♿ make photoprism available via zerotier

⬆️ update flake.lock
🔒 fix firewall configuration because of hetzner mac address problem
2025-04-03 16:51:17 +02:00 · 2025-04-03 16:50:57 +02:00 · 2025-04-03 16:50:40 +02:00
4 changed files with 16 additions and 7 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1150,11 +1150,11 @@
        "treefmt-nix": "treefmt-nix_4"
      },
      "locked": {
-        "lastModified": 1739081745,
-        "narHash": "sha256-FGaxXNmvDd6fL22fvbVS9eb+Lr+4UR+xZtkKkUoYuKI=",
+        "lastModified": 1743686840,
+        "narHash": "sha256-233lgDM2Jnmfq85LK4vwq+bVLHCvs76fHHEHD6W7/fs=",
        "ref": "main",
-        "rev": "0d764189384d5fa7d9850b4d2f35ed98a0598871",
-        "revCount": 89,
+        "rev": "b6239a1dcf31962426f28eab4b7f834a5025cea0",
+        "revCount": 90,
        "type": "git",
        "url": "ssh://forgejo@git.ingolf-wagner.de:2222/palo/nixos-private-parts.git"
      },
--- a/machines/orbi/configuration.nix
+++ b/machines/orbi/configuration.nix
@ -45,6 +45,9 @@
  ];

  networking.firewall.enable = true;
+  networking.firewall.extraCommands = ''
+    iptables -P FORWARD DROP
+  '';
  boot.kernel.sysctl."net.ipv4.ip_forwarding" = false;

  services.logrotate.checkConfig = false; # because uid 3000 does not exist in here
--- a/machines/orbi/network-wireguard.nix
+++ b/machines/orbi/network-wireguard.nix
@ -20,6 +20,11 @@ let
 in
 {
  networking.firewall.allowedUDPPorts = [ 51820 ];
+  networking.firewall.extraCommands = ''
+    iptables -A FORWARD -i wg0 -j ACCEPT
+  '';
+  boot.kernel.sysctl."net.ipv4.conf.wg0.forwarding" = true;
+
  clan.core.facts.services.wireguard = factsGenerator.wireguard { name = "wg0"; };
  clan.core.facts.services.wireguard_ip = factsGenerator.public {
    "wireguard.wg0.endpoint" = "95.216.66.212:51820";
@ -31,8 +36,6 @@ in
    ping -c 1 -W 5 ${config.clan.core.facts.services.wireguard_ip.public."wireguard.wg0.ip".value}
  '';

-  boot.kernel.sysctl."net.ipv4.conf.wg0.forwarding" = true;
-
  # Enable WireGuard
  networking.wg-quick.interfaces = {
    # Hub and Spoke Setup
--- a/machines/orbi/service-photoprism.nix
+++ b/machines/orbi/service-photoprism.nix
@ -4,6 +4,7 @@
  lib,
  components,
  inputs,
+  zerotierInterface,
  ...
 }:
 let
@ -14,17 +15,19 @@ in
 {

  networking.firewall.interfaces.wg0.allowedTCPPorts = [ photoprismPort ];
-  # networking.firewall.interfaces.wg0.allowedUDPPorts = [ photoprismPort ];

  healthchecks.closed.public.ports.photoprism = [
    photoprismPort
    mysqlPort
  ];
+
  healthchecks.http.photoprism = {
    url = "http://10.100.0.1:2342/library/login";
    expectedContent = "AI-Powered Photos App";
  };

+  networking.firewall.interfaces.${zerotierInterface}.allowedTCPPorts = [ photoprismPort ];
+
  containers.photoprism = {
    privateNetwork = false;
    autoStart = true;
Author	SHA1	Message	Date
Ingolf Wagner	bca574d19d	♿ make photoprism available via zerotier	2025-04-03 16:51:17 +02:00
Ingolf Wagner	30168d8aaa	⬆️ update flake.lock	2025-04-03 16:50:57 +02:00
Ingolf Wagner	0404bb5314	🔒 fix firewall configuration because of hetzner mac address problem	2025-04-03 16:50:40 +02:00