From fd9770426467a2086b7ce776e018f3fe0e8c8a22 Mon Sep 17 00:00:00 2001 From: Dmitry Voronin Date: Sun, 5 Jan 2025 10:04:19 +0300 Subject: [PATCH] Nginx: Fix ipv6 listen addresses. --- home/file/ssh/config | 20 ++++++++++---------- host/x86_64-linux/dasha/Network.nix | 1 - host/x86_64-linux/desktop/Network.nix | 1 - host/x86_64-linux/home/Change.nix | 1 - host/x86_64-linux/home/Cups.nix | 2 +- host/x86_64-linux/home/Invidious.nix | 1 + host/x86_64-linux/home/Paperless.nix | 6 ++---- host/x86_64-linux/home/SearX.nix | 2 +- host/x86_64-linux/home/UptimeKuma.nix | 2 +- host/x86_64-linux/home/Vaultwarden.nix | 2 +- host/x86_64-linux/home/nginx/Change.nix | 2 +- host/x86_64-linux/home/nginx/Deluge.nix | 2 +- host/x86_64-linux/home/nginx/Jellyfin.nix | 2 +- host/x86_64-linux/laptop/Network.nix | 1 - host/x86_64-linux/max/Network.nix | 1 - host/x86_64-linux/pocket/Network.nix | 1 - host/x86_64-linux/work/Network.nix | 7 +++---- system/Sshd.nix | 4 ---- 18 files changed, 23 insertions(+), 35 deletions(-) diff --git a/home/file/ssh/config b/home/file/ssh/config index 82b9a0f..1495624 100644 --- a/home/file/ssh/config +++ b/home/file/ssh/config @@ -4,12 +4,12 @@ Host * ControlPersist yes Host dasha - HostName 10.0.0.7 + HostName dasha.local User root Port 22143 Host desktop - HostName 10.0.0.3 + HostName desktop.local User root Port 22143 
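Review bot: In home/file/ssh/config the `dasha` and `desktop` entries (and `laptop`, `max`, `pi`, `pocket`, `vpn`, `work` in the next hunk) now resolve through `.local` names, which are answered by unauthenticated mDNS on the link, and every one of them logs in as `User root`. Any device on the same segment can answer for `desktop.local`, so the host key check is the only thing tying the name to the machine, and the visible part of the `Host *` block does not show how host keys are handled. I would pin that with `StrictHostKeyChecking yes` under `Host *` and add a comment such as `# .local names come from mDNS; known_hosts is the trust anchor`. The `Host *` block begins outside the hunk.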
@@ -19,41 +19,41 @@ Host fmpmaven Port 22 Host home - HostName 10.0.0.1 + HostName [fd09:8d46:b26:0:8079:82ff:fe1a:916a] User root Port 22143 Host laptop - HostName 192.168.1.9 + HostName laptop.local User root Port 22143 Host max - HostName 10.0.0.13 + HostName max.local User root Port 22143 Host nixbuilder - HostName 10.0.0.1 + HostName [fd09:8d46:b26:0:8079:82ff:fe1a:916a] User nixbuilder Port 22143 Host pi - HostName 192.168.1.6 + HostName pi.local User root Port 22143 Host pocket - HostName 192.168.1.11 + HostName pocket.local User root Port 22143 Host vpn - HostName 194.113.233.38 + HostName vpn.local User root Port 22143 Host work - HostName 192.168.1.5 + HostName work.local User root Port 22143 diff --git a/host/x86_64-linux/dasha/Network.nix b/host/x86_64-linux/dasha/Network.nix index b296199..77d1e5a 100644 --- a/host/x86_64-linux/dasha/Network.nix +++ b/host/x86_64-linux/dasha/Network.nix @@ -3,7 +3,6 @@ networking = { firewall.extraCommands = '' # Local access. - iptables -I INPUT -j ACCEPT -s 10.0.0.0/8 ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 ''; }; diff --git a/host/x86_64-linux/desktop/Network.nix b/host/x86_64-linux/desktop/Network.nix index b296199..77d1e5a 100644 --- a/host/x86_64-linux/desktop/Network.nix +++ b/host/x86_64-linux/desktop/Network.nix @@ -3,7 +3,6 @@ networking = { firewall.extraCommands = '' # Local access. - iptables -I INPUT -j ACCEPT -s 10.0.0.0/8 ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 ''; }; diff --git a/host/x86_64-linux/home/Change.nix b/host/x86_64-linux/home/Change.nix index 48f3868..8149765 100644 --- a/host/x86_64-linux/home/Change.nix +++ b/host/x86_64-linux/home/Change.nix @@ -4,7 +4,6 @@ enable = true; baseURL = "change.voronind.com"; behindProxy = true; - listenAddress = "0.0.0.0"; port = 5001; }; } diff --git a/host/x86_64-linux/home/Cups.nix b/host/x86_64-linux/home/Cups.nix index c869e56..8d6fc13 100644 --- a/host/x86_64-linux/home/Cups.nix +++ b/host/x86_64-linux/home/Cups.nix 
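Review bot: The `home` and `nixbuilder` entries put the IPv6 literal in brackets, `HostName [fd09:8d46:b26:0:8079:82ff:fe1a:916a]`. As far as I know ssh_config expects a bare address for `HostName` and treats the bracketed form as a name to resolve, so these two hosts may fail to connect. I would write `HostName fd09:8d46:b26:0:8079:82ff:fe1a:916a`. Separately, `vpn` moves from a public address to `vpn.local`, which only resolves if that machine answers mDNS on the local link, so it is worth confirming the host is still reachable this way.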
@@ -12,7 +12,7 @@ in browsing = true; defaultShared = true; drivers = [ package ]; - listenAddresses = [ "0.0.0.0:631" ]; + listenAddresses = [ "[::1]:631" ]; startWhenNeeded = true; stateless = false; webInterface = true; diff --git a/host/x86_64-linux/home/Invidious.nix b/host/x86_64-linux/home/Invidious.nix index 7e5f9e6..cb5e0fe 100644 --- a/host/x86_64-linux/home/Invidious.nix +++ b/host/x86_64-linux/home/Invidious.nix @@ -14,6 +14,7 @@ enable = true; domain = "yt.voronind.com"; package = pkgsMaster.invidious; + address = "::1"; port = 3001; nginx.enable = false; database = { diff --git a/host/x86_64-linux/home/Paperless.nix b/host/x86_64-linux/home/Paperless.nix index 76753d8..4a06413 100644 --- a/host/x86_64-linux/home/Paperless.nix +++ b/host/x86_64-linux/home/Paperless.nix @@ -2,10 +2,8 @@ { services.paperless = { enable = true; - address = "0.0.0.0"; - dataDir = "/var/lib/paperless"; - # port = cfg.port; - passwordFile = pkgs.writeText "PaperlessPassword" "root"; # NOTE: Only for initial setup, change later. + address = "[::1]"; + passwordFile = pkgs.writeText "PaperlessPassword" "root"; # WARN: Only for initial setup, change later. settings = { PAPERLESS_ADMIN_USER = "root"; PAPERLESS_DBHOST = "/run/postgresql"; diff --git a/host/x86_64-linux/home/SearX.nix b/host/x86_64-linux/home/SearX.nix index a22bd80..e37ce15 100644 --- a/host/x86_64-linux/home/SearX.nix +++ b/host/x86_64-linux/home/SearX.nix @@ -11,7 +11,7 @@ instance_name = "SearX"; }; server = { - # bind_address = cfg.address; + bind_address = "::1"; image_proxy = false; limiter = false; method = "GET"; diff --git a/host/x86_64-linux/home/UptimeKuma.nix b/host/x86_64-linux/home/UptimeKuma.nix index eddee7a..a7288c6 100644 --- a/host/x86_64-linux/home/UptimeKuma.nix +++ b/host/x86_64-linux/home/UptimeKuma.nix @@ -5,7 +5,7 @@ settings = { DATA_DIR = "/var/lib/uptime-kuma/"; PORT = "64901"; - # HOST = cfg.address; + HOST = "::1"; }; }; 
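Review bot: In host/x86_64-linux/home/Cups.nix the listener becomes loopback only (`[::1]:631`) while `browsing = true`, `defaultShared = true` and `webInterface = true` remain in the context lines. The configuration therefore still advertises shared printers that no other host can reach, unless something outside this hunk forwards port 631. If loopback-only is intended, say so with a comment such as `# Loopback only; remote access goes through the reverse proxy`, or drop the sharing options. The attribute set starts and ends outside the hunk.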
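Review bot: In host/x86_64-linux/home/Paperless.nix the line `passwordFile = pkgs.writeText "PaperlessPassword" "root";` is kept and only relabelled from NOTE to WARN. `pkgs.writeText` puts the literal into the Nix store, which every local user can read, and the value equals the admin name set in `PAPERLESS_ADMIN_USER`. I would point the option at a file outside the store with restrictive permissions, for example `passwordFile = "/run/secrets/paperless-admin";` (placeholder path), and rotate the password once the instance is set up.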
diff --git a/host/x86_64-linux/home/Vaultwarden.nix b/host/x86_64-linux/home/Vaultwarden.nix index 5e2e443..41d8453 100644 --- a/host/x86_64-linux/home/Vaultwarden.nix +++ b/host/x86_64-linux/home/Vaultwarden.nix @@ -7,7 +7,7 @@ config = { DATA_FOLDER = "/var/lib/vaultwarden"; DOMAIN = "https://pass.voronind.com"; - # ROCKET_ADDRESS = cfg.address; + ROCKET_ADDRESS = "::1"; ROCKET_PORT = 8001; SIGNUPS_ALLOWED = false; WEB_VAULT_ENABLED = true; diff --git a/host/x86_64-linux/home/nginx/Change.nix b/host/x86_64-linux/home/nginx/Change.nix index fa12d64..f819e3e 100644 --- a/host/x86_64-linux/home/nginx/Change.nix +++ b/host/x86_64-linux/home/nginx/Change.nix @@ -8,7 +8,7 @@ allow fd09:8d46:b26::/48; deny all; - proxy_pass http://[::1]:5001$request_uri; + proxy_pass http://127.0.0.1:5001$request_uri; add_header Referrer-Policy 'origin'; } diff --git a/host/x86_64-linux/home/nginx/Deluge.nix b/host/x86_64-linux/home/nginx/Deluge.nix index 8e501be..4978671 100644 --- a/host/x86_64-linux/home/nginx/Deluge.nix +++ b/host/x86_64-linux/home/nginx/Deluge.nix @@ -7,7 +7,7 @@ allow 10.0.0.0/8; allow fd09:8d46:b26::/48; deny all; - proxy_pass http://[::1]:8112$request_uri; + proxy_pass http://127.0.0.1:8112$request_uri; } ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem; diff --git a/host/x86_64-linux/home/nginx/Jellyfin.nix b/host/x86_64-linux/home/nginx/Jellyfin.nix index d80b085..a7e6140 100644 --- a/host/x86_64-linux/home/nginx/Jellyfin.nix +++ b/host/x86_64-linux/home/nginx/Jellyfin.nix @@ -7,7 +7,7 @@ allow 10.0.0.0/8; allow fd09:8d46:b26::/48; deny all; - proxy_pass http://[::1]:8096$request_uri; + proxy_pass http://127.0.0.1:8096$request_uri; } ssl_certificate /etc/letsencrypt/live/voronind.com/fullchain.pem; diff --git a/host/x86_64-linux/laptop/Network.nix b/host/x86_64-linux/laptop/Network.nix index b296199..77d1e5a 100644 --- a/host/x86_64-linux/laptop/Network.nix +++ b/host/x86_64-linux/laptop/Network.nix 
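Review bot: In host/x86_64-linux/home/nginx/Change.nix `proxy_pass` moves from `[::1]` to `127.0.0.1` (same change in nginx/Deluge.nix and nginx/Jellyfin.nix), the opposite direction from the rest of the commit, which binds backends to `::1`. For Change, the companion hunk drops `listenAddress = "0.0.0.0"`, so the backend now listens on whatever the module defaults to, which is not visible here. If that default is not an IPv4 loopback, the proxy will get connection refused. A one-line comment next to each `proxy_pass`, e.g. `# backend binds IPv4 loopback only`, would show the address family is deliberate. The location block starts outside the hunk.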
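Review bot: The context line `allow 10.0.0.0/8;` in host/x86_64-linux/home/nginx/Deluge.nix (also in nginx/Jellyfin.nix) still admits the whole IPv4 private /8, while this commit removes the matching `iptables -I INPUT -j ACCEPT -s 10.0.0.0/8` rule from the per-host Network.nix files. If that IPv4 range is no longer treated as a trusted network, the nginx access list should drop it too, leaving only `allow fd09:8d46:b26::/48;` before `deny all;`. If it has to stay, narrowing it to the actual LAN prefix would be tighter than a /8.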
@@ -3,7 +3,6 @@ networking = { firewall.extraCommands = '' # Local access. - iptables -I INPUT -j ACCEPT -s 10.0.0.0/8 ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 ''; }; diff --git a/host/x86_64-linux/max/Network.nix b/host/x86_64-linux/max/Network.nix index b296199..77d1e5a 100644 --- a/host/x86_64-linux/max/Network.nix +++ b/host/x86_64-linux/max/Network.nix @@ -3,7 +3,6 @@ networking = { firewall.extraCommands = '' # Local access. - iptables -I INPUT -j ACCEPT -s 10.0.0.0/8 ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 ''; }; diff --git a/host/x86_64-linux/pocket/Network.nix b/host/x86_64-linux/pocket/Network.nix index b296199..77d1e5a 100644 --- a/host/x86_64-linux/pocket/Network.nix +++ b/host/x86_64-linux/pocket/Network.nix @@ -3,7 +3,6 @@ networking = { firewall.extraCommands = '' # Local access. - iptables -I INPUT -j ACCEPT -s 10.0.0.0/8 ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 ''; }; diff --git a/host/x86_64-linux/work/Network.nix b/host/x86_64-linux/work/Network.nix index 7ec16f0..77d1e5a 100644 --- a/host/x86_64-linux/work/Network.nix +++ b/host/x86_64-linux/work/Network.nix @@ -2,9 +2,8 @@ { networking = { firewall.extraCommands = '' - # Ssh access. - iptables -I INPUT -j ACCEPT -s 10.0.0.0/8 -p tcp --dport 22143 - ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 -p tcp --dport 22143 - ''; + # Local access. + ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 + ''; }; } diff --git a/system/Sshd.nix b/system/Sshd.nix index 57bdb03..5382f4a 100644 --- a/system/Sshd.nix +++ b/system/Sshd.nix @@ -6,10 +6,6 @@ allowSFTP = true; ports = [ 22143 ]; listenAddresses = [ - { - addr = "0.0.0.0"; - port = 22143; - } { addr = "[::]"; port = 22143;
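Review bot: In host/x86_64-linux/work/Network.nix the new rule accepts all traffic from `fd09:8d46:0b26::/48`, where the removed rules limited that source to `-p tcp --dport 22143`. This opens every listening port on the work host to the whole /48 rather than SSH alone, and the commit title does not mention the widening. If only SSH is needed, keep the restriction: `ip6tables -I INPUT -j ACCEPT -s fd09:8d46:0b26::/48 -p tcp --dport 22143` under the original `# Ssh access.` comment.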