feat(security): expose internal services and DoH to public

- Remove `internalOnly = true` flag from Vaultwarden, Forgejo, and AdGuard Home to make them publicly accessible again.

- This also re-exposes the DNS-over-HTTPS (DoH) endpoint on the AdGuard Home domain.
ashisgreat22 2026-03-19 22:48:14 +01:00
parent 5d177a0d5c
commit adb8ddb611
3 changed files with 1 additions and 4 deletions


@ -185,10 +185,9 @@ in
iptables -t nat -D PREROUTING -i tailscale0 -p tcp --dport 53 -j REDIRECT --to-ports 5353 || true
'';
# Nginx reverse proxy for AdGuard Home Web UI (restricted to Tailscale)
# Nginx reverse proxy for AdGuard Home Web UI and DoH
myModules.nginx.domains."${cfg.domain}" = {
port = cfg.port;
internalOnly = true;
contentSecurityPolicy = null; # AdGuard Home handles its own CSP
};
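
Review bot: Dropping `internalOnly = true` from `myModules.nginx.domains."${cfg.domain}"` opens the whole vhost, so the AdGuard Home Web UI (admin login included) becomes publicly reachable together with DoH, while the iptables rule in the context above is still scoped to `-i tailscale0`. If the intent is only a public DoH endpoint, consider keeping the domain internal and exposing just the DoH path, assuming the nginx module can restrict per location. Otherwise, extend the new comment to say that the admin UI is intentionally public and what protects it (authentication, rate limiting), because `contentSecurityPolicy = null` also leaves header hardening entirely to AdGuard Home. A publicly resolvable DoH endpoint should also have query rate limits or client allow-listing configured on the AdGuard Home side; nothing in this hunk shows that.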