From 5c456d4a50e0048cce2de692e0fa55420fa3a478 Mon Sep 17 00:00:00 2001
From: Joakim Repomaa
Date: Fri, 7 Feb 2025 18:16:16 +0200
Subject: [PATCH] make sure web ports are allowed

---
 hosts/freun.dev/configuration.nix    | 9 ++++-----
 hosts/freun.dev/services/default.nix | 6 ++----
 modules/webserver.nix                | 2 +-
 3 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/hosts/freun.dev/configuration.nix b/hosts/freun.dev/configuration.nix
index ef124b5..7956bad 100644
--- a/hosts/freun.dev/configuration.nix
+++ b/hosts/freun.dev/configuration.nix
@@ -121,11 +121,10 @@
     settings.PasswordAuthentication = false;
   };
 
-  # Open ports in the firewall.
-  networking.firewall.allowedTCPPorts = [ 22 ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  # networking.firewall.enable = false;
+  modules.firewall = {
+    enable = true;
+    allInterfaces = [ "ssh" ];
+  };
 
   # Copy the NixOS configuration file and link it from the resulting system
   # (/run/current-system/configuration.nix). This is useful in case you
diff --git a/hosts/freun.dev/services/default.nix b/hosts/freun.dev/services/default.nix
index fb1533b..563cd46 100644
--- a/hosts/freun.dev/services/default.nix
+++ b/hosts/freun.dev/services/default.nix
@@ -17,10 +17,8 @@
 
   virtualisation.oci-containers.backend = "podman";
 
-  networking.firewall = {
-    trustedInterfaces = [ "podman1" ];
-    interfaces.podman1.allowedUDPPorts = [ 53 ];
-  };
+  networking.firewall.trustedInterfaces = [ "podman1" ];
+  modules.firewall.interfaces.podman1 = [ "dns" ];
 
   modules.webserver.enable = true;
 
diff --git a/modules/webserver.nix b/modules/webserver.nix
index 462b91f..aec0c7e 100644
--- a/modules/webserver.nix
+++ b/modules/webserver.nix
@@ -94,6 +94,6 @@ in
       };
     };
 
-    modules.firewall.allInterfaces = lib.mkDefault [ "web" ];
+    modules.firewall.allInterfaces = [ "web" ];
 
   };
 }
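Review bot: The new `modules.firewall` block in configuration.nix drops the comment that said what is being opened, and `"ssh"` is now a service name resolved by the `modules.firewall` module rather than the literal port 22 the removed line allowed, so a reader of this file cannot tell which port(s) are actually exposed. Suggest a one-line why-comment above the block, e.g. `# "ssh" is a service name mapped to its port(s) by modules.firewall, not a port number.` The name-to-port mapping presumably lives in the module rather than following `services.openssh.ports`; if this host ever moves sshd off the default port, verify the two stay in step, because a mismatch would lock out remote access once the firewall is enabled. The enclosing attribute set starts and ends outside the hunk.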
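Review bot: In services/default.nix the new `modules.firewall.interfaces.podman1 = [ "dns" ];` line has no effect while `networking.firewall.trustedInterfaces = [ "podman1" ];` is kept directly above it: a trusted interface accepts all inbound traffic, so a per-interface DNS allowance is never consulted. If the intent is least privilege for the container network (only DNS from containers to the host, as the removed `allowedUDPPorts = [ 53 ]` suggested), drop the trustedInterfaces line; if containers genuinely need full access to the host, drop the new `"dns"` line and say so in a comment, otherwise the next reader will assume podman1 is restricted to DNS. It is also worth checking what `"dns"` expands to in the module, since the old definition opened UDP 53 only and a named service may also open TCP 53. The enclosing attribute set starts and ends outside the hunk.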
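Review bot: Dropping `lib.mkDefault` in webserver.nix changes how this definition combines with a host's own `modules.firewall.allInterfaces`: with mkDefault, the host definition in configuration.nix replaced this list outright (plain definitions have priority 100, mkDefault 1000), which is presumably why the web ports were never opened; without it the two definitions merge, provided the option is a list type such as `types.listOf` — if it were a non-mergeable type, the duplicate definitions would now fail evaluation instead, so that is worth confirming against the module's option declaration. Because a future maintainer may well re-add mkDefault to "let hosts override", the line deserves a why-comment, e.g. `# Intentionally not mkDefault: a host-level allInterfaces definition must merge with this list, not replace it.` The enclosing block starts outside the hunk.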