From dd47a5083c40a73bab27f5dfbdb83f1f7b38bf67 Mon Sep 17 00:00:00 2001
From: Colin
Date: Mon, 17 Jun 2024 06:15:00 +0000
Subject: [PATCH] servo: only forward ports to OVPN which are actually marked for visiblity

---
 hosts/by-name/servo/net.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/hosts/by-name/servo/net.nix b/hosts/by-name/servo/net.nix
index f11c2703..f018b79f 100644
--- a/hosts/by-name/servo/net.nix
+++ b/hosts/by-name/servo/net.nix
@@ -6,6 +6,9 @@ let
 visibleTo.ovpn = mkOption {
 type = types.bool;
 default = false;
+ description = ''
+ whether to forward inbound traffic on the OVPN vpn port to the corresponding localhost port.
+ '';
 };
 };
 };
@@ -92,7 +95,11 @@ in
 bridgeStatements = lib.foldlAttrs
 (acc: port: portCfg: acc ++ (builtins.map (bridgePort port) portCfg.protocol))
 []
- config.sane.ports.ports;
+ (lib.filterAttrs
+ (port: portCfg: portCfg.visibleTo.ovpn)
+ config.sane.ports.ports
+ )
+ ;
 in {
 privateKeyFile = config.sops.secrets.wg_ovpns_privkey.path;
 # wg is active only in this namespace.
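Review bot: The description added to `visibleTo.ovpn` says what the flag does mechanically but not what it exposes or what the default means, which is the part a reader toggling it needs: enabling it makes the localhost service reachable from whatever can reach the OVPN endpoint, and the `default = false` right above it is what keeps a port closed. Suggest `whether to forward inbound traffic on the OVPN vpn port to the corresponding localhost port. Defaults to false: the service is reachable from the VPN side only when this is explicitly enabled.`. The option declaration this sits in begins before the hunk.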
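Review bot: The new `lib.filterAttrs` makes forwarding into the OVPN namespace opt-in, but nothing in the expression records that this is deliberate, so a later reader who finds a port unforwarded may treat it as a regression and remove the filter; a comment above `bridgeStatements` such as `# deny-by-default: only ports explicitly marked visibleTo.ovpn are bridged into the VPN namespace` would pin the intent. The predicate `portCfg.visibleTo.ovpn` also assumes every entry of `config.sane.ports.ports` carries that attribute; that holds if the entries are submodules declaring the option from the first hunk (which defaults to false), but if any entry can be a plain attrset the filter fails evaluation rather than defaulting closed, so this is worth confirming against the type of `sane.ports.ports`, which is outside this hunk. The enclosing `let` that defines `bridgePort` starts before the hunk and the consumer of `bridgeStatements` lies after it.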