ports = "2604-2605"
|
|
||||||
protocol = "udp"
|
|
||||||
|
|
||||||
[[forward]]
|
|
||||||
name = "DR queue"
|
|
||||||
port = 2606
|
|
||||||
protocol = "tcp"
|
|
||||||
|
|
|
||||||
|
|
@ -45,8 +45,7 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# LAN DNS — router blocks WAN:53 so this is effectively LAN-only
|
# LAN clients reach :53 via the nftables "LAN trusted" rule in router.nix;
|
||||||
networking.firewall.allowedTCPPorts = [ 53 ];
|
# WAN:53 is dropped there.
|
||||||
networking.firewall.allowedUDPPorts = [ 53 ];
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
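Review bot: After this change the only thing keeping the resolver off the WAN is the drop rule in router.nix that the comment refers to, and that rule is not visible here. If the DNS service configured above this hunk can be bound to specific addresses or interfaces, binding it to the LAN side would keep it from becoming an open resolver should the nftables ruleset fail to load or be edited later. Otherwise extend the comment to say so, e.g. `# No local filter: this listener is reachable on every interface unless router.nix drops it.` The service definition lies outside the hunk, so whether it already restricts its listen address cannot be confirmed from here.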
|
|
@ -6,7 +6,6 @@
|
||||||
# Bazarr
|
# Bazarr
|
||||||
services.bazarr = {
|
services.bazarr = {
|
||||||
enable = true;
|
enable = true;
|
||||||
openFirewall = true; # Opens port 7878
|
|
||||||
dataDir = "/var/lib/bazarr";
|
dataDir = "/var/lib/bazarr";
|
||||||
user = "bazarr";
|
user = "bazarr";
|
||||||
group = "media";
|
group = "media";
|
||||||
|
|
|
||||||
|
|
@ -66,7 +66,7 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 2110 2603 2604 2605 2606 ];
|
# WAN forwards for 2110/2603-2606 were removed from ports.toml when this
|
||||||
networking.firewall.allowedUDPPorts = [ 2110 2603 2604 2605 2606 ];
|
# service was disabled — re-add them there if this comes back.
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -187,8 +187,5 @@
|
||||||
StartLimitIntervalSec = 300;
|
StartLimitIntervalSec = 300;
|
||||||
StartLimitBurst = 5;
|
StartLimitBurst = 5;
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 26900 26910 ];
|
|
||||||
networking.firewall.allowedUDPPorts = [ 26900 26901 26902 26910 26911 26912 ];
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -87,7 +87,6 @@ in
|
||||||
|
|
||||||
services.homepage-dashboard = {
|
services.homepage-dashboard = {
|
||||||
enable = true;
|
enable = true;
|
||||||
openFirewall = true;
|
|
||||||
listenPort = 8084;
|
listenPort = 8084;
|
||||||
|
|
||||||
# Allow access from anywhere on the LAN
|
# Allow access from anywhere on the LAN
|
||||||
|
|
|
||||||
|
|
@ -5,7 +5,6 @@
|
||||||
# Jellyfin
|
# Jellyfin
|
||||||
services.jellyfin = {
|
services.jellyfin = {
|
||||||
enable = true;
|
enable = true;
|
||||||
openFirewall = true;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# Ensure Jellyfin can write thumbnails/artwork to media directories
|
# Ensure Jellyfin can write thumbnails/artwork to media directories
|
||||||
|
|
|
||||||
|
|
@ -135,7 +135,5 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -19,7 +19,6 @@
|
||||||
# Prowlarr
|
# Prowlarr
|
||||||
services.prowlarr = {
|
services.prowlarr = {
|
||||||
enable = true;
|
enable = true;
|
||||||
openFirewall = true;
|
|
||||||
dataDir = "/var/lib/prowlarr";
|
dataDir = "/var/lib/prowlarr";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
||||||
|
|
@ -6,7 +6,6 @@
|
||||||
# Radarr
|
# Radarr
|
||||||
services.radarr = {
|
services.radarr = {
|
||||||
enable = true;
|
enable = true;
|
||||||
openFirewall = true; # Opens port 7878
|
|
||||||
dataDir = "/var/lib/radarr";
|
dataDir = "/var/lib/radarr";
|
||||||
user = "radarr";
|
user = "radarr";
|
||||||
group = "media";
|
group = "media";
|
||||||
|
|
|
||||||
|
|
@ -6,7 +6,6 @@
|
||||||
# Sonarr
|
# Sonarr
|
||||||
services.sonarr = {
|
services.sonarr = {
|
||||||
enable = true;
|
enable = true;
|
||||||
openFirewall = true;
|
|
||||||
dataDir = "/var/lib/sonarr";
|
dataDir = "/var/lib/sonarr";
|
||||||
user = "sonarr";
|
user = "sonarr";
|
||||||
group = "media";
|
group = "media";
|
||||||
|
|
|
||||||