sf

2026-03-16 16:41:46 -05:00
parent 742e1703d8
commit 7538f734f1
19 changed files with 259 additions and 851 deletions
--- a/systems/x86_64-linux/jallen-nas/default.nix
+++ b/systems/x86_64-linux/jallen-nas/default.nix
@@ -36,6 +36,8 @@ in
    # #                   Desktop                     # #
    # ###################################################

+    # COSMIC is enabled for occasional local display access.
+    # headless.enable only disables watchdog/emergency mode, not the display server.
    desktop.cosmic = enabled;

    # ###################################################
@@ -69,7 +71,7 @@ in
      };
    };

-    headless.enable = true;
+    headless.enable = false;

    # ###################################################
    # #                 Impermanence                  # #
@@ -96,12 +98,7 @@ in
          group = "nextcloud";
          mode = "u=rwx,g=rwx,o=rx";
        }
-        {
-          directory = "/plugins-storage";
-          user = "traefik";
-          group = "traefik";
-          mode = "u=rwx,g=rwx,o=rx";
-        }
+
      ];
    };

@@ -135,22 +132,22 @@ in
        allowPing = true;
        trustedInterfaces = [ "tailscale0" ];
        allowedTCPPorts = [
-          80
-          443
-          8080
+          80 # http
+          443 # https
+          8080 # traefik dashboard
          8008 # restic
          9000 # authentik
          2342 # grafana
          51820 # wireguard
-          1025
-          1143
-          10200
+          1025 # smtp (protonmail bridge)
+          1143 # imap (protonmail bridge)
+          10200 # nebula
          10300
-          8127
+          8127 # llama.cpp server
          8280
          9943 # onlyoffice
-          4000 # netbootxyz
-          4080 # netbootxyz
+          4000 # netbootxyz tftp/http
+          4080 # netbootxyz web
          3000 # gitea
          2222 # gitea ssh
          3300
@@ -161,27 +158,31 @@ in
          9012
          9988
          8192
-          3000
-          2222
-          8181
-          5432
+          8181 # crowdsec
          3001
          3333
          5201 # iperf
          8400
-          9200
+          9200 # elasticsearch / attic
          9233
          9980
-          47984
-          47989
-          47990
-          47998
-          47999
-          48000
-          48010
-          3493 # nut
+          47984 # sunshine (tcp: control)
+          47989 # sunshine (tcp: https)
+          47990 # sunshine (tcp: web)
+          47998 # sunshine (tcp: video)
+          47999 # sunshine (tcp: control)
+          48000 # sunshine (tcp: video)
+          48010 # sunshine (tcp: rtsp)
+          3493 # nut upsd
+          # removed: 5432 (postgres — internal only, not for external UDP/TCP)
+        ];
+        allowedUDPPorts = [
+          51820 # wireguard
+          5201 # iperf
+          47998 # sunshine (udp: video)
+          47999 # sunshine (udp: control)
+          48000 # sunshine (udp: video)
        ];
-        allowedUDPPorts = config.${namespace}.network.firewall.allowedTCPPorts;
      };
    };

@@ -264,7 +265,6 @@ in
        "nix-apps"
        "jallen-nas"
        "grafana"
-        "traefik"
        "62900"
        "1001"
      ];