From 2bd75fef39494f4af9da08f0295ed25baed1e4a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Samuel=20=C5=A0tancl?=
Date: Thu, 24 Jul 2025 01:17:19 +0200
Subject: [PATCH] Firewall settings (open 80 and 443), sudo rule for checking queue status, simplify ssh keygen

---
 laravel.nix | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/laravel.nix b/laravel.nix
index 0ba5bf5..a0b1ad1 100644
--- a/laravel.nix
+++ b/laravel.nix
@@ -18,12 +18,12 @@ let
   mkUsername = siteName: "laravel-${siteName}";
 in {
-  # Ensure nginx is enabled
   services.nginx.enable = true;
-
-  # Setup ACME if SSL is enabled
   security.acme.acceptTerms = lib.mkIf ssl true;
+  # This doesn't override the array, only merges 80 and potentially 443 into it
+  networking.firewall.allowedTCPPorts = [ 80 ] ++ lib.optionals ssl [ 443 ];
+
   # Create welcome message for user
   environment.etc."laravel-${name}-bashrc".text = ''
     # Laravel site welcome message
@@ -33,6 +33,7 @@ in {
     echo "Site: /srv/${name}"
     echo "Restart php-fpm: sudo systemctl reload phpfpm-${name}"
     ${lib.optionalString queue ''echo "Restart queue: php artisan queue:restart"''}
+    ${lib.optionalString queue ''echo "Queue status: sudo systemctl status laravel-queue-${name}"''}
     ${lib.optionalString generateSshKey ''echo "SSH public key: cat ~/.ssh/id_ed25519.pub"''}
     echo "---"
   '';
@@ -45,7 +46,6 @@ in {
     "C /home/${mkUsername name}/.bashrc 0644 ${mkUsername name} ${mkUsername name} - /etc/laravel-${name}-bashrc"
   ];
-  # Laravel cron job for scheduler
   services.cron.systemCronJobs = [
     "* * * * * ${mkUsername name} cd /srv/${name} && ${phpPackage}/bin/php artisan schedule:run > /dev/null 2>&1"
   ];
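Review bot: The comment above the added `networking.firewall.allowedTCPPorts` line explains the list-merge semantics but not why port 80 stays open when `ssl` is true, which is the question a reviewer of the exposed surface will ask. Given the `security.acme.acceptTerms` line directly above, 80 is presumably kept for HTTP-01 validation and an HTTP-to-HTTPS redirect, but neither is visible in this hunk, so that should be stated and confirmed: `# 80 stays open with ssl: ACME HTTP-01 validation and the HTTP->HTTPS redirect need it (confirm)`. Since this module is evaluated once per site, every site contributes the same entries; the merge makes that harmless, and a short note saying so would also save the next reader the same check. The option only takes effect while `networking.firewall.enable` is true (its default), which is worth a word here as well.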
@@ -87,7 +87,7 @@ in {
     if [[ ! -f "$KEY_FILE" ]]; then
       echo "Generating SSH key for ${mkUsername name}"
       mkdir -p "$SSH_DIR"
-      ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f "$KEY_FILE" -N "" -C "${mkUsername name}@$(hostname)"
+      ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f "$KEY_FILE" -N "" -C "${mkUsername name}"
       chown -R ${mkUsername name}:${mkUsername name} "$SSH_DIR"
       chmod 700 "$SSH_DIR"
       chmod 600 "$KEY_FILE"
@@ -173,7 +173,7 @@ in {
   # Add site group to nginx service
   systemd.services.nginx.serviceConfig.SupplementaryGroups = [ (mkUsername name) ];
-  # Sudo rule for reloading PHP-FPM
+  # Sudo rules for service management
   security.sudo.extraRules = [{
     users = [ (mkUsername name) ];
     commands = [
@@ -185,6 +185,15 @@ in {
         command = "/run/current-system/sw/bin/systemctl reload phpfpm-${name}.service";
         options = [ "NOPASSWD" ];
       }
+    ] ++ lib.optionals queue [
+      {
+        command = "/run/current-system/sw/bin/systemctl status laravel-queue-${name}";
+        options = [ "NOPASSWD" ];
+      }
+      {
+        command = "/run/current-system/sw/bin/systemctl status laravel-queue-${name}.service";
+        options = [ "NOPASSWD" ];
+      }
     ];
   }];
 }
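Review bot: Dropping `@$(hostname)` from the `-C` comment on the new ssh-keygen line removes the only part of the key comment that distinguished this key from the same site's key generated on another host, which matters once the public key has been pasted into an authorized_keys or deploy-key list and later has to be traced back to a machine. If the intent is that the comment should not carry the hostname, record that next to the command, e.g. `# Key comment deliberately omits the hostname; it is a label only, not key material`; otherwise a host identifier should stay. The key-generation script this line belongs to begins and ends outside this hunk.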
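Review bot: Both added `systemctl status` rules run as root via sudo with NOPASSWD, and `systemctl status` starts a pager when attached to a terminal, so that pager also runs as root; recent systemd releases switch the pager to secure mode when they detect sudo, which should mitigate this, but the rule has no need for a pager at all. Adding `--no-pager` removes the dependency, and because sudo matches arguments exactly the flag has to be in the rule itself, e.g. `command = "/run/current-system/sw/bin/systemctl --no-pager status laravel-queue-${name}.service";` for both entries, with the welcome-message echo in the earlier `@@ -33,6 +33,7 @@` hunk updated to show the same invocation. The two entries differ only by the `.service` suffix; a one-line comment such as `# sudo needs an exact argument match, so accept both spellings of the unit name` would explain why the rule is duplicated.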