mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-10 23:00:39 +02:00
Code Activity

refactor: adjust wireguard accessors to use globals

Browse source
This commit is contained in:
oddlama 2025-09-13 21:14:50 +02:00
parent 157c303f38
commit b885d1062b
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
28 changed files with 169 additions and 133 deletions
Download patch file Download diff file Expand all files Collapse all files

7
flake/hosts.nix
View file

@ -84,12 +84,5 @@
nodes = config.nixosConfigurations // config.guestConfigs;
# Add a shorthand to easily target toplevel derivations
"@" = mapAttrs (_: v: v.config.system.build.toplevel) config.nodes;
# Pre-evaluate the wireguard network information to avoid recalculating it
# for every host and every location it is used.
wireguardEvalCache = config.pkgs.x86_64-linux.lib.wireguard.createEvalCache inputs [
"proxy-sentinel"
"proxy-home"
];
};
}

3
globals.nix
View file

@ -21,6 +21,9 @@ in
];
globals = {
wireguard = {
};
net = {
home-wan = {
cidrv4 = "192.168.178.0/24";

3
hosts/envoy/default.nix
View file

@ -1,6 +1,5 @@
{
globals,
nodes,
...
}:
{
@ -29,7 +28,7 @@
};
# Connect safely via wireguard to skip authentication
networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [
networking.hosts.${globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4} = [
globals.services.influxdb.domain
];
meta.telegraf = {

2
hosts/kroma/default.nix
View file

@ -76,7 +76,7 @@
#};
## Connect safely via wireguard to skip authentication
#networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [globals.services.influxdb.domain];
#networking.hosts.${globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4} = [globals.services.influxdb.domain];
#meta.telegraf = {
# enable = true;
# influxdb2 = {

3
hosts/sausebiene/default.nix
View file

@ -1,7 +1,6 @@
{
globals,
inputs,
nodes,
pkgs,
lib,
...
@ -63,7 +62,7 @@
};
# Connect safely via wireguard to skip authentication
networking.hosts.${nodes.ward-web-proxy.config.wireguard.proxy-home.ipv4} = [
networking.hosts.${globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4} = [
globals.services.influxdb.domain
];
meta.telegraf = {

5
hosts/sausebiene/esphome.nix
View file

@ -35,7 +35,10 @@ in
nodes.ward-web-proxy = {
services.nginx = {
upstreams."esphome" = {
servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.esphome.port}" = { };
servers."${
globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
}:${toString config.services.esphome.port}" =
{ };
extraConfig = ''
zone esphome 64k;
keepalive 2;

9
hosts/sausebiene/home-assistant.nix
View file

@ -2,7 +2,6 @@
config,
globals,
lib,
nodes,
pkgs,
...
}:
@ -89,7 +88,7 @@ in
server_host = [ "0.0.0.0" ];
server_port = 8123;
use_x_forwarded_for = true;
trusted_proxies = [ nodes.ward-web-proxy.config.wireguard.proxy-home.ipv4 ];
trusted_proxies = [ globals.wireguard.proxy-home.hosts.nodes.ward-web-proxy.ipv4 ];
};
zha.zigpy_config.source_routing = true;
@ -210,14 +209,16 @@ in
fritzboxDomain
];
networking.hosts.${nodes.ward-adguardhome.config.wireguard.proxy-home.ipv4} = [
networking.hosts.${globals.wireguard.proxy-home.hosts.ward-adguardhome.ipv4} = [
"adguardhome.internal"
];
nodes.ward-web-proxy = {
services.nginx = {
upstreams."home-assistant" = {
servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.home-assistant.config.http.server_port}" =
servers."${
globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
}:${toString config.services.home-assistant.config.http.server_port}" =
{ };
extraConfig = ''
zone home-assistant 64k;

4
hosts/sentinel/default.nix
View file

@ -40,7 +40,9 @@
};
# Connect safely via wireguard to skip authentication
networking.hosts.${config.wireguard.proxy-sentinel.ipv4} = [ globals.services.influxdb.domain ];
networking.hosts.${globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4} = [
globals.services.influxdb.domain
];
meta.telegraf = {
enable = true;
scrapeSensors = false;

