Lockdown intranet services behind tailscale

common/server/dashy.nix

@@ -37,17 +37,5 @@ in
         ];
       };
     };
-
-    services.nginx.enable = true;
-    services.nginx.virtualHosts."s0.koi-bebop.ts.net" = {
-      default = true;
-      addSSL = true;
-      serverAliases = [ "s0" ];
-      sslCertificate = "/secret/ssl/s0.koi-bebop.ts.net.crt";
-      sslCertificateKey = "/secret/ssl/s0.koi-bebop.ts.net.key";
-      locations."/" = {
-        proxyPass = "http://localhost:${toString cfg.port}";
-      };
-    };
   };
 }

common/server/default.nix

@@ -22,5 +22,6 @@
     ./dashy.nix
     ./librechat.nix
     ./actualbudget.nix
+    ./unifi.nix
   ];
 }

common/server/nginx.nix

@@ -4,6 +4,10 @@ let
   cfg = config.services.nginx;
 in
 {
+  options.services.nginx = {
+    openFirewall = lib.mkEnableOption "Open firewall ports 80 and 443";
+  };
+
   config = lib.mkIf cfg.enable {
     services.nginx = {
       recommendedGzipSettings = true;
@@ -12,6 +16,8 @@ in
       recommendedTlsSettings = true;
     };
 
-    networking.firewall.allowedTCPPorts = [ 80 443 ];
+    services.nginx.openFirewall = lib.mkDefault true;
+
+    networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ 80 443 ];
   };
 }

common/server/unifi.nix

@@ -0,0 +1,25 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.unifi;
+in
+{
+  options.services.unifi = {
+    # Open select Unifi ports instead of using openFirewall to avoid opening access to unifi's control panel
+    openMinimalFirewall = lib.mkEnableOption "Open bare minimum firewall ports";
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.unifi.unifiPackage = pkgs.unifi8;
+
+    networking.firewall = lib.mkIf cfg.openMinimalFirewall {
+      allowedUDPPorts = [
+        3478 # STUN
+        10001 # used for device discovery.
+      ];
+      allowedTCPPorts = [
+        8080 # Used for device and application communication.
+      ];
+    };
+  };
+}