servo: only forward ports to OVPN which are actually marked for visiblity

2024-06-17 06:15:00 +00:00 · 2024-06-17 06:15:00 +00:00 · dd47a5083c
commit dd47a5083c
parent 14d5d9eb5a
1 changed files with 8 additions and 1 deletions
--- a/hosts/by-name/servo/net.nix
+++ b/hosts/by-name/servo/net.nix
@ -6,6 +6,9 @@ let
      visibleTo.ovpn = mkOption {
        type = types.bool;
        default = false;
+        description = ''
+          whether to forward inbound traffic on the OVPN vpn port to the corresponding localhost port.
+        '';
      };
    };
  };
@ -92,7 +95,11 @@ in
      bridgeStatements = lib.foldlAttrs
        (acc: port: portCfg: acc ++ (builtins.map (bridgePort port) portCfg.protocol))
        []
-        config.sane.ports.ports;
+        (lib.filterAttrs
+          (port: portCfg: portCfg.visibleTo.ovpn)
+          config.sane.ports.ports
+        )
+      ;
    in {
      privateKeyFile = config.sops.secrets.wg_ovpns_privkey.path;
      # wg is active only in this namespace.