From 3c46d9e066e6b7d5105f1433d486459780581f92 Mon Sep 17 00:00:00 2001
From: wi11-holdsworth <83637728+wi11-holdsworth@users.noreply.github.com>
Date: Sun, 22 Feb 2026 16:49:11 +1100
Subject: [PATCH] feat: prepare for exposure to the internet

* open ports 80 and 443
* password-protect copyparty and ntfy-sh
* randomise usernames for radicale and copyparty
---
 hosts/server/configuration.nix | 8 +++++++-
 modules/nixos/features/borgmatic.nix | 3 +++
 modules/nixos/features/caddy.nix | 1 +
 modules/nixos/features/copyparty.nix | 8 ++++----
 modules/nixos/features/ntfy-sh.nix | 12 ++++++++++++
 secrets/borgmatic-ntfy.age | 9 +++++++++
 secrets/{copyparty-will.age => copyparty.age} | Bin
 secrets/radicale.age | Bin 492 -> 498 bytes
 secrets/secrets.nix | 3 ++-
 9 files changed, 38 insertions(+), 6 deletions(-)
 create mode 100644 secrets/borgmatic-ntfy.age
 rename secrets/{copyparty-will.age => copyparty.age} (100%)

diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index aff95a3..a331fc7 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -33,7 +33,13 @@
     ];
   };
 
-  networking.hostName = "${hostName}";
+  networking = {
+    hostName = "${hostName}";
+    firewall.interfaces."enp2s0".allowedTCPPorts = [
+      80
+      443
+    ];
+  };
 
   # hardened openssh
   services.openssh = {
diff --git a/modules/nixos/features/borgmatic.nix b/modules/nixos/features/borgmatic.nix
index bd45777..6628f8e 100644
--- a/modules/nixos/features/borgmatic.nix
+++ b/modules/nixos/features/borgmatic.nix
@@ -20,6 +20,8 @@
       ntfy = {
         topic = "backups";
         server = config.services.ntfy-sh.settings.base-url;
+        username = "borgmatic";
+        password = "{credential file ${config.age.secrets.borgmatic-ntfy.path}}";
         finish = {
           title = "Ping!";
           message = "Your backups have succeeded :)";
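Review bot: The new firewall rule opens 80 and 443 only on `enp2s0`, but the caddy.nix hunk in this same commit sets `openFirewall = true;`, and if that option opens the same ports through the global allowedTCPPorts list (as it does upstream) they are reachable on every interface and the interface scoping here has no effect. Keep one of the two: if only `enp2s0` should serve HTTP(S), drop `openFirewall` from caddy.nix; if every interface should, drop this block and let the caddy option own the policy. A comment next to whichever rule survives, such as `# 80/443 for caddy; firewall policy lives here, not in caddy.nix`, would stop the two from drifting apart again. The services.openssh block that follows continues outside the hunk.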
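Review bot: The ntfy password added here is read at runtime from secrets/borgmatic-ntfy.age, while the bcrypt hash that ntfy checks it against for user `borgmatic` is hard-coded in ntfy-sh.nix in this same commit, so the two are kept in step only by hand and a rotation that updates one side will likely leave notifications failing or the old password still valid. Add a comment above `username`, e.g. `# plaintext of borgmatic-ntfy.age must match the "borgmatic" entry in ntfy-sh.nix auth-users`, ideally with a one-line note on how the hash is regenerated. The `{credential file …}` placeholder also presumes a borgmatic release with credential-hook support; stating that requirement here would help the next reader. The enclosing ntfy block continues outside the hunk.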
@@ -78,6 +80,7 @@
   # secrets
   age.secrets = {
     "borgmatic".file = ../../../secrets/borgmatic.age;
+    "borgmatic-ntfy".file = ../../../secrets/borgmatic-ntfy.age;
     "borgmatic-pg".file = ../../../secrets/borgmatic-pg.age;
   };
 }
diff --git a/modules/nixos/features/caddy.nix b/modules/nixos/features/caddy.nix
index ca45981..4c8978a 100644
--- a/modules/nixos/features/caddy.nix
+++ b/modules/nixos/features/caddy.nix
@@ -9,6 +9,7 @@
     globalConfig = ''
       auto_https disable_redirects
     '';
+    openFirewall = true;
   };
 
   security.acme = {
diff --git a/modules/nixos/features/copyparty.nix b/modules/nixos/features/copyparty.nix
index 73006f6..ac21d2c 100644
--- a/modules/nixos/features/copyparty.nix
+++ b/modules/nixos/features/copyparty.nix
@@ -25,12 +25,12 @@ in
       rproxy = 1;
     };
 
-    accounts.will.passwordFile = config.age.secrets.copyparty-will.path;
+    accounts.Impatient7119.passwordFile = config.age.secrets.copyparty.path;
 
     volumes."/" = {
       path = "/srv/copyparty";
       access = {
-        A = [ "will" ];
+        A = [ "Impatient7119" ];
       };
     };
   };
@@ -44,8 +44,8 @@ in
   };
 
   # secrets
-  age.secrets."copyparty-will" = {
-    file = ../../../secrets/copyparty-will.age;
+  age.secrets."copyparty" = {
+    file = ../../../secrets/copyparty.age;
     owner = "copyparty";
   };
 
diff --git a/modules/nixos/features/ntfy-sh.nix b/modules/nixos/features/ntfy-sh.nix
index e53a792..b82a4f0 100644
--- a/modules/nixos/features/ntfy-sh.nix
+++ b/modules/nixos/features/ntfy-sh.nix
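Review bot: `Impatient7119` is a randomised account name, but it is still plain text in this module and therefore in the repository and in the Nix store of the host, so it should be read as an opaque identifier rather than as part of the credential; the `passwordFile` is what actually gates access to the `/` volume. A short comment above the `accounts` line, e.g. `# account name is an opaque identifier, not a secret; access is gated by passwordFile`, would keep a later reader from treating the rename as a security control. The same reasoning applies to the radicale username mentioned in the commit message, whose change is only visible as an opaque .age delta here.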
@@ -10,9 +10,21 @@ in
       base-url = "https://ntfy-sh.fi33.buzz";
       listen-http = ":${toString port}";
       behind-proxy = true;
+      auth-default-access = "deny-all";
+      auth-users = [
+        "Debit3885:$2a$12$ZeFimzdifNFSmf0W2oi.vuZfsqae75md9nhC/Q2BcKMyvDO8T.uEK:admin"
+        "borgmatic:$2a$12$ZeFimzdifNFSmf0W2oi.vuZfsqae75md9nhC/Q2BcKMyvDO8T.uEK:user"
+      ];
+      auth-access = [ "borgmatic:backups:wo" ];
     };
   };
 
+  borgmatic.settings = {
+    source_directories = [
+      "/var/lib/ntfy-sh/user.db"
+    ];
+  };
+
   caddy.virtualHosts."ntfy-sh.fi33.buzz".extraConfig = ''
     reverse_proxy localhost:${toString port}
     tls ${certloc}/cert.pem ${certloc}/key.pem {
diff --git a/secrets/borgmatic-ntfy.age b/secrets/borgmatic-ntfy.age
new file mode 100644
index 0000000..86e7ba8
--- /dev/null
+++ b/secrets/borgmatic-ntfy.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 qLT+DQ GTuLiTsgOVunKC+DyalVPV3gKm3WiKoSIQXg/0ElJF8
+UiOLJdTn4Q5oTkqAtZ6K0uxW+EsrpfA156uC1ncrIY0
+-> ssh-ed25519 7+xRyQ k2ta2Gl7zCvHiv4DwzgRK5REDYayIoTfC32BF5yHxgg
+n7sqfJ6fx/3VnQCD+H4n92ekGdoFCdk/SeXdSU8FZHc
+-> ssh-ed25519 LtK9yQ BQ9U3//Lzx7dX+iDyP2lqx6K860kFTu/iB5uMAskKhA
+xiV+QxL8ffx9n9gIUr5wwQ5zGvZlFsf2DclayQh8SJI
+--- k06SInBOn82DqWfIf4t62pjAZ1R0uWAyQTi5ELDD/6U
+fú _$®T5–6"T­Hô;4}ùHRrifMU}Yh}5Cene_&aGrLufklypcR)#HNN}!^ zzk!jfabTq*S5F6kLAkrnwN23dhzx^@c1#TmM(DMqHI zhL#FGCEk{mfeP6rzMc_gQI;|V~dCNS_ w$?9p@t1ix(of2Q+^vixKmwD&JnSX44@hs7B4gPtw|B!yi3ZbKRkAHsx0Ox?F2mk;8 delta 465 zcmeyw{DyggYQ0a1w`FCZLYY%(c|odQNK#35c~p6RV1ZM5M3i@#p+$soluNl`XtrOX zyJ>1cadC!jYKoDmsiCDpp-+gmOQ3>Nm~T#?eu=MhR=rt3a7bENqN#JCo2h$FaZ;$I zwwHdGziX<0az?tBp`$04XQF`X?L6w0DE=ECqCdFYTmJt=XepT*y8Ad@a70&tEMcPL7!9k{$1?8c^ z7M4YYMH$Z7T;YKxA#OR9MqYs)W(C2i9u~$CL8W0?Zq6S0StZ)Wq0as;rAhkvp{7Qm zT)Mit3K`+SZmEf>xy8wTky*i>r3TrhVV02=mI1Co1{S_KA!*u`j;U3pMPa$+TmfML zGJcoYa|#ZyaRhI%cX$2f_4-Y8
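Review bot: Both `auth-users` entries carry the identical bcrypt hash `$2a$12$ZeFimz…T.uEK`, so the admin account `Debit3885` and the write-only `borgmatic` account share one password, and whatever plaintext the backup job reads from secrets/borgmatic-ntfy.age also unlocks admin on the ntfy server; the `auth-access = [ "borgmatic:backups:wo" ]` restriction is therefore only nominal. Give `borgmatic` its own hash derived from a distinct secret, or, if the duplicate is a placeholder left from testing, replace it before this is deployed. Note also that, unlike every other credential in this commit, these hashes are committed in plain config and will be copied into the world-readable Nix store on the host; cost 12 slows offline guessing but does not prevent it, so consider whether they need to live in the Nix expression at all given that the same hunk already backs up `/var/lib/ntfy-sh/user.db`, the runtime store for these accounts. A comment above `auth-users` stating where each hash comes from and how it is regenerated would help either way.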