network: use internal domains

hosts/fujitsu/modules/jellyfin/default.nix

@@ -1,6 +1,12 @@
+{ config, ... }:
+let
+  domain = "media.vpn.rfive.de";
+in
 {
   services.jellyfin = {
     enable = true;
-    openFirewall = true;
   };
+  services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+    reverse_proxy 127.0.0.1:8096
+  '';
 }

hosts/nuc/modules/adguard/default.nix

@@ -1,13 +1,19 @@
 { ... }:
+let
+  domain = "adguard.vpn.rfive.de";
+  port = 3000;
+in
 {
   networking.firewall.allowedTCPPorts = [ 53 ];
   networking.firewall.allowedUDPPorts = [ 53 ];
   services.adguardhome = {
     enable = true;
-    openFirewall = true;
     settings = {
       dns.bind_hosts = [ "192.168.42.2" ];
-      http.address = "0.0.0.0:3000";
+      http.address = "127.0.0.1:${toString port}";
     };
   };
+  services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+    reverse_proxy 127.0.0.1:${toString port}
+  '';
 }

hosts/nuc/modules/caddy/default.nix

@@ -1,24 +0,0 @@
-{ config, ... }:
-{
-  services.caddy = {
-    enable = true;
-    email = "ca@${config.networking.domain}";
-    logFormat = "format console";
-    globalConfig = ''
-      servers {
-        metrics
-      }
-    '';
-    virtualHosts.":2018" = {
-      extraConfig = ''
-        metrics
-      '';
-      logFormat = ''
-        output discard
-      '';
-    };
-  };
-  systemd.services.caddy.environment.XDG_DATA_HOME = "/var/lib";
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-  networking.firewall.allowedUDPPorts = [ 443 ];
-}

hosts/nuc/modules/indexing/prowlarr.nix

@@ -1,7 +1,12 @@
-{ ... }:
+{ config, ... }:
+let
+  domain = "index.vpn.rfive.de";
+in
 {
   services.prowlarr = {
     enable = true;
-    openFirewall = true;
   };
+  services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+    reverse_proxy 127.0.0.1:${toString config.services.prowlarr.settings.server.port}
+  '';
 }

hosts/nuc/modules/indexing/radarr.nix

@@ -1,7 +1,12 @@
-{ ... }:
+{ config, ... }:
+let
+  domain = "movies.vpn.rfive.de";
+in
 {
   services.radarr = {
     enable = true;
-    openFirewall = true;
   };
+  services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+    reverse_proxy 127.0.0.1:${toString config.services.radarr.settings.server.port}
+  '';
 }

hosts/nuc/modules/indexing/sonarr.nix

@@ -1,7 +1,12 @@
-{ ... }:
+{ config, ... }:
+let
+  domain = "shows.vpn.rfive.de";
+in
 {
   services.sonarr = {
     enable = true;
-    openFirewall = true;
   };
+  services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+    reverse_proxy 127.0.0.1:${toString config.services.sonarr.settings.server.port}
+  '';
 }

hosts/nuc/modules/torrent/default.nix

@@ -1,5 +1,6 @@
 { config, pkgs, ... }:
 let
+  domain = "torrents.vpn.rfive.de";
   cfg = {
     stateDir = "/var/lib/qbittorrent";
     downloadDir = "/var/videos/"; # TODO support other Media Types
@@ -124,7 +125,9 @@ in
       SystemCallFilter = "@system-service";
     };
   };
-  networking.firewall.allowedTCPPorts = [ cfg.port ];
+  services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+    reverse_proxy 127.0.0.1:${toString cfg.port}
+  '';
   systemd.tmpfiles.rules = [
     # ensure downloads directory is created, set permissions
     "d ${cfg.stateDir} - ${cfg.user} ${cfg.user} - -"