From e8f6f4e96f36b09fd30072e7b8297707c759befa Mon Sep 17 00:00:00 2001
From: Kabbone
Date: Fri, 31 May 2024 19:46:43 +0200
Subject: [PATCH] services: hydra: fix reverse proxy and firewall

---
 hosts/dmz/hardware-configuration.nix | 2 +-
 modules/services/dmz/hydra.nix | 6 ++----
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/hosts/dmz/hardware-configuration.nix b/hosts/dmz/hardware-configuration.nix
index 74d18b4..4261254 100644
--- a/hosts/dmz/hardware-configuration.nix
+++ b/hosts/dmz/hardware-configuration.nix
@@ -97,7 +97,7 @@
 firewall = {
 enable = true;
 allowedUDPPorts = [ ];
- allowedTCPPorts = [ ];
+ allowedTCPPorts = [ 80 443 ];
 };
 };
diff --git a/modules/services/dmz/hydra.nix b/modules/services/dmz/hydra.nix
index 76117a6..039c69c 100644
--- a/modules/services/dmz/hydra.nix
+++ b/modules/services/dmz/hydra.nix
@@ -20,9 +20,7 @@
 "${config.services.hydra.hydraURL}" = {
 enableACME = true;
 forceSSL = true;
- listen = [ {
- addr = "127.0.0.1"; port = 3000;
- } ];
+ locations."/".proxyPass = "http://localhost:3000";
 };
 };
 };
@@ -30,7 +28,7 @@
 security.acme = {
 defaults.email = "webmaster@kabtop.de";
- defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+ #defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
 acceptTerms = true;
 certs.${config.services.hydra.hydraURL} = {
 dnsProvider = "netcup";
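Review bot: Opening 80 and 443 in `hosts/dmz/hardware-configuration.nix` ties the exposure to the host rather than to the Hydra vhost, so the ports stay open on every interface even if the nginx/Hydra module is later removed from this machine. Consider declaring the rule next to the vhost in `modules/services/dmz/hydra.nix`, e.g. `networking.firewall.allowedTCPPorts = [ 80 443 ];` (assuming the `firewall` block shown sits under `networking`; its parent starts outside the hunk). The certificate in this commit is configured with a DNS provider, so port 80 appears to be needed only for the `forceSSL` redirect. A one-line comment saying so would help whoever next audits this DMZ host's open ports.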
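Review bot: The new `proxyPass` line assumes Hydra is reachable only through nginx, but nothing visible here pins Hydra's own listener to loopback. NixOS's `services.hydra.listenHost` defaults to `*`, so port 3000 is kept private by the firewall alone. Setting `services.hydra.listenHost = "127.0.0.1";` beside this vhost would add a second layer; the Hydra service block is outside the hunk, so it may already be set. Pointing the proxy at `http://127.0.0.1:3000` instead of `localhost` also avoids nginx trying `::1` when Hydra is bound on IPv4 only.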
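Review bot: The staging endpoint is left behind as a commented-out `defaults.server` line with no explanation. Either delete it or state why it is kept, e.g. add `# Uncomment to issue test certificates from the Let's Encrypt staging CA.` directly above it. The `security.acme` block continues past the end of the hunk.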