From 0b2fbc2c6d2a294946ebd4d7a369466d34d237f4 Mon Sep 17 00:00:00 2001
From: SebastianStork <sebastian.stork@pm.me>
Date: Thu, 28 Aug 2025 17:55:47 +0200
Subject: [PATCH] Replace `127.0.0.1` with `localhost`

---
 modules/system/services/alloy.nix                     | 2 +-
 modules/system/services/crowdsec/default.nix          | 4 ++--
 modules/system/services/crowdsec/firewall-bouncer.nix | 2 +-
 modules/system/services/gatus.nix                     | 5 ++++-
 modules/system/services/nextcloud/default.nix         | 2 +-
 modules/system/services/ntfy.nix                      | 2 +-
 modules/system/services/syncthing.nix                 | 2 +-
 modules/system/services/victorialogs.nix              | 2 +-
 8 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/modules/system/services/alloy.nix b/modules/system/services/alloy.nix
index 696c437..c7330e5 100644
--- a/modules/system/services/alloy.nix
+++ b/modules/system/services/alloy.nix
@@ -24,7 +24,7 @@ in
     services.alloy = {
       enable = true;
       extraFlags = [
-        "--server.http.listen-addr=127.0.0.1:${builtins.toString cfg.port}"
+        "--server.http.listen-addr=localhost:${builtins.toString cfg.port}"
         "--disable-reporting"
       ];
     };
diff --git a/modules/system/services/crowdsec/default.nix b/modules/system/services/crowdsec/default.nix
index 607edae..6c72c55 100644
--- a/modules/system/services/crowdsec/default.nix
+++ b/modules/system/services/crowdsec/default.nix
@@ -52,8 +52,8 @@ in
       package = inputs.crowdsec.packages.${pkgs.system}.crowdsec;
       enrollKeyFile = config.sops.secrets."crowdsec/enrollment-key".path;
       settings = {
-        api.server.listen_uri = "127.0.0.1:${builtins.toString cfg.apiPort}";
-        cscli.prometheus_uri = "http://127.0.0.1:${builtins.toString cfg.prometheusPort}";
+        api.server.listen_uri = "localhost:${builtins.toString cfg.apiPort}";
+        cscli.prometheus_uri = "http://localhost:${builtins.toString cfg.prometheusPort}";
       };
 
       allowLocalJournalAccess = true;
diff --git a/modules/system/services/crowdsec/firewall-bouncer.nix b/modules/system/services/crowdsec/firewall-bouncer.nix
index 0656d38..42e6c3d 100644
--- a/modules/system/services/crowdsec/firewall-bouncer.nix
+++ b/modules/system/services/crowdsec/firewall-bouncer.nix
@@ -19,7 +19,7 @@ in
       package = inputs.crowdsec.packages.${pkgs.system}.crowdsec-firewall-bouncer;
       settings = {
         api_key = "cs-firewall-bouncer";
-        api_url = "http://127.0.0.1:${builtins.toString cfg.apiPort}";
+        api_url = "http://localhost:${builtins.toString cfg.apiPort}";
       };
     };
 
diff --git a/modules/system/services/gatus.nix b/modules/system/services/gatus.nix
index d843927..866fb11 100644
--- a/modules/system/services/gatus.nix
+++ b/modules/system/services/gatus.nix
@@ -96,7 +96,10 @@ in
 
       environmentFile = config.sops.templates."gatus.env".path;
       settings = {
-        web.port = cfg.port;
+        web = {
+          address = "localhost";
+          port = cfg.port;
+        };
 
         storage = {
           type = "sqlite";
diff --git a/modules/system/services/nextcloud/default.nix b/modules/system/services/nextcloud/default.nix
index 15c78e1..76b97b1 100644
--- a/modules/system/services/nextcloud/default.nix
+++ b/modules/system/services/nextcloud/default.nix
@@ -50,7 +50,7 @@ in
       https = true;
       settings = {
         overwriteProtocol = "https";
-        trusted_proxies = [ "127.0.0.1" ];
+        trusted_proxies = [ "localhost" ];
         log_type = "file";
         default_phone_region = "DE";
         maintenance_window_start = "2"; # UTC
diff --git a/modules/system/services/ntfy.nix b/modules/system/services/ntfy.nix
index 832d693..abdf7c8 100644
--- a/modules/system/services/ntfy.nix
+++ b/modules/system/services/ntfy.nix
@@ -25,7 +25,7 @@ in
       enable = true;
       settings = {
         base-url = "https://${cfg.domain}";
-        listen-http = ":${builtins.toString cfg.port}";
+        listen-http = "localhost:${builtins.toString cfg.port}";
         behind-proxy = true;
         web-root = "disable";
       };
diff --git a/modules/system/services/syncthing.nix b/modules/system/services/syncthing.nix
index 7778f15..3bc8557 100644
--- a/modules/system/services/syncthing.nix
+++ b/modules/system/services/syncthing.nix
@@ -70,7 +70,7 @@ in
       group = lib.mkIf (!cfg.isServer) "users";
       dataDir = lib.mkIf (!cfg.isServer) "/home/seb";
 
-      guiAddress = lib.mkIf cfg.isServer "127.0.0.1:${builtins.toString cfg.gui.port}";
+      guiAddress = lib.mkIf cfg.isServer "localhost:${builtins.toString cfg.gui.port}";
 
       cert = lib.mkIf useStaticTls config.sops.secrets."syncthing/cert".path;
       key = lib.mkIf useStaticTls config.sops.secrets."syncthing/key".path;
diff --git a/modules/system/services/victorialogs.nix b/modules/system/services/victorialogs.nix
index 39bd587..890559c 100644
--- a/modules/system/services/victorialogs.nix
+++ b/modules/system/services/victorialogs.nix
@@ -34,7 +34,7 @@ in
       enable = true;
       package = pkgs-unstable.victorialogs;
 
-      listenAddress = ":${builtins.toString cfg.port}";
+      listenAddress = "localhost:${builtins.toString cfg.port}";
       extraOptions = [ "-retention.maxDiskSpaceUsageBytes=${cfg.maxDiskSpaceUsage}" ];
     };
   };