servo: only forward ports to OVPN which are actually marked for visiblity
parent
14d5d9eb5a
commit
dd47a5083c
|
@ -6,6 +6,9 @@ let
|
||||||
visibleTo.ovpn = mkOption {
|
visibleTo.ovpn = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = false;
|
default = false;
|
||||||
|
description = ''
|
||||||
|
whether to forward inbound traffic on the OVPN vpn port to the corresponding localhost port.
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -92,7 +95,11 @@ in
|
||||||
bridgeStatements = lib.foldlAttrs
|
bridgeStatements = lib.foldlAttrs
|
||||||
(acc: port: portCfg: acc ++ (builtins.map (bridgePort port) portCfg.protocol))
|
(acc: port: portCfg: acc ++ (builtins.map (bridgePort port) portCfg.protocol))
|
||||||
[]
|
[]
|
||||||
config.sane.ports.ports;
|
(lib.filterAttrs
|
||||||
|
(port: portCfg: portCfg.visibleTo.ovpn)
|
||||||
|
config.sane.ports.ports
|
||||||
|
)
|
||||||
|
;
|
||||||
in {
|
in {
|
||||||
privateKeyFile = config.sops.secrets.wg_ovpns_privkey.path;
|
privateKeyFile = config.sops.secrets.wg_ovpns_privkey.path;
|
||||||
# wg is active only in this namespace.
|
# wg is active only in this namespace.
|
||||||
|
|
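Review bot: The new `visibleTo.ovpn` description in the first hunk does not say how far the exposure reaches once the flag is set. In the second hunk a selected port is still bridged once per entry of `portCfg.protocol`, so enabling the flag forwards every protocol listed for that port. With `default = false`, any port that was bridged before this change stops being forwarded until it opts in. I would spell that out in the option text, e.g. `whether to forward inbound traffic arriving on this port over the OVPN VPN to the same port on localhost, for every protocol listed for the port; off by default.` The `let` bindings around both hunks start and end outside the visible lines, so whether any existing port already sets the flag cannot be checked from here.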