stuff

modules/garage/module.nix

@@ -96,6 +96,8 @@ in
       ];
       StateDirectory = lib.mkForce "";
       LimitNOFile = 1073741824;
+      SocketBindAllow = [ "tcp:${toString cfg.rpcPort}" ];
+      SocketBindDeny = "any";
     };
     networking.firewall.allowedTCPPorts = [ cfg.rpcPort ];
     systemd.tmpfiles.settings."10-whatever" = {

prophecy/caddy.nix

@@ -12,9 +12,18 @@ in
     (caddyDir cfg.logDir)
     (caddyDir cfg.dataDir)
   ];
-  networking.firewall.allowedTCPPorts = [ 84 443 ];
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  networking.firewall.allowedUDPPorts = [ 443 ];
   services.caddy = {
     enable = true;
     email = "acme-certs@shelvacu.com";
   };
+  systemd.services.caddy.serviceConfig = {
+    SocketBindAllow = [
+      "tcp:80"
+      "tcp:443"
+      "udp:443"
+    ];
+    SocketBindDeny = "any";
+  };
 }

prophecy/dav-experiment.nix

@@ -97,9 +97,6 @@ in
       ProtectControlGroups = "strict";
 
       RestrictAddressFamilies = [ "AF_UNIX" "AF_NETLINK" ];
-      # RestrictAddressFamilies = "AF_UNIX";
-      # RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
-      # RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
 
       RestrictNamespaces = true;
       LockPersonality = true;

prophecy/hath.nix

@@ -19,6 +19,10 @@ in
       clientKeyPath = config.sops.secrets.hathClientKey.path;
     };
   };
+  systemd.services.hath.serviceConfig = {
+    SocketBindAllow = "tcp:${toString port}";
+    SocketBindDeny = "any";
+  };
   environment.persistence."/persistent".directories = [
     {
       directory = "/var/lib/hath";