restrict rtmp to campus nets and clean up nft rules

2025-04-24 17:05:24 +02:00 · 2025-04-24 17:05:24 +02:00 · 8eab2484b2
commit 8eab2484b2
parent 23af7fd7cd
3 changed files with 8 additions and 9 deletions
--- a/modules/ldap/default.nix
+++ b/modules/ldap/default.nix
@ -82,9 +82,4 @@ in
      };
    };
  };
-  networking.firewall = {
-    extraInputRules = ''
-      ip saddr { 141.30.86.192/26, 141.76.100.128/25, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
-    '';
-  };
 }
--- a/modules/stream.nix
+++ b/modules/stream.nix
@ -1,13 +1,12 @@
 { config, ... }:
+let cfg = config.services.owncast;
+in
 {
  services = {
    nginx = {
      virtualHosts = {
        "stream.${config.networking.domain}" = {
          locations."/" =
-            let
-              cfg = config.services.owncast;
-            in
            {
              proxyPass = "http://${toString cfg.listen}:${toString cfg.port}";
              proxyWebsockets = true;
@ -19,8 +18,12 @@
      enable = true;
      port = 13142;
      listen = "[::ffff:127.0.0.1]";
-      openFirewall = true;
      rtmp-port = 1935;
    };
  };
+  networking.firewall = {
+    extraInputRules = ''
+      ip saddr {141.30.0.0/16, 141.76.0.0/16} tcp dport ${toString cfg.rtmp-port} accept comment "Allow rtmp access from campus nets"
+    '';
+  };
 }