From 1b1a19e377d84534e3e3262d8d556eede34474a0 Mon Sep 17 00:00:00 2001 From: oddlama Date: Mon, 20 May 2024 13:20:54 +0200 Subject: [PATCH] fix: missing opened firewall port for proxy-home --- hosts/sire/guests/paperless.nix | 2 +- hosts/ward/guests/common.nix | 8 +++++++- hosts/ward/guests/web-proxy.nix | 5 ++++- modules/promtail.nix | 1 + 4 files changed, 13 insertions(+), 3 deletions(-) diff --git a/hosts/sire/guests/paperless.nix b/hosts/sire/guests/paperless.nix index 3265062..125d270 100644 --- a/hosts/sire/guests/paperless.nix +++ b/hosts/sire/guests/paperless.nix @@ -107,7 +107,7 @@ in { PAPERLESS_URL = "https://${paperlessDomain}"; PAPERLESS_ALLOWED_HOSTS = paperlessDomain; PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}"; - PAPERLESS_TRUSTED_PROXIES = lib.concatStringSep "," [ + PAPERLESS_TRUSTED_PROXIES = lib.concatStringsSep "," [ sentinelCfg.wireguard.proxy-sentinel.ipv4 wardWebProxyCfg.wireguard.proxy-home.ipv4 ]; diff --git a/hosts/ward/guests/common.nix b/hosts/ward/guests/common.nix index c301f6b..81bc212 100644 --- a/hosts/ward/guests/common.nix +++ b/hosts/ward/guests/common.nix @@ -5,6 +5,7 @@ ... }: let sentinelCfg = nodes.sentinel.config; + wardWebProxyCfg = nodes.ward-web-proxy.config; in { meta.promtail = { enable = true; @@ -12,7 +13,12 @@ in { }; # Connect safely via wireguard to skip http authentication - networking.hosts.${sentinelCfg.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.networking.providedDomains.influxdb]; + networking.hosts.${ + if config.wireguard ? proxy-home + then wardWebProxyCfg.wireguard.proxy-home.ipv4 + else sentinelCfg.wireguard.proxy-sentinel.ipv4 + } = [sentinelCfg.networking.providedDomains.influxdb]; + meta.telegraf = lib.mkIf (!config.boot.isContainer) { enable = true; scrapeSensors = false; diff --git a/hosts/ward/guests/web-proxy.nix b/hosts/ward/guests/web-proxy.nix index 1677f37..c54033b 100644 --- a/hosts/ward/guests/web-proxy.nix +++ b/hosts/ward/guests/web-proxy.nix 
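Review bot: The `networking.hosts` override in the second common.nix hunk now points the influxdb domain at `wardWebProxyCfg.wireguard.proxy-home.ipv4` for any guest that has a `proxy-home` wireguard membership, but the surrounding comment still only says "Connect safely via wireguard to skip http authentication" and does not state the new assumption: that ward-web-proxy serves the same influxdb vhost, holds a certificate for that domain, and applies the same source-address auth bypass for proxy-home peers that sentinel applies for proxy-sentinel peers. If any of those do not hold on ward-web-proxy, guests on proxy-home will silently lose the unauthenticated path (or fail TLS) rather than fall back to sentinel, so this is worth verifying and documenting here. I would replace the comment with `# Connect via wireguard to skip http authentication. Guests on proxy-home reach influxdb through the` / `# local ward-web-proxy (which must serve this vhost and trust proxy-home peers the way sentinel trusts` / `# proxy-sentinel); everything else goes through sentinel.` The `config.wireguard ? proxy-home` test presumably checks whether this guest defines that network at all; that reading is inferred from the option name and should be confirmed against the wireguard module.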
@@ -1,7 +1,10 @@ {config, ...}: let inherit (config.repo.secrets.local) acme; in { - wireguard.proxy-home.client.via = "ward"; + wireguard.proxy-home = { + client.via = "ward"; + firewallRuleForAll.allowedTCPPorts = [80 443]; + }; age.secrets.acme-cloudflare-dns-token = { rekeyFile = config.node.secretsDir + "/acme-cloudflare-dns-token.age"; diff --git a/modules/promtail.nix b/modules/promtail.nix index 7d7373c..44a48eb 100644 --- a/modules/promtail.nix +++ b/modules/promtail.nix @@ -17,6 +17,7 @@ in { options.meta.promtail = { enable = mkEnableOption "promtail to push logs to a loki instance."; + # TODO: FIXME: this should not be named proxy. get domain from globals and name this secretAggregatorNode or smth. proxy = mkOption { type = types.str; description = "The node name of the proxy server which provides the https loki api endpoint.";
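Review bot: `firewallRuleForAll.allowedTCPPorts = [80 443];` opens port 80 to every proxy-home peer in addition to 443, and nothing in this hunk shows why plain HTTP is needed inside the tunnel. The ACME secret right below is a Cloudflare DNS token, which suggests DNS-01 validation rather than HTTP-01, so port 80 would only be serving an HTTP-to-HTTPS redirect for peers that already address the proxy by its https domain (the `networking.hosts` change in common.nix). If that is the case, narrowing to `firewallRuleForAll.allowedTCPPorts = [443];` keeps the wireguard-side exposure to what is actually used; if 80 is intentionally kept, a one-line comment such as `# 80 only for http->https redirect; certs come from DNS-01, so no HTTP-01 challenge here` would stop the next reader from asking the same question. This is hedged on how the nginx side of the proxy is configured, which is outside this hunk.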