8
hosts/sentinel/net.nix
View file

@ -53,13 +53,11 @@ in
rules = [ "ct status dnat accept" ];
};
wireguard.proxy-sentinel.server = {
globals.wireguard.proxy-sentinel = {
host = config.networking.fqdn;
port = 51443;
reservedAddresses = [
"10.43.0.0/24"
"fd00:43::/120"
];
cidrv4 = "10.43.0.0/24";
cidrv6 = "fd00:43::/120";
openFirewall = true;
};
}

2
hosts/sire/default.nix
View file

@ -42,7 +42,7 @@
};
# Connect safely via wireguard to skip authentication
networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [
networking.hosts.${globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4} = [
globals.services.influxdb.domain
];
meta.telegraf = {

5
hosts/sire/guests/ai.nix
View file

@ -66,7 +66,10 @@ in
nodes.sentinel = {
services.nginx = {
upstreams.open-webui = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.open-webui.port}" = { };
servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString config.services.open-webui.port}" =
{ };
extraConfig = ''
zone open-webui 64k;
keepalive 2;

14
hosts/sire/guests/common.nix
View file

@ -2,13 +2,8 @@
config,
globals,
lib,
nodes,
...
}:
let
sentinelCfg = nodes.sentinel.config;
wardWebProxyCfg = nodes.ward-web-proxy.config;
in
{
meta.promtail = {
enable = true;
@ -17,11 +12,12 @@ in
# Connect safely via wireguard to skip http authentication
networking.hosts.${
if config.wireguard ? proxy-home then
wardWebProxyCfg.wireguard.proxy-home.ipv4
if globals.wireguard ? proxy-home then
globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4
else
sentinelCfg.wireguard.proxy-sentinel.ipv4
} = [ globals.services.influxdb.domain ];
globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4
} =
[ globals.services.influxdb.domain ];
meta.telegraf = lib.mkIf (!config.boot.isContainer) {
enable = true;

14
hosts/sire/guests/ente.nix
View file

@ -43,8 +43,7 @@ let
};
};
virtualHosts =
{
virtualHosts = {
${enteApiDomain} = {
forceSSL = true;
useACMEWildcardHost = true;
@ -66,7 +65,8 @@ let
'';
};
}
// lib.genAttrs
//
lib.genAttrs
[
enteAccountsDomain
enteAlbumsDomain
@ -244,8 +244,12 @@ in
};
# NOTE: services.ente.web is configured separately on both proxy servers!
nodes.sentinel.services.nginx = proxyConfig config.wireguard.proxy-sentinel.ipv4 "";
nodes.ward-web-proxy.services.nginx = proxyConfig config.wireguard.proxy-home.ipv4 ''
nodes.sentinel.services.nginx =
proxyConfig globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
"";
nodes.ward-web-proxy.services.nginx =
proxyConfig globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
''
allow ${globals.net.home-lan.vlans.home.cidrv4};
allow ${globals.net.home-lan.vlans.home.cidrv6};
# Firezone traffic

11
hosts/sire/guests/grafana.nix
View file

@ -6,7 +6,6 @@
...
}:
let
wardWebProxyCfg = nodes.ward-web-proxy.config;
grafanaDomain = "grafana.${globals.domains.me}";
in
{
@ -88,7 +87,9 @@ in
services.nginx = {
upstreams.grafana = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.grafana.settings.server.http_port}" =
servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString config.services.grafana.settings.server.http_port}" =
{ };
extraConfig = ''
zone grafana 64k;
@ -113,7 +114,9 @@ in
nodes.ward-web-proxy = {
services.nginx = {
upstreams.grafana = {
servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.grafana.settings.server.http_port}" =
servers."${
globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
}:${toString config.services.grafana.settings.server.http_port}" =
{ };
extraConfig = ''
zone grafana 64k;
@ -152,7 +155,7 @@ in
}
];
networking.hosts.${wardWebProxyCfg.wireguard.proxy-home.ipv4} = [
networking.hosts.${globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4} = [
globals.services.influxdb.domain # technically a duplicate (see ./common.nix)...
globals.services.loki.domain
];

