fix(uni): disable access by default

2026-02-09 04:19:19 -08:00 · 2024-02-29 11:47:17 -08:00 · 2024-02-29 11:47:17 -08:00 · d66ab782d4
commit d66ab782d4
parent de44c70844
1 changed files with 25 additions and 29 deletions
--- a/nixos/access/unifi.nix
+++ b/nixos/access/unifi.nix
@ -4,14 +4,16 @@
  ...
 }: let
  inherit (lib.options) mkOption mkEnableOption;
-  inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
-  inherit (lib.lists) concatMap;
+  inherit (lib.modules) mkIf mkDefault mkOptionDefault;
  inherit (config.services) nginx tailscale unifi;
  access = nginx.access.unifi;
 in {
  options.services.nginx.access.unifi = with lib.types; {
-    global.enable = mkEnableOption "global access" // {
-      default = access.useACMEHost != null;
+    global = {
+      enable = mkEnableOption "global access" // {
+        default = access.useACMEHost != null;
+      };
+      management = mkEnableOption "global management port access";
    };
    host = mkOption {
      type = str;
@ -55,45 +57,39 @@ in {
          proxyPass = access.url;
        };
      };
-      streamListen = { config, ... }: {
-        listen = concatMap (addr: [
-          {
-            inherit addr;
-            port = 80;
-            ssl = false;
-          }
-          (mkIf (config.addSSL || config.forceSSL) {
-            inherit addr;
-            port = 443;
-            ssl = true;
-          })
-          (mkIf (config.addSSL || config.forceSSL) {
-            inherit addr;
-            port = access.managementPort;
-            ssl = true;
-          })
-        ]) nginx.defaultListenAddresses;
-      };
    in {
-      ${access.domain} = mkIf access.global.enable (mkMerge [ {
-        vouch.enable = true;
+      "${access.domain}@management" = mkIf access.global.management {
+        listen = map (addr: {
+          inherit addr;
+          port = access.managementPort;
+          ssl = true;
+        }) nginx.defaultListenAddresses;
+        serverName = access.domain;
+        default = mkDefault true;
        forceSSL = mkDefault true;
        kTLS = mkDefault true;
        useACMEHost = mkDefault access.useACMEHost;
        inherit locations extraConfig;
-      } streamListen ]);
-      ${access.localDomain} = mkMerge [ {
+      };
+      ${access.domain} = mkIf (access.global.enable || access.useACMEHost != null) {
+        vouch.enable = mkDefault true;
+        forceSSL = mkDefault true;
+        kTLS = mkDefault true;
+        useACMEHost = mkDefault access.useACMEHost;
+        inherit locations extraConfig;
+      };
+      ${access.localDomain} = {
        serverAliases = mkIf tailscale.enable [ access.tailDomain ];
        useACMEHost = mkDefault access.useACMEHost;
        addSSL = mkDefault (access.useACMEHost != null);
        kTLS = mkDefault true;
        local.enable = true;
        inherit locations extraConfig;
-      } streamListen ];
+      };
    };
  };
  config.networking.firewall = {
    interfaces.local.allowedTCPPorts = [ access.managementPort ];
-    allowedTCPPorts = mkIf access.global.enable [ access.managementPort ];
+    allowedTCPPorts = mkIf access.global.management [ access.managementPort ];
  };
 }