From 87511fc1b88de59b0259603461b338fac2d35ae9 Mon Sep 17 00:00:00 2001
From: "Giulio De Pasquale (aider)"
Date: Sat, 26 Apr 2025 16:58:23 +0100
Subject: [PATCH] refactor: abstract vhost allow rules with new allowVPN, allowLAN, allowWAN options

---
 modules/core/vhost.nix | 27 +++++++++++++++++++-------
 modules/services/bazarr/default.nix | 6 ++----
 modules/services/gitea/default.nix | 2 ++
 modules/services/immich/default.nix | 4 ++--
 modules/services/jellyfin/default.nix | 12 ++++--------
 modules/services/jellyseer/default.nix | 6 ++----
 modules/services/lidarr/default.nix | 6 ++----
 modules/services/navidrome/default.nix | 3 ++-
 modules/services/nzbget/default.nix | 6 ++----
 modules/services/prowlarr/default.nix | 6 ++----
 modules/services/radarr/default.nix | 7 ++-----
 modules/services/sonarr/default.nix | 6 ++----
 12 files changed, 44 insertions(+), 47 deletions(-)

diff --git a/modules/core/vhost.nix b/modules/core/vhost.nix
index 2963edf..88ec631 100644
--- a/modules/core/vhost.nix
+++ b/modules/core/vhost.nix
@@ -52,6 +52,24 @@ in
 description = "IP address or CIDR block to allow.";
 };
+ allowVPN = mkOption {
+ type = types.bool;
+ default = false;
+ description = "If set to true, allow VPN traffic.";
+ };
+
+ allowLAN = mkOption {
+ type = types.bool;
+ default = false;
+ description = "If set to true, allow LAN traffic.";
+ };
+
+ allowWAN = mkOption {
+ type = types.bool;
+ default = false;
+ description = "If set to true, allow WAN traffic. If false, deny all WAN traffic.";
+ };
+
 path = mkOption {
 type = types.str;
 default = "";
@@ -62,12 +80,6 @@ in
 default = true;
 description = "Force the use of recommended proxy configuration.";
 };
-
- allowWAN = mkOption {
- type = types.bool;
- default = false;
- description = "If set to false, deny all WAN traffic.";
- };
 };
 });
 default = { };
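Review bot: Neither of these hunks removes the declaration of the old `allowLan` option — the first only adds `allowVPN`/`allowLAN`, the second only drops the old `allowWAN` — while the later hunk in this file stops reading `location.allowLan`. If that declaration still exists outside the hunks, a service that keeps `allowLan = true` evaluates without error and silently emits no LAN allow rule, so the location falls through to `deny all` with no warning. This appears to be intended as a rename; removing the old declaration, or declaring the rename (e.g. with `mkRenamedOptionModule` in the submodule's imports), would turn the stale spelling into an evaluation error instead of a silent change in who can reach the vhost. The submodule's option set starts before and ends after these hunks.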
@@ -92,7 +104,8 @@ in
 recommendedProxySettings = location.recommendedProxySettings;
 extraConfig = ''
 ${concatMapStringsSep "\n" (allowCIDR: "allow ${allowCIDR};") location.allow}
- ${optionalString location.allowLan ''allow ${config.pepe.core.network.interfaces.${config.pepe.core.network.interfaceTypes.lan}.net};''}
+ ${optionalString location.allowLAN ''allow ${config.pepe.core.network.interfaces.${config.pepe.core.network.interfaceTypes.lan}.net};''}
+ ${optionalString location.allowVPN ''allow ${config.pepe.core.network.interfaces.${config.pepe.core.network.interfaceTypes.vpn}.net};''}
 ${optionalString (!location.allowWAN) "deny all;"}
 '' + location.extraConfig;
 })
diff --git a/modules/services/bazarr/default.nix b/modules/services/bazarr/default.nix
index c81db67..3bb5621 100644
--- a/modules/services/bazarr/default.nix
+++ b/modules/services/bazarr/default.nix
@@ -26,10 +26,8 @@ in
 dnsInterfaces = [ interfaceTypes.vpn ];
 locations."/" = {
 port = 6767;
- allowLan = true;
- allow = [
- interfaces.${interfaceTypes.vpn}.net
- ];
+ allowLAN = true;
+ allowVPN = true;
 };
 };
diff --git a/modules/services/gitea/default.nix b/modules/services/gitea/default.nix
index bc6bbb2..33076fe 100644
--- a/modules/services/gitea/default.nix
+++ b/modules/services/gitea/default.nix
@@ -22,6 +22,8 @@ in
 dnsInterfaces = [ interfaceTypes.lan interfaceTypes.vpn ];
 locations."/" = {
 port = config.services.gitea.settings.server.HTTP_PORT;
+ allowLAN = true;
+ allowVPN = true;
 allowWAN = true;
 };
 };
diff --git a/modules/services/immich/default.nix b/modules/services/immich/default.nix
index d37a816..4df4ba5 100644
--- a/modules/services/immich/default.nix
+++ b/modules/services/immich/default.nix
@@ -27,9 +27,9 @@ in
 locations."/" = {
 host = "[::1]";
 port = config.services.immich.port;
- allowLan = true;
+ allowLAN = true;
+ allowVPN = true;
 allowWAN = true;
- allow = [ interfaces.${interfaceTypes.vpn}.net ];
 proxyWebsockets = true;
 extraConfig = ''
 # allow large file uploads
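Review bot: In the rebuilt extraConfig, `deny all;` is emitted only when allowWAN is false, so with `allowWAN = true` the `allow` lines produced for allowLAN, allowVPN and the `allow` list are redundant — nginx admits any client that matches no rule — and the two new flags only restrict anything when allowWAN is false. The gitea, immich and navidrome locations in this patch set all three, which reads as if LAN and VPN were being granted on top of a restricted default but is equivalent to `allowWAN = true` alone. The allowWAN description added in the first hunk of this file should state that dependency, e.g. `description = "If true, no deny rule is emitted and the location is reachable from any address, so allow, allowLAN and allowVPN have no effect. If false, only the allowed sources are admitted and all other traffic is denied.";`. The attribute-set function this extraConfig belongs to starts before this hunk.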
diff --git a/modules/services/jellyfin/default.nix b/modules/services/jellyfin/default.nix
index c37f4f1..60333b2 100644
--- a/modules/services/jellyfin/default.nix
+++ b/modules/services/jellyfin/default.nix
@@ -29,19 +29,15 @@ in
 locations = {
 "/" = {
 port = 8096;
- allowLan = true;
- allow = [
- interfaces.${interfaceTypes.vpn}.net
- ];
+ allowLAN = true;
+ allowVPN = true;
 };
 "/socket" = {
 port = 8096;
- allowLan = true;
+ allowLAN = true;
+ allowVPN = true;
 proxyWebsockets = true;
- allow = [
- interfaces.${interfaceTypes.vpn}.net
- ];
 };
 };
 };
diff --git a/modules/services/jellyseer/default.nix b/modules/services/jellyseer/default.nix
index 24d3939..5e1df9b 100644
--- a/modules/services/jellyseer/default.nix
+++ b/modules/services/jellyseer/default.nix
@@ -25,10 +25,8 @@ in
 dnsInterfaces = [ interfaceTypes.vpn interfaceTypes.lan ];
 locations."/" = {
 port = config.services.jellyseerr.port;
- allowLan = true;
- allow = [
- interfaces.${interfaceTypes.vpn}.net
- ];
+ allowLAN = true;
+ allowVPN = true;
 };
 };
 };
diff --git a/modules/services/lidarr/default.nix b/modules/services/lidarr/default.nix
index 1479ee4..7b59284 100644
--- a/modules/services/lidarr/default.nix
+++ b/modules/services/lidarr/default.nix
@@ -26,10 +26,8 @@ in
 dnsInterfaces = [ interfaceTypes.lan interfaceTypes.vpn ];
 locations."/" = {
 port = 8686;
- allowLan = true;
- allow = [
- interfaces.${interfaceTypes.vpn}.net
- ];
+ allowLAN = true;
+ allowVPN = true;
 };
 };
diff --git a/modules/services/navidrome/default.nix b/modules/services/navidrome/default.nix
index ddba714..50a6208 100644
--- a/modules/services/navidrome/default.nix
+++ b/modules/services/navidrome/default.nix
@@ -50,7 +50,8 @@ in
 dnsInterfaces = [ interfaceTypes.lan interfaceTypes.vpn ];
 locations."/" = {
 port = 4533;
- allowLan = true;
+ allowLAN = true;
+ allowVPN = true;
 allowWAN = true;
 };
 };
diff --git a/modules/services/nzbget/default.nix b/modules/services/nzbget/default.nix
index e769bdf..8f760ed 100644
--- a/modules/services/nzbget/default.nix
+++ b/modules/services/nzbget/default.nix
@@ -26,10 +26,8 @@ in
 dnsInterfaces = [ interfaceTypes.vpn interfaceTypes.lan ];
 locations."/" = {
 port = 6789;
- allowLan = true;
- allow = [
- interfaces.${interfaceTypes.vpn}.net
- ];
+ allowLAN = true;
+ allowVPN = true;
 };
 };
diff --git a/modules/services/prowlarr/default.nix b/modules/services/prowlarr/default.nix
index ca4a231..547b6b1 100644
--- a/modules/services/prowlarr/default.nix
+++ b/modules/services/prowlarr/default.nix
@@ -25,11 +25,9 @@ in
 dnsInterfaces = [ interfaceTypes.vpn interfaceTypes.lan ];
 locations."/" = {
 port = 9696;
- allowLan = true;
+ allowLAN = true;
+ allowVPN = true;
 proxyWebsockets = true;
- allow = [
- interfaces.${interfaceTypes.vpn}.net
- ];
 };
 };
diff --git a/modules/services/radarr/default.nix b/modules/services/radarr/default.nix
index f5bbab0..065d11e 100644
--- a/modules/services/radarr/default.nix
+++ b/modules/services/radarr/default.nix
@@ -25,11 +25,8 @@ in
 dnsInterfaces = [ interfaceTypes.vpn interfaceTypes.lan ];
 locations."/" = {
 port = 7878;
- allowLan = true;
-
- allow = [
- interfaces.${interfaceTypes.vpn}.net
- ];
+ allowLAN = true;
+ allowVPN = true;
 };
 };
diff --git a/modules/services/sonarr/default.nix b/modules/services/sonarr/default.nix
index f994081..8bc0b42 100644
--- a/modules/services/sonarr/default.nix
+++ b/modules/services/sonarr/default.nix
@@ -25,10 +25,8 @@ in
 dnsInterfaces = [ interfaceTypes.vpn interfaceTypes.lan ];
 locations."/" = {
 port = 8989;
- allowLan = true;
- allow = [
- interfaces.${interfaceTypes.vpn}.net
- ];
+ allowLAN = true;
+ allowVPN = true;
 };
 };