4
hosts/sire/guests/immich.nix
View file

@ -218,7 +218,7 @@ in
nodes.sentinel = {
services.nginx = {
upstreams.immich = {
servers."${config.wireguard.proxy-sentinel.ipv4}:2283" = { };
servers."${globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4}:2283" = { };
extraConfig = ''
zone immich 64k;
keepalive 2;
@ -250,7 +250,7 @@ in
nodes.ward-web-proxy = {
services.nginx = {
upstreams.immich = {
servers."${config.wireguard.proxy-home.ipv4}:2283" = { };
servers."${globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4}:2283" = { };
extraConfig = ''
zone immich 64k;
keepalive 2;

19
hosts/sire/guests/influxdb.nix
View file

@ -2,13 +2,10 @@
config,
globals,
lib,
nodes,
pkgs,
...
}:
let
sentinelCfg = nodes.sentinel.config;
wardCfg = nodes.ward.config;
influxdbDomain = "influxdb.${globals.domains.me}";
influxdbPort = 8086;
in
@ -55,7 +52,10 @@ in
nodes.sentinel = {
services.nginx = {
upstreams.influxdb = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString influxdbPort}" = { };
servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString influxdbPort}" =
{ };
extraConfig = ''
zone influxdb 64k;
keepalive 2;
@ -68,9 +68,8 @@ in
virtualHosts.${influxdbDomain} =
let
accessRules = ''
${lib.concatMapStrings (
cidr: "allow ${cidr};\n"
) sentinelCfg.wireguard.proxy-sentinel.server.reservedAddresses}
allow ${globals.wireguard.proxy-sentinel.cidrv4};
allow ${globals.wireguard.proxy-sentinel.cidrv6};
deny all;
'';
in
@ -97,7 +96,8 @@ in
nodes.ward-web-proxy = {
services.nginx = {
upstreams.influxdb = {
servers."${config.wireguard.proxy-home.ipv4}:${toString influxdbPort}" = { };
servers."${globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4}:${toString influxdbPort}" =
{ };
extraConfig = ''
zone influxdb 64k;
keepalive 2;
@ -110,7 +110,8 @@ in
virtualHosts.${influxdbDomain} =
let
accessRules = ''
${lib.concatMapStrings (ip: "allow ${ip};\n") wardCfg.wireguard.proxy-home.server.reservedAddresses}
allow ${globals.wireguard.proxy-home.cidrv4};
allow ${globals.wireguard.proxy-home.cidrv6};
deny all;
'';
in

8
hosts/sire/guests/loki.nix
View file

@ -35,7 +35,9 @@ in
services.nginx = {
upstreams.loki = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.loki.configuration.server.http_listen_port}" =
servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString config.services.loki.configuration.server.http_listen_port}" =
{ };
extraConfig = ''
zone loki 64k;
@ -83,7 +85,9 @@ in
services.nginx = {
upstreams.loki = {
servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.loki.configuration.server.http_listen_port}" =
servers."${
globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
}:${toString config.services.loki.configuration.server.http_listen_port}" =
{ };
extraConfig = ''
zone loki 64k;

