From d87b210c46e6f9f995f223a7abf307574b202010 Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Sat, 13 Jan 2024 12:44:02 -0800
Subject: [PATCH] fix: service firewall settings
---
 modules/nixos/nginx-vouch.nix | 3 ++-
 nixos/access/zigbee2mqtt.nix | 5 +++--
 nixos/vouch.nix | 1 +
 nixos/zigbee2mqtt.nix | 1 -
 4 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/modules/nixos/nginx-vouch.nix b/modules/nixos/nginx-vouch.nix
index 40be5d13..d32a335a 100644
--- a/modules/nixos/nginx-vouch.nix
+++ b/modules/nixos/nginx-vouch.nix
@@ -28,7 +28,8 @@ in {
 vouch = mkIf vouch-proxy.enable {
 proxyOrigin = let
 inherit (vouch-proxy.settings.vouch) listen port;
- in mkOptionDefault "http://${listen}:${toString port}";
+ host = if listen == "0.0.0.0" || listen == "[::]" then "localhost" else listen;
+ in mkOptionDefault "http://${host}:${toString port}";
 authUrl = mkOptionDefault vouch-proxy.authUrl;
 url = mkOptionDefault vouch-proxy.url;
 };
diff --git a/nixos/access/zigbee2mqtt.nix b/nixos/access/zigbee2mqtt.nix
index 50f4c2e9..a719fcf8 100644
--- a/nixos/access/zigbee2mqtt.nix
+++ b/nixos/access/zigbee2mqtt.nix
@@ -3,14 +3,15 @@
 lib,
 ...
 }:
-with lib; let
+let
+ inherit (lib.modules) mkDefault;
 cfg = config.services.zigbee2mqtt;
 in {
 services.nginx.virtualHosts.${cfg.domain} = {
 vouch.enable = true;
 locations = {
 "/" = {
- proxyPass = "http://127.0.0.1:${toString cfg.settings.frontend.port}";
+ proxyPass = mkDefault "http://127.0.0.1:${toString cfg.settings.frontend.port}";
 extraConfig = ''
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "upgrade";
diff --git a/nixos/vouch.nix b/nixos/vouch.nix
index 3a913985..bb372fdc 100644
--- a/nixos/vouch.nix
+++ b/nixos/vouch.nix
@@ -10,6 +10,7 @@ in {
 enable = mkDefault true;
 domain = mkDefault "login.${config.networking.domain}";
 settings = {
+ vouch.listen = mkDefault "0.0.0.0";
 vouch.cookie.secure = mkDefault false;
 };
 enableSettingsSecrets = mkDefault true;
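Review bot: In modules/nixos/nginx-vouch.nix the new `host` binding substitutes `localhost` for a wildcard listen address, which leaves the address family to name resolution. nginx may resolve `localhost` to both 127.0.0.1 and ::1, while a vouch instance bound to `0.0.0.0` accepts IPv4 only, so some of the requests nginx sends to vouch can hit a refused connection first. Mapping each wildcard to its own loopback literal avoids that, e.g. `host = if listen == "0.0.0.0" then "127.0.0.1" else if listen == "[::]" then "[::1]" else listen;`. The comparison also matches only these two spellings; whether vouch accepts other wildcard forms such as an unbracketed `::` is not visible here. The enclosing attribute set starts and ends outside the hunk.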
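Review bot: In nixos/access/zigbee2mqtt.nix, wrapping `proxyPass` in `mkDefault` invites overrides that point the vhost at another address, but nothing here records that `vouch.enable = true` only protects requests that pass through this nginx vhost. If the frontend port is reachable directly (the frontend's bind address is not set in this hunk), that path is presumably not covered by the vouch check. I would add a comment above the line such as `# default assumes zigbee2mqtt runs on this host; when overriding, keep the frontend port reachable only from this proxy`. The `extraConfig` string and the surrounding attribute sets continue outside the hunk.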
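Review bot: In nixos/vouch.nix, `vouch.listen = mkDefault "0.0.0.0";` makes the auth service listen on every interface, with no comment saying which clients need that or what limits access to the port. The same commit makes nginx fall back to `localhost` for a wildcard listen, so an nginx on the same host does not need the wildcard bind. If the bind exists for proxies on other hosts, say so next to the setting, e.g. `# reached by nginx on other hosts; access limited by <firewall rule or interface>`, or bind to the specific internal address instead. The adjacent `vouch.cookie.secure = mkDefault false;` context line suggests TLS is terminated elsewhere, so traffic to this listener is presumably plain HTTP, which makes the exposure worth documenting. The `settings` block's parent attribute set starts outside the hunk.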
diff --git a/nixos/zigbee2mqtt.nix b/nixos/zigbee2mqtt.nix index dea4e7c0..921f7444 100644 --- a/nixos/zigbee2mqtt.nix +++ b/nixos/zigbee2mqtt.nix @@ -15,7 +15,6 @@ in { services.zigbee2mqtt = { enable = mkDefault true; - openFirewall = mkDefault true; domain = mkDefault "z2m.${config.networking.domain}"; settings = { advanced = {