fix(services): disable opening ports on many services

suasuasuasuasua · suasuasuasuasua · commit 0e328a4698f8 · 2025-05-30T18:54:31.000-06:00
i think proxy passing using nginx makes more sense
i shouldn't be able to just type in the port
diff --git a/modules/nixos/services/actual.nix b/modules/nixos/services/actual.nix
@@ -24,7 +24,6 @@ in
     # TODO: need to setup HTTPS to continue using...
     services.actual = {
       enable = true;
-      openFirewall = true;
       settings = {
         inherit (cfg) port;
       };
diff --git a/modules/nixos/services/adguardhome/default.nix b/modules/nixos/services/adguardhome/default.nix
@@ -29,9 +29,6 @@ in
       inherit settings;
 
       enable = true;
-      # https://search.nixos.org/options?channel=24.11&show=services.adguardhome.openFirewall&from=0&size=50&sort=relevance&type=packages&query=adguard
-      # opens the web port, not the dns port!
-      openFirewall = true;
     };
 
     services.nginx.virtualHosts = {
diff --git a/modules/nixos/services/audiobookshelf.nix b/modules/nixos/services/audiobookshelf.nix
@@ -22,7 +22,6 @@ in
 
       enable = true;
       host = "127.0.0.1";
-      openFirewall = true;
     };
 
     services.nginx.virtualHosts = {
diff --git a/modules/nixos/services/calibre.nix b/modules/nixos/services/calibre.nix
@@ -36,7 +36,6 @@ in
         inherit (cfg) libraries;
 
         enable = true;
-        openFirewall = true;
       };
 
       calibre-web = {
@@ -46,7 +45,6 @@ in
 
           ip = "127.0.0.1";
         };
-        openFirewall = true;
 
         options = {
           # NOTE: kinda ugly but you can only access one library
diff --git a/modules/nixos/services/code-server.nix b/modules/nixos/services/code-server.nix
@@ -46,7 +46,5 @@ in
         };
       };
     };
-
-    networking.firewall.allowedTCPPorts = [ cfg.port ];
   };
 }
diff --git a/modules/nixos/services/glances.nix b/modules/nixos/services/glances.nix
@@ -21,7 +21,6 @@ in
       inherit (cfg) port;
 
       enable = true;
-      openFirewall = true;
       extraArgs = [
         "--webserver"
       ];
diff --git a/modules/nixos/services/immich.nix b/modules/nixos/services/immich.nix
@@ -25,7 +25,6 @@ in
       inherit (cfg) port mediaLocation;
 
       enable = true;
-      openFirewall = true;
       machine-learning.enable = true;
       settings = { };
     };
diff --git a/modules/nixos/services/jellyfin.nix b/modules/nixos/services/jellyfin.nix
@@ -19,7 +19,6 @@ in
   config = lib.mkIf cfg.enable {
     services.jellyfin = {
       enable = true;
-      openFirewall = true;
     };
 
     services.nginx.virtualHosts = {
diff --git a/modules/nixos/services/jellyseerr.nix b/modules/nixos/services/jellyseerr.nix
@@ -21,7 +21,6 @@ in
       inherit (cfg) port;
 
       enable = true;
-      openFirewall = true;
     };
 
     services.nginx.virtualHosts = {
diff --git a/modules/nixos/services/mealie.nix b/modules/nixos/services/mealie.nix
@@ -17,11 +17,6 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    # no option to open firewall so do it manually!
-    networking.firewall.allowedTCPPorts = [
-      cfg.port
-    ];
-
     services.mealie = {
       inherit (cfg) port;
 
diff --git a/modules/nixos/services/navidrome.nix b/modules/nixos/services/navidrome.nix
@@ -23,7 +23,6 @@ in
   config = lib.mkIf cfg.enable {
     services.navidrome = {
       enable = true;
-      openFirewall = true;
 
       settings = {
         inherit (cfg) Port MusicFolder;
diff --git a/modules/nixos/services/paperless.nix b/modules/nixos/services/paperless.nix
@@ -22,10 +22,6 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    networking.firewall.allowedTCPPorts = [
-      cfg.port
-    ];
-
     services.paperless = {
       inherit (cfg) port mediaDir;
 
diff --git a/modules/nixos/services/samba.nix b/modules/nixos/services/samba.nix
@@ -40,12 +40,10 @@ in
         inherit settings;
 
         enable = true;
-        openFirewall = true;
       };
 
       samba-wsdd = {
         enable = true;
-        openFirewall = true;
       };
     };
   };
diff --git a/modules/nixos/services/stirling-pdf.nix b/modules/nixos/services/stirling-pdf.nix
@@ -26,8 +26,6 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    networking.firewall.allowedTCPPorts = [ cfg.port ];
-
     services.stirling-pdf = {
       inherit environment;
 
diff --git a/modules/nixos/services/syncthing.nix b/modules/nixos/services/syncthing.nix
@@ -38,8 +38,6 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    networking.firewall.allowedTCPPorts = [ cfg.port ];
-
     services.syncthing = {
       inherit (cfg)
         dataDir
diff --git a/modules/nixos/services/wastebin.nix b/modules/nixos/services/wastebin.nix
@@ -17,9 +17,6 @@ in
   };
 
   config = lib.mkIf cfg.enable {
-    # no option to open firewall so do it manually!
-    networking.firewall.allowedTCPPorts = [ cfg.port ];
-
     services.wastebin = {
       enable = true;
       settings = {

Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,5 @@ in`
`46`	`46`	`};`
`47`	`47`	`};`
`48`	`48`	`};`
`49`		`-`
`50`		`- networking.firewall.allowedTCPPorts = [ cfg.port ];`
`51`	`49`	`};`
`52`	`50`	`}`