restrict rtmp to campus nets and clean up nft rules

This commit is contained in:
Rouven Seifert 2025-04-24 17:05:24 +02:00
parent 23af7fd7cd
commit 8eab2484b2
Signed by: rouven.seifert
SSH key fingerprint: SHA256:WedRxwyCvqwDG6cd16qf/fizYDK1pvN4p5bawXlnKk0
3 changed files with 8 additions and 9 deletions


@ -15,6 +15,7 @@
firewall = { firewall = {
logRefusedConnections = false; logRefusedConnections = false;
trustedInterfaces = [ "podman0"];
}; };
}; };
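Review bot: The added `trustedInterfaces = [ "podman0"];` exempts all traffic arriving on the podman bridge from input filtering, which is far wider than the per-port allow for 10.88.0.1/16 on tcp/636 that the second file deletes: any container on that bridge can now reach every port the host listens on, not only LDAPS. If the intent was just to keep LDAPS reachable from containers, a scoped rule such as `iifname "podman0" tcp dport 636 accept comment "Allow ldaps access from podman"` in `extraInputRules` keeps the exposure where it was. The same deletion also drops the office-net allow (141.30.86.192/26 and 141.76.100.128/25) for port 636, so unless that port is opened elsewhere LDAPS from those nets is refused after this commit, and silently so given `logRefusedConnections = false`. The file path for this section is not shown on the page, so whether other rules already depend on the trusted interface cannot be checked here.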


@ -82,9 +82,4 @@ in
}; };
}; };
}; };
networking.firewall = {
extraInputRules = ''
ip saddr { 141.30.86.192/26, 141.76.100.128/25, 10.88.0.1/16 } tcp dport 636 accept comment "Allow ldaps access from office nets and podman"
'';
};
} }


@ -1,13 +1,12 @@
{ config, ... }: { config, ... }:
let cfg = config.services.owncast;
in
{ {
services = { services = {
nginx = { nginx = {
virtualHosts = { virtualHosts = {
"stream.${config.networking.domain}" = { "stream.${config.networking.domain}" = {
locations."/" = locations."/" =
let
cfg = config.services.owncast;
in
{ {
proxyPass = "http://${toString cfg.listen}:${toString cfg.port}"; proxyPass = "http://${toString cfg.listen}:${toString cfg.port}";
proxyWebsockets = true; proxyWebsockets = true;
@ -19,8 +18,12 @@
enable = true; enable = true;
port = 13142; port = 13142;
listen = "[::ffff:127.0.0.1]"; listen = "[::ffff:127.0.0.1]";
openFirewall = true;
rtmp-port = 1935; rtmp-port = 1935;
}; };
}; };
networking.firewall = {
extraInputRules = ''
ip saddr {141.30.0.0/16, 141.76.0.0/16} tcp dport ${toString cfg.rtmp-port} accept comment "Allow rtmp access from campus nets"
'';
};
} }
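Review bot: The new `ip saddr {141.30.0.0/16, 141.76.0.0/16} tcp dport ... accept` rule matches IPv4 only, whereas the removed `openFirewall = true;` presumably opened the port for both address families via the module's `allowedTCPPorts`, so IPv6 RTMP publishers are now refused; with both campus prefixes being IPv4 that is probably intended, but it is worth stating in the rule comment, e.g. `comment "Allow rtmp access from campus nets (IPv4 only)"`. Hoisting `cfg` to a file-level `let` so the rule reads `cfg.rtmp-port` is a good move, since the allowed port can no longer drift from the service definition. One style nit: the set literal is written without the inner spaces the other rule in this commit uses (`{ a, b }`), so `{ 141.30.0.0/16, 141.76.0.0/16 }` would be consistent.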