firewall: separate into module requirements

Signed-off-by: Myned <dev@bjork.tech>
2025-02-06 09:17:21 -06:00 · 2025-02-06 09:17:21 -06:00 · c001a1df24
commit c001a1df24
parent 748a167200
5 changed files with 39 additions and 20 deletions
--- a/options/custom/containers/coturn.nix
+++ b/options/custom/containers/coturn.nix
@ -46,5 +46,25 @@ in {
        };
      };
    };
+
+    networking.firewall = {
+      allowedTCPPorts = [
+        3478 # TURN
+        5349 # TURN
+      ];
+
+      allowedUDPPorts = [
+        3478 # TURN
+        5349 # TURN
+      ];
+
+      allowedUDPPortRanges = [
+        {
+          # TURN
+          from = 49152;
+          to = 65535;
+        }
+      ];
+    };
  };
 }
--- a/options/custom/containers/oryx.nix
+++ b/options/custom/containers/oryx.nix
@ -38,5 +38,16 @@ in {
        volumes = ["${config.custom.containers.directory}/oryx/data:/data"];
      };
    };
+
+    networking.firewall = {
+      allowedTCPPorts = [
+        1935 # RTMP
+      ];
+
+      allowedUDPPorts = [
+        8000 # WebRTC
+        10080 # SRT
+      ];
+    };
  };
 }
--- a/options/custom/containers/owncast.nix
+++ b/options/custom/containers/owncast.nix
@ -25,5 +25,11 @@ in {
        ];
      };
    };
+
+    networking.firewall = {
+      allowedTCPPorts = [
+        1935 # RTMP
+      ];
+    };
  };
 }
--- a/options/custom/services/caddy.nix
+++ b/options/custom/services/caddy.nix
@ -54,29 +54,9 @@ in {
    # https://github.com/coturn/coturn/blob/master/docker/coturn/README.md
    # https://element-hq.github.io/synapse/latest/turn-howto.html
    networking.firewall = {
-      enable = true;
-
      allowedTCPPorts = [
        80 # HTTP
        443 # HTTPS
-        1935 # RTMP
-        3478 # TURN
-        5349 # TURN
-      ];
-
-      allowedUDPPorts = [
-        3478 # TURN
-        5349 # TURN
-        8000 # WebRTC
-        10080 # SRT
-      ];
-
-      allowedUDPPortRanges = [
-        {
-          # TURN
-          from = 49152;
-          to = 65535;
-        }
      ];
    };
  };
--- a/options/custom/settings/networking.nix
+++ b/options/custom/settings/networking.nix
@ -9,6 +9,7 @@ in {
  options.custom.settings.networking = {
    enable = mkOption {default = false;};
    dns = mkOption {default = config.custom.default;};
+    firewall = mkOption {default = config.custom.default;};
    ipv4 = mkOption {default = null;};
    ipv6 = mkOption {default = null;};
    networkd = mkOption {default = !cfg.networkmanager;};
@ -30,6 +31,7 @@ in {
    # https://wiki.nixos.org/wiki/Networking
    networking = {
      hostName = config.custom.hostname;
+      firewall.enable = cfg.firewall;
      useNetworkd = cfg.networkd;
      wireless.iwd.enable = cfg.wifi;