From 644420481e81b5903700638ee3eecf6574b8bb42 Mon Sep 17 00:00:00 2001
From: DannyDannyDanny
Date: Sat, 25 Apr 2026 13:26:37 +0200
Subject: [PATCH] =?UTF-8?q?fix(sunken-ship):=20bbbot=208080=20only=20allow?=
 =?UTF-8?q?ed=20on=20ZT=20interface=20=F0=9F=94=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 nixos/hosts/sunken-ship.nix | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/nixos/hosts/sunken-ship.nix b/nixos/hosts/sunken-ship.nix
index 9f14475..609bb83 100644
--- a/nixos/hosts/sunken-ship.nix
+++ b/nixos/hosts/sunken-ship.nix
@@ -73,12 +73,17 @@ publish = {
 enable = true;
 userServices = true;
 };
 };
- # Open firewall for AirPlay (mDNS + UxPlay default ports) + Navidrome
- # + bbbot HTTP backend (proxied by Caddy on vps-relay over ZT).
- # TODO 4g: tighten to only the VPS's ZT IPv6 instead of any source.
+ # Open firewall for AirPlay (mDNS + UxPlay default ports) + Navidrome.
+ # bbbot's HTTP backend (port 8080) is intentionally NOT in the global
+ # allowedTCPPorts — it's only allowed on the ZeroTier interface
+ # (clan-managed name; matches anything starting with `zt`) so the
+ # vps-relay Caddy can reach it via the ZT mesh. Same trick could lock
+ # 4533 down later but Navidrome stays globally accessible for now (LAN
+ # convenience).
 networking.firewall = {
- allowedTCPPorts = [ 7000 7001 7100 4533 8080 ];
+ allowedTCPPorts = [ 7000 7001 7100 4533 ];
 allowedUDPPorts = [ 5353 6000 6001 7011 ];
+ interfaces."zt+".allowedTCPPorts = [ 8080 ];
 };
 # Navidrome — self-hosted music streaming server (Subsonic API).
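Review bot: The new `interfaces."zt+".allowedTCPPorts = [ 8080 ];` line admits every peer on the ZeroTier network, not only vps-relay, and the removed `# TODO 4g: tighten to only the VPS's ZT IPv6 instead of any source.` was the only place that gap was recorded; the new comment reads as if the exposure is now fully addressed. Keep the intent visible next to the interface rule, e.g. `# NOTE: still reachable from any member of the ZT network; source restriction to vps-relay's ZT address is outstanding.` The `+` suffix is the iptables interface-wildcard form — if this host's `networking.firewall` runs on the nftables backend, confirm the wildcard is translated rather than matched as a literal name, since a literal match would silently allow nothing. Whether bbbot itself binds only to the ZT address (so that the firewall is not the sole control) is not visible in this hunk, and the enclosing module attrset starts before it.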