From d86187e2eeb915988e45bbc5b9cefae480a3774f Mon Sep 17 00:00:00 2001
From: Daniel Kempkens
Date: Sun, 5 Mar 2023 23:28:42 +0100
Subject: [PATCH] sail: make firewall rules more specific

---
 system/nixos/acme-sail.nix | 2 +-
 system/nixos/atuin-sync.nix | 2 +-
 system/nixos/libreddit.nix | 5 -----
 system/nixos/synapse.nix | 2 +-
 4 files changed, 3 insertions(+), 8 deletions(-)

diff --git a/system/nixos/acme-sail.nix b/system/nixos/acme-sail.nix
index c677c20..9e6bf69 100644
--- a/system/nixos/acme-sail.nix
+++ b/system/nixos/acme-sail.nix
@@ -3,9 +3,9 @@
 {
 security.acme = {
 acceptTerms = true;
- email = "acme@kempkens.io";
 defaults = {
+ email = "acme@kempkens.io";
 dnsProvider = "cloudflare";
 credentialsFile = config.age.secrets.acme-credentials.path;
 dnsResolver = "1.1.1.1:53";
diff --git a/system/nixos/atuin-sync.nix b/system/nixos/atuin-sync.nix
index 8554c41..595f630 100644
--- a/system/nixos/atuin-sync.nix
+++ b/system/nixos/atuin-sync.nix
@@ -26,5 +26,5 @@
 };
 };
 
- networking.firewall.allowedTCPPorts = [ 8015 ];
+ networking.firewall.interfaces."tailscale0".allowedTCPPorts = [ 8015 ];
 }
diff --git a/system/nixos/libreddit.nix b/system/nixos/libreddit.nix
index b610743..ef511a5 100644
--- a/system/nixos/libreddit.nix
+++ b/system/nixos/libreddit.nix
@@ -9,11 +9,6 @@
 };
 
 services.nginx = {
- enable = true;
- recommendedOptimisation = true;
- recommendedGzipSettings = true;
- recommendedBrotliSettings = true;
-
 virtualHosts."libreddit.only.internal" = {
 listen = [
 {
diff --git a/system/nixos/synapse.nix b/system/nixos/synapse.nix
index ad8414a..0342280 100644
--- a/system/nixos/synapse.nix
+++ b/system/nixos/synapse.nix
@@ -87,5 +87,5 @@
 extraConfigFiles = [ config.age.secrets.synapse-extra-config.path ];
 };
 
- networking.firewall.allowedTCPPorts = [ 8008 ];
+ networking.firewall.interfaces."enp7s0".allowedTCPPorts = [ 8008 ];
 }
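Review bot: The new atuin-sync rule hard-codes the interface name `tailscale0`; if the tailnet interface is ever renamed (the NixOS tailscale module exposes this as `services.tailscale.interfaceName`, default `tailscale0`), the exception silently stops matching with no evaluation-time error and sync just stops working. If this host uses that module, referencing the option keeps the two in step: `networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = [ 8015 ];`. The atuin listener settings are above the hunk and not visible here; if the service still binds to all addresses, this per-interface rule is the only thing keeping 8015 off the public interfaces, which deserves a comment such as `# 8015 is reachable only via the tailnet; this firewall rule, not the bind address, is the access control — confirm the listener`.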
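Review bot: The synapse rule opens port 8008 on an interface named `enp7s0` without anything in the file saying which network that NIC is on, and predictable interface names follow PCI slot layout, so a hardware or VM change can either drop the rule (interface gone) or, if `enp7s0` turns out to be the public-facing NIC, expose Synapse's plain-HTTP client/federation listener directly. Please document the intent on the line, e.g. `# 8008 is Synapse's unencrypted HTTP listener; enp7s0 is the private-network NIC (TODO confirm) and TLS is terminated upstream`. The listener configuration lives in `settings`/`extraConfigFiles` outside this hunk, so I cannot tell how it binds; consider pinning the listener's `bind_addresses` to that interface's address rather than relying on the firewall alone. The enclosing attribute set begins above the hunk.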