diff --git a/modules/system/meta/ports.nix b/modules/system/meta/ports.nix
index bf24d39..c511389 100644
--- a/modules/system/meta/ports.nix
+++ b/modules/system/meta/ports.nix
@@ -10,7 +10,11 @@ let
 in
 {
 options.meta.ports = {
- list = lib.mkOption {
+ tcp.list = lib.mkOption {
+ type = lib.types.listOf lib.types.port;
+ default = [ ];
+ };
+ udp.list = lib.mkOption {
 type = lib.types.listOf lib.types.port;
 default = [ ];
 };
@@ -20,8 +24,9 @@ in
 config = lib.mkIf cfg.assertUnique {
 assertions =
 let
- duplicatePorts =
- options.meta.ports.list.definitionsWithLocations
+ findDuplicatePorts =
+ protocol:
+ options.meta.ports.${protocol}.list.definitionsWithLocations
 |> lib.concatMap (
 entry:
 entry.value
@@ -33,7 +38,8 @@ in
 |> lib.groupBy (entry: builtins.toString entry.port)
 |> lib.filterAttrs (_: entries: lib.length entries > 1);
- errorMessage =
+ mkErrorMessage =
+ duplicatePorts:
 duplicatePorts
 |> lib.mapAttrsToList (
 port: entries:
@@ -41,11 +47,19 @@ in + (entries |> lib.map (entry: " - ${entry.file}") |> lib.concatLines)
 )
 |> lib.concatStrings;
+
+ duplicateTcpPorts = findDuplicatePorts "tcp";
+
+ duplicateUdpPorts = findDuplicatePorts "udp";
 in
 [
 {
- assertion = duplicatePorts == { };
- message = errorMessage;
+ assertion = duplicateTcpPorts == { };
+ message = mkErrorMessage duplicateTcpPorts;
+ }
+ {
+ assertion = duplicateUdpPorts == { };
+ message = mkErrorMessage duplicateUdpPorts;
 }
 ];
 };
diff --git a/modules/system/services/actualbudget.nix b/modules/system/services/actualbudget.nix
index c5ab07b..53909e9 100644
--- a/modules/system/services/actualbudget.nix
+++ b/modules/system/services/actualbudget.nix
@@ -12,14 +12,14 @@ in
 };
 port = lib.mkOption {
 type = lib.types.port;
- default = 8888;
+ default = 5006;
 };
 };
 config = lib.mkIf cfg.enable {
 meta = {
 domains.list = [ cfg.domain ];
- ports.list = [ cfg.port ];
+ ports.tcp.list = [ cfg.port ];
 };
 services.actual = {
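Review bot: The new `tcp.list` and `udp.list` options in the first ports.nix hunk carry no `description`, and nothing tells a module author that uniqueness is checked per protocol, so the same port may legitimately appear in both lists (as resolved.nix does for 53 in this commit). A one-line description on each, e.g. `description = "TCP ports this host binds; the same port registered by two modules fails evaluation when meta.ports.assertUnique is set.";`, would make that contract visible in the generated option docs. The `cfg` the assertion reads and the `let` binding it comes from are outside the hunk, so I am inferring that `cfg.assertUnique` is `config.meta.ports.assertUnique`.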
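Review bot: The actualbudget default port moves from 8888 to 5006, but the line where `services.actual` takes its listening port from `cfg.port` is outside the hunk (the `services.actual = {` block is cut off), so I cannot confirm that the listener follows the option. If the service does not bind `cfg.port`, the `meta.ports.tcp.list` entry and anything derived from it would describe a port nothing listens on while the real one stays unregistered. A short comment on the option, `# must match the port services.actual is configured to listen on`, or a pointer to where it is wired, would keep the two from drifting apart on the next change.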
diff --git a/modules/system/services/alloy.nix b/modules/system/services/alloy.nix
index 784a605..696c437 100644
--- a/modules/system/services/alloy.nix
+++ b/modules/system/services/alloy.nix
@@ -18,7 +18,7 @@ in
 config = lib.mkIf cfg.enable {
 meta = {
 domains.list = [ cfg.domain ];
- ports.list = [ cfg.port ];
+ ports.tcp.list = [ cfg.port ];
 };
 services.alloy = {
diff --git a/modules/system/services/caddy.nix b/modules/system/services/caddy.nix
index ee87d4d..4ac48c1 100644
--- a/modules/system/services/caddy.nix
+++ b/modules/system/services/caddy.nix
@@ -81,7 +81,7 @@ in
 config = lib.mkIf (virtualHosts != { }) (
 lib.mkMerge [
 {
- meta.ports.list = lib.mkIf nonTailscaleHostsExist ports;
+ meta.ports.tcp.list = lib.mkIf nonTailscaleHostsExist ports;
 networking.firewall.allowedTCPPorts = lib.mkIf nonTailscaleHostsExist ports;
diff --git a/modules/system/services/crowdsec/default.nix b/modules/system/services/crowdsec/default.nix
index 7a90f90..607edae 100644
--- a/modules/system/services/crowdsec/default.nix
+++ b/modules/system/services/crowdsec/default.nix
@@ -36,7 +36,7 @@ in
 };
 config = lib.mkIf cfg.enable {
- meta.ports.list = [
+ meta.ports.tcp.list = [
 cfg.apiPort
 cfg.prometheusPort
 ];
diff --git a/modules/system/services/forgejo/default.nix b/modules/system/services/forgejo/default.nix
index 46a8918..bbe0ace 100644
--- a/modules/system/services/forgejo/default.nix
+++ b/modules/system/services/forgejo/default.nix
@@ -24,7 +24,7 @@ in
 config = lib.mkIf cfg.enable {
 meta = {
 domains.list = [ cfg.domain ];
- ports.list = [ cfg.port ];
+ ports.tcp.list = [ cfg.port ];
 };
 sops.secrets."forgejo/admin-password".owner = config.users.users.forgejo.name;
diff --git a/modules/system/services/forgejo/ssh.nix b/modules/system/services/forgejo/ssh.nix
index d6b0590..59b139e 100644
--- a/modules/system/services/forgejo/ssh.nix
+++ b/modules/system/services/forgejo/ssh.nix
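Review bot: In caddy.nix, registering the ports under `meta.ports.tcp.list` only when `nonTailscaleHostsExist` ties the bind registry to firewall exposure; judging from the uniqueness assertion in ports.nix, `meta.ports` exists to catch two modules binding the same port, and Caddy presumably still binds these ports for Tailscale-only virtual hosts. A collision between a Tailscale-only vhost port and another service would then go undetected until runtime. tailscale.nix in this commit has the same shape (`meta.ports.udp.list` gated on `services.tailscale.openFirewall`, although tailscaled listens on its port whether or not the firewall is opened). I would register unconditionally, `meta.ports.tcp.list = ports;`, and keep the `lib.mkIf nonTailscaleHostsExist` only on `networking.firewall.allowedTCPPorts`; `virtualHosts`, `ports` and `nonTailscaleHostsExist` are defined outside the hunk, so this is inferred from their names.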
@@ -12,7 +12,7 @@ in
 };
 config = lib.mkIf cfg.enable {
- meta.ports.list = [ cfg.port ];
+ meta.ports.tcp.list = [ cfg.port ];
 services.forgejo.settings.server.SSH_PORT = cfg.port;
diff --git a/modules/system/services/gatus.nix b/modules/system/services/gatus.nix
index 080c31c..d843927 100644
--- a/modules/system/services/gatus.nix
+++ b/modules/system/services/gatus.nix
@@ -75,7 +75,7 @@ in
 config = lib.mkIf cfg.enable {
 meta = {
 domains.list = [ cfg.domain ];
- ports.list = [ cfg.port ];
+ ports.tcp.list = [ cfg.port ];
 };
 sops = {
diff --git a/modules/system/services/grafana.nix b/modules/system/services/grafana.nix
index aa0358f..d2b3737 100644
--- a/modules/system/services/grafana.nix
+++ b/modules/system/services/grafana.nix
@@ -18,7 +18,7 @@ in
 config = lib.mkIf cfg.enable {
 meta = {
 domains.list = [ cfg.domain ];
- ports.list = [ cfg.port ];
+ ports.tcp.list = [ cfg.port ];
 };
 sops.secrets."grafana/admin-password".owner = config.users.users.grafana.name;
diff --git a/modules/system/services/hedgedoc.nix b/modules/system/services/hedgedoc.nix
index 2ff2ea9..d40efb8 100644
--- a/modules/system/services/hedgedoc.nix
+++ b/modules/system/services/hedgedoc.nix
@@ -24,7 +24,7 @@ in
 config = lib.mkIf cfg.enable {
 meta = {
 domains.list = [ cfg.domain ];
- ports.list = [ cfg.port ];
+ ports.tcp.list = [ cfg.port ];
 };
 sops = {
diff --git a/modules/system/services/it-tools.nix b/modules/system/services/it-tools.nix
index 41f2e66..1f27a9f 100644
--- a/modules/system/services/it-tools.nix
+++ b/modules/system/services/it-tools.nix
@@ -23,7 +23,7 @@ in
 config = lib.mkIf cfg.enable {
 meta = {
 domains.list = [ cfg.domain ];
- ports.list = [ cfg.port ];
+ ports.tcp.list = [ cfg.port ];
 };
 services.static-web-server = {
diff --git a/modules/system/services/nextcloud/default.nix b/modules/system/services/nextcloud/default.nix
index 26b7cd1..15c78e1 100644
--- a/modules/system/services/nextcloud/default.nix
+++ b/modules/system/services/nextcloud/default.nix
@@ -27,7 +27,10 @@ in
 config = lib.mkIf cfg.enable {
 meta = {
 domains.list = [ cfg.domain ];
- ports.list = [ cfg.port ];
+ ports = {
+ tcp.list = [ cfg.port ];
+ udp.list = [ config.services.postgresql.settings.port ];
+ };
 };
 sops.secrets."nextcloud/admin-password".owner = user;
diff --git a/modules/system/services/ntfy.nix b/modules/system/services/ntfy.nix
index 1d97e7c..832d693 100644
--- a/modules/system/services/ntfy.nix
+++ b/modules/system/services/ntfy.nix
@@ -18,7 +18,7 @@ in
 config = lib.mkIf cfg.enable {
 meta = {
 domains.list = [ cfg.domain ];
- ports.list = [ cfg.port ];
+ ports.tcp.list = [ cfg.port ];
 };
 services.ntfy-sh = {
diff --git a/modules/system/services/openspeedtest.nix b/modules/system/services/openspeedtest.nix
index 26caee6..ebcc0fc 100644
--- a/modules/system/services/openspeedtest.nix
+++ b/modules/system/services/openspeedtest.nix
@@ -18,7 +18,7 @@ in
 config = lib.mkIf cfg.enable {
 meta = {
 domains.list = [ cfg.domain ];
- ports.list = [ cfg.port ];
+ ports.tcp.list = [ cfg.port ];
 };
 virtualisation.oci-containers.containers.openspeedtest = {
diff --git a/modules/system/services/radicale.nix b/modules/system/services/radicale.nix
index d4e57d0..33dafff 100644
--- a/modules/system/services/radicale.nix
+++ b/modules/system/services/radicale.nix
@@ -18,7 +18,7 @@ in
 config = lib.mkIf cfg.enable {
 meta = {
 domains.list = [ cfg.domain ];
- ports.list = [ cfg.port ];
+ ports.tcp.list = [ cfg.port ];
 };
 sops = {
diff --git a/modules/system/services/resolved.nix b/modules/system/services/resolved.nix
index 0aa0a17..a5624ce 100644
--- a/modules/system/services/resolved.nix
+++ b/modules/system/services/resolved.nix
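Review bot: `udp.list = [ config.services.postgresql.settings.port ];` in the nextcloud hunk files the PostgreSQL port under UDP, but PostgreSQL accepts only TCP and Unix-socket connections, so this entry reserves a UDP port nothing uses while the TCP uniqueness check in ports.nix never sees the real listener. If the database port is to be registered here at all, it belongs on the TCP side: `tcp.list = [ cfg.port config.services.postgresql.settings.port ];` with the `udp.list` line dropped. Registering a shared database port from a per-service module will also trip the uniqueness assertion as soon as a second service module does the same; I cannot see the other modules, but registering it once wherever `services.postgresql` is enabled would be more robust.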
@@ -3,11 +3,18 @@
 options.custom.services.resolved.enable = lib.mkEnableOption "";
 config = lib.mkIf config.custom.services.resolved.enable {
- meta.ports.list = [
- 53
- 5353
- 5355
- ];
+ meta.ports =
+ let
+ ports = [
+ 53
+ 5353
+ 5355
+ ];
+ in
+ {
+ tcp.list = ports;
+ udp.list = ports;
+ };
 services.resolved.enable = true;
 };
diff --git a/modules/system/services/syncthing.nix b/modules/system/services/syncthing.nix
index cd5e98f..7778f15 100644
--- a/modules/system/services/syncthing.nix
+++ b/modules/system/services/syncthing.nix
@@ -49,10 +49,13 @@ in
 meta = {
 domains.list = lib.mkIf cfg.isServer [ cfg.gui.domain ];
- ports.list = [
- cfg.syncPort
- cfg.gui.port
- ];
+ ports = {
+ tcp.list = [
+ cfg.syncPort
+ cfg.gui.port
+ ];
+ udp.list = [ cfg.syncPort ];
+ };
 };
 sops.secrets = lib.mkIf useStaticTls {
diff --git a/modules/system/services/tailscale.nix b/modules/system/services/tailscale.nix
index c21c1ed..9d726af 100644
--- a/modules/system/services/tailscale.nix
+++ b/modules/system/services/tailscale.nix
@@ -14,7 +14,9 @@ in
 };
 config = lib.mkIf cfg.enable {
- meta.ports.list = [ config.services.tailscale.port ];
+ meta.ports.udp.list = lib.mkIf config.services.tailscale.openFirewall [
+ config.services.tailscale.port
+ ];
 sops.secrets."tailscale/auth-key" = { };
diff --git a/modules/system/services/victorialogs.nix b/modules/system/services/victorialogs.nix
index 98812d9..39bd587 100644
--- a/modules/system/services/victorialogs.nix
+++ b/modules/system/services/victorialogs.nix
@@ -27,7 +27,7 @@ in
 config = lib.mkIf cfg.enable {
 meta = {
 domains.list = [ cfg.domain ];
- ports.list = [ cfg.port ];
+ ports.tcp.list = [ cfg.port ];
 };
 services.victorialogs = {
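Review bot: In resolved.nix the shared `ports` binding puts 5353 into `tcp.list` as well, but systemd-resolved serves mDNS (5353) over UDP only, so the TCP entry reserves a port nothing binds and could later raise a spurious duplicate against a real TCP listener on 5353. 53 (the stub listener) and 5355 (LLMNR) are served on both transports, so those entries are right, and the per-protocol assertion in ports.nix makes the overlap harmless. Splitting the lists keeps the registry accurate and removes the need for the `let`: `tcp.list = [ 53 5355 ];` and `udp.list = [ 53 5353 5355 ];`. Whether any of these ports are also opened in `networking.firewall` is not visible in the hunk.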