From 7c047a16b7bb12b63481c5bfae62e388bdc96936 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 5 Apr 2026 14:29:09 +0000
Subject: [PATCH] Security: restrict RTL, Mempool ports to LAN-only; remove
 global firewall rules

Agent-Logs-Url: https://github.com/naturallaw777/staging_alpha/sessions/1110322d-bc41-4d5d-9a4c-e5f7a5d2ef57

Co-authored-by: naturallaw777 <99053422+naturallaw777@users.noreply.github.com>
---
 modules/core/caddy.nix      | 4 ++--
 modules/core/sovran-hub.nix | 1 -
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/modules/core/caddy.nix b/modules/core/caddy.nix
index 7f4d811..b4eabec 100755
--- a/modules/core/caddy.nix
+++ b/modules