fixed a glaring vulnerability, thank god i caught this -e

2024-12-20 21:23:12 +02:00 · 2024-12-20 21:23:12 +02:00 · 80e93f98b3
commit 80e93f98b3
parent 806a34cf0e
2 changed files with 13 additions and 4 deletions
--- a/cluster/virtualisation.mod.nix
+++ b/cluster/virtualisation.mod.nix
@ -8,14 +8,18 @@
  ];
  sucrose.modules = [
    (
-      {pkgs, config, ...}: {
+      {
+        pkgs,
+        config,
+        ...
+      }: {
        environment.systemPackages = [pkgs.podman-compose];
        virtualisation = {
          containers.enable = true;
          podman = {
            enable = true;
            dockerCompat = false;
-            defaultNetwork.settings.dns_enabled = (config.networking.hostName == "glucose"); # TODO: fix this stupid shit ssometime -e
+            defaultNetwork.settings.dns_enabled = config.networking.hostName == "glucose"; # TODO: fix this stupid shit ssometime -e
          };
          oci-containers.backend = "podman";
        };
--- a/networking/firewall.mod.nix
+++ b/networking/firewall.mod.nix
@ -1,8 +1,13 @@
 {
  universal.modules = [
-    {
+    ({
      networking.firewall.enable = true;
      networking.nftables.enable = true;
+    })
+    ({lib, config, ...}: lib.mkIf (
+      config.networking.hostName != "aspartame" # open ports for data collection on everything EXCEPT aspartame, as that would be stupid, considering it is literally public facing. TODO: set up prometheus authentication, perhaps with a certificate. -e
+    ) 
+    {
      networking.firewall = {
        allowedTCPPorts = [
          6703
@ -11,7 +16,7 @@
          6703
        ];
      };
-    }
+    })
  ];

  fructose.modules = [