34
hosts/sire/guests/minecraft.nix
View file

@ -396,26 +396,42 @@ in
postrouting.to-minecraft = {
after = [ "hook" ];
rules = [
"iifname wan ip daddr ${config.wireguard.proxy-sentinel.ipv4} tcp dport 25565 masquerade random"
"iifname wan ip6 daddr ${config.wireguard.proxy-sentinel.ipv6} tcp dport 25565 masquerade random"
"iifname wan ip daddr ${config.wireguard.proxy-sentinel.ipv4} tcp dport 25566 masquerade random"
"iifname wan ip6 daddr ${config.wireguard.proxy-sentinel.ipv6} tcp dport 25566 masquerade random"
"iifname wan ip daddr ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
} tcp dport 25565 masquerade random"
"iifname wan ip6 daddr ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6
} tcp dport 25565 masquerade random"
"iifname wan ip daddr ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
} tcp dport 25566 masquerade random"
"iifname wan ip6 daddr ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6
} tcp dport 25566 masquerade random"
];
};
prerouting.to-minecraft = {
after = [ "hook" ];
rules = [
"iifname wan tcp dport 25565 dnat ip to ${config.wireguard.proxy-sentinel.ipv4}"
"iifname wan tcp dport 25565 dnat ip6 to ${config.wireguard.proxy-sentinel.ipv6}"
"iifname wan tcp dport 25566 dnat ip to ${config.wireguard.proxy-sentinel.ipv4}"
"iifname wan tcp dport 25566 dnat ip6 to ${config.wireguard.proxy-sentinel.ipv6}"
"iifname wan tcp dport 25565 dnat ip to ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}"
"iifname wan tcp dport 25565 dnat ip6 to ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6
}"
"iifname wan tcp dport 25566 dnat ip to ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}"
"iifname wan tcp dport 25566 dnat ip6 to ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6
}"
];
};
};
services.nginx = {
upstreams.minecraft = {
servers."${config.wireguard.proxy-sentinel.ipv4}:80" = { };
servers."${globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4}:80" = { };
extraConfig = ''
zone minecraft 64k;
keepalive 2;

16
hosts/sire/guests/paperless.nix
View file

@ -7,8 +7,6 @@
...
}:
let
sentinelCfg = nodes.sentinel.config;
wardWebProxyCfg = nodes.ward-web-proxy.config;
paperlessDomain = "paperless.${globals.domains.me}";
paperlessBackupDir = "/var/cache/paperless-backup";
in
@ -37,7 +35,10 @@ in
nodes.sentinel = {
services.nginx = {
upstreams.paperless = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.paperless.port}" = { };
servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString config.services.paperless.port}" =
{ };
extraConfig = ''
zone paperless 64k;
keepalive 2;
@ -65,7 +66,10 @@ in
nodes.ward-web-proxy = {
services.nginx = {
upstreams.paperless = {
servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.paperless.port}" = { };
servers."${
globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
}:${toString config.services.paperless.port}" =
{ };
extraConfig = ''
zone paperless 64k;
keepalive 2;
@ -129,8 +133,8 @@ in
PAPERLESS_ALLOWED_HOSTS = paperlessDomain;
PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}";
PAPERLESS_TRUSTED_PROXIES = lib.concatStringsSep "," [
sentinelCfg.wireguard.proxy-sentinel.ipv4
wardWebProxyCfg.wireguard.proxy-home.ipv4
globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4
globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4
];
# Authentication via kanidm

2
hosts/ward/default.nix
View file

@ -67,7 +67,7 @@ in
};
# Connect safely via wireguard to skip authentication
networking.hosts.${nodes.ward-web-proxy.config.wireguard.proxy-home.ipv4} = [
networking.hosts.${globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4} = [
globals.services.influxdb.domain
];
meta.telegraf = {

4
hosts/ward/guests/adguardhome.nix
View file

@ -29,7 +29,9 @@ in
nodes.sentinel = {
services.nginx = {
upstreams.adguardhome = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.adguardhome.port}" =
servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString config.services.adguardhome.port}" =
{ };
extraConfig = ''
zone adguardhome 64k;

14
hosts/ward/guests/common.nix
View file

@ -2,13 +2,8 @@
config,
globals,
lib,
nodes,
...
}:
let
sentinelCfg = nodes.sentinel.config;
wardWebProxyCfg = nodes.ward-web-proxy.config;
in
{
meta.promtail = {
enable = true;
@ -17,11 +12,12 @@ in
# Connect safely via wireguard to skip http authentication
networking.hosts.${
if config.wireguard ? proxy-home then
wardWebProxyCfg.wireguard.proxy-home.ipv4
if globals.wireguard ? proxy-home then
globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4
else
sentinelCfg.wireguard.proxy-sentinel.ipv4
} = [ globals.services.influxdb.domain ];
globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4
} =
[ globals.services.influxdb.domain ];
meta.telegraf = lib.mkIf (!config.boot.isContainer) {
enable = true;

20
hosts/ward/guests/forgejo.nix
View file

@ -42,22 +42,32 @@ in
postrouting.to-forgejo = {
after = [ "hook" ];
rules = [
"iifname wan ip daddr ${config.wireguard.proxy-sentinel.ipv4} tcp dport 22 masquerade random"
"iifname wan ip6 daddr ${config.wireguard.proxy-sentinel.ipv6} tcp dport 22 masquerade random"
"iifname wan ip daddr ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
} tcp dport 22 masquerade random"
"iifname wan ip6 daddr ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6
} tcp dport 22 masquerade random"
];
};
prerouting.to-forgejo = {
after = [ "hook" ];
rules = [
"iifname wan tcp dport 9922 dnat ip to ${config.wireguard.proxy-sentinel.ipv4}:22"
"iifname wan tcp dport 9922 dnat ip6 to ${config.wireguard.proxy-sentinel.ipv6}:22"
"iifname wan tcp dport 9922 dnat ip to ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:22"
"iifname wan tcp dport 9922 dnat ip6 to ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6
}:22"
];
};
};
services.nginx = {
upstreams.forgejo = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.forgejo.settings.server.HTTP_PORT}" =
servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString config.services.forgejo.settings.server.HTTP_PORT}" =
{ };
extraConfig = ''
zone forgejo 64k;

5
hosts/ward/guests/kanidm.nix
View file

@ -54,7 +54,10 @@ in
nodes.sentinel = {
services.nginx = {
upstreams.kanidm = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString kanidmPort}" = { };
servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString kanidmPort}" =
{ };
extraConfig = ''
zone kanidm 64k;
keepalive 2;

7
hosts/ward/guests/mealie.nix
View file

@ -69,14 +69,17 @@ in
OIDC_USER_GROUP = "mealie.access@${globals.services.kanidm.domain}";
OIDC_ADMIN_GROUP = "mealie.admins@${globals.services.kanidm.domain}";
};
trustedProxies = [ nodes.ward-web-proxy.config.wireguard.proxy-home.ipv4 ];
trustedProxies = [ globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4 ];
credentialsFile = config.age.secrets.oauth2-client-secret.path;
};
nodes.ward-web-proxy = {
services.nginx = {
upstreams.mealie = {
servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.mealie.port}" = { };
servers."${
globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
}:${toString config.services.mealie.port}" =
{ };
extraConfig = ''
zone mealie 64k;
keepalive 2;

2
hosts/ward/guests/radicale.nix
View file

@ -22,7 +22,7 @@ in
nodes.sentinel = {
services.nginx = {
upstreams.radicale = {
servers."${config.wireguard.proxy-sentinel.ipv4}:8000" = { };
servers."${globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4}:8000" = { };
extraConfig = ''
zone radicale 64k;
keepalive 2;

4
hosts/ward/guests/vaultwarden.nix
View file

@ -38,7 +38,9 @@ in
nodes.sentinel = {
services.nginx = {
upstreams.vaultwarden = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.vaultwarden.config.rocketPort}" =
servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString config.services.vaultwarden.config.rocketPort}" =
{ };
extraConfig = ''
zone vaultwarden 64k;

17
hosts/ward/net.nix
View file

@ -261,7 +261,7 @@
services-to-local = {
from = [ "vlan-services" ];
to = [ "local" ];
allowedUDPPorts = [ config.wireguard.proxy-home.server.port ];
allowedUDPPorts = [ globals.wireguard.proxy-home.port ];
};
# Forward traffic between wireguard participants
@ -331,20 +331,11 @@
};
};
#wireguard.home.server = {
# host = todo # config.networking.fqdn;
# port = 51192;
# reservedAddresses = ["10.10.0.1/24" "fd00:10::/120"];
# openFirewall = true;
#};
wireguard.proxy-home.server = {
globals.wireguard.proxy-home.server = {
host = globals.net.home-lan.vlans.services.hosts.ward.ipv4;
port = 51444;
reservedAddresses = [
globals.net.proxy-home.cidrv4
globals.net.proxy-home.cidrv6
];
inherit (globals.net.proxy-home) cidrv4;
inherit (globals.net.proxy-home) cidrv6;
openFirewall = false; # Explicitly opened only for lan
};
}