fix(sunken-ship): bbbot 8080 only allowed on ZT interface 🔐
This commit is contained in:
parent
3b5288a48c
commit
644420481e
1 changed files with 9 additions and 4 deletions
|
|
@ -73,12 +73,17 @@
|
||||||
publish = { enable = true; userServices = true; };
|
publish = { enable = true; userServices = true; };
|
||||||
};
|
};
|
||||||
|
|
||||||
# Open firewall for AirPlay (mDNS + UxPlay default ports) + Navidrome
|
# Open firewall for AirPlay (mDNS + UxPlay default ports) + Navidrome.
|
||||||
# + bbbot HTTP backend (proxied by Caddy on vps-relay over ZT).
|
# bbbot's HTTP backend (port 8080) is intentionally NOT in the global
|
||||||
# TODO 4g: tighten to only the VPS's ZT IPv6 instead of any source.
|
# allowedTCPPorts — it's only allowed on the ZeroTier interface
|
||||||
|
# (clan-managed name; matches anything starting with `zt`) so the
|
||||||
|
# vps-relay Caddy can reach it via the ZT mesh. Same trick could lock
|
||||||
|
# 4533 down later but Navidrome stays globally accessible for now (LAN
|
||||||
|
# convenience).
|
||||||
networking.firewall = {
|
networking.firewall = {
|
||||||
allowedTCPPorts = [ 7000 7001 7100 4533 8080 ];
|
allowedTCPPorts = [ 7000 7001 7100 4533 ];
|
||||||
allowedUDPPorts = [ 5353 6000 6001 7011 ];
|
allowedUDPPorts = [ 5353 6000 6001 7011 ];
|
||||||
|
interfaces."zt+".allowedTCPPorts = [ 8080 ];
|
||||||
};
|
};
|
||||||
|
|
||||||
# Navidrome — self-hosted music streaming server (Subsonic API).
|
# Navidrome — self-hosted music streaming server (Subsonic API).
|
||||||
|
|
|
||||||
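Review bot: the new `interfaces."zt+".allowedTCPPorts = [ 8080 ];` line admits every peer on the ZeroTier network, not only vps-relay, yet the hunk drops the old `# TODO 4g: tighten to only the VPS's ZT IPv6 instead of any source.` line; either carry that TODO into the new comment block or narrow the rule to the relay's ZT address (for example via `networking.firewall.extraCommands` on the iptables backend or `networking.firewall.extraInputRules` on the nftables backend) so that "so the vps-relay Caddy can reach it via the ZT mesh" describes what is actually enforced rather than "any ZT member can reach it". Also, the trailing `+` is iptables interface-wildcard syntax, as the comment "matches anything starting with `zt`" assumes; if this host has `networking.nftables.enable` set, check the generated ruleset uses a `zt*` glob rather than a literal interface named `zt+`, since in the latter case 8080 would be closed on every interface after this change.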