petersweb-infra/nixos/firewall.nix
Philip Peterson c51352e6fe fix riverside DNS, VNC stale lock, and pids limit
- firewall.nix: allow DNS (UDP/TCP 53) from all podman bridge networks
  (10.89.0.0/16); NixOS only auto-adds a rule for podman0 but docker-compose
  arion stacks land on podman1/2/3 where container DNS was silently blocked
- vnc-desktop/start.sh: rm stale /tmp/.X1-lock on container start so
  container restarts don't leave Xvnc unable to bind display :1
- linux.nix: TasksMax=infinity on arion-vnc-desktop so the systemd cgroup
  doesn't cap KDE Plasma's thread count below the container pids limit
- arion-riverside/arion-compose.nix: add ADMIN_PASS env var required by
  the riverside entrypoint

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-25 19:36:36 -08:00

24 lines
628 B
Nix

{pkgs, ...}: {
networking.firewall.allowedTCPPorts = [
80 #nginx/http
22 #ssh
222 #ubuntu vm ssh
443 #ssl
2200 #forgejo ssh
3000 #forgejo http
8082 #webdav
8087 #nextcloud
9090 #sync.io
];
# Allow DNS from all podman bridge networks (10.89.0.0/16).
# NixOS auto-adds a rule for podman0 but not for networks created by
# docker-compose/arion (podman1, podman2, podman3…).
networking.firewall.extraCommands = ''
iptables -I nixos-fw -s 10.89.0.0/16 -p udp --dport 53 -j nixos-fw-accept
iptables -I nixos-fw -s 10.89.0.0/16 -p tcp --dport 53 -j nixos-fw-accept
'';
}