Add dots.ports module: fleet-wide service port registry (nixnuc + hetznix01)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-31 23:55:20 -04:00 · 2026-05-28 22:42:49 -04:00 · 2026-05-28 22:42:49 -04:00 · 94fdc678e4
commit 94fdc678e4
parent 84a5c695b0
15 changed files with 353 additions and 135 deletions
--- a/modules/hosts/nixos/hetznix01/ports.nix
+++ b/modules/hosts/nixos/hetznix01/ports.nix
@ -0,0 +1,82 @@
+{
+  config.dots.ports = {
+    # Firewalled TCP services (email)
+    smtp = {
+      port = 25;
+      openFirewall = true;
+    };
+    imap = {
+      port = 143;
+      openFirewall = true;
+    };
+    smtp-tls = {
+      port = 465;
+      openFirewall = true;
+    };
+    smtp-starttls = {
+      port = 587;
+      openFirewall = true;
+    };
+    imaps = {
+      port = 993;
+      openFirewall = true;
+    };
+
+    # MQTT (via EMQX container)
+    mqtt = {
+      port = 1883;
+      openFirewall = true;
+    };
+    mqtt-tls = {
+      port = 8883;
+      openFirewall = true;
+    };
+    mqtt-ws = {
+      port = 9001;
+      openFirewall = true;
+    };
+
+    # Bitcoin / Lightning (proxied to umbrel on tailnet)
+    bitcoin-core = {
+      port = 8333;
+      openFirewall = true;
+    };
+    bitcoin-knots = {
+      port = 9333;
+      openFirewall = true;
+    };
+    lnd = {
+      port = 9735;
+      openFirewall = true;
+    };
+
+    # Matrix federation listener (nginx terminates, proxies to matrix-synapse)
+    matrix-federation = {
+      port = 8448;
+      openFirewall = true;
+    };
+
+    # Internal-only TCP services (proxied via nginx, not firewalled)
+    matrix-synapse = {
+      port = 8008;
+    };
+    owntracks-frontend = {
+      port = 8082;
+    };
+    owntracks-recorder = {
+      port = 8083;
+    };
+    plausible = {
+      port = 8001;
+    };
+    uptime-kuma = {
+      port = 3001;
+    };
+    collabora = {
+      port = 9980;
+    };
+    emqx-admin = {
+      port = 18083;
+    };
+  };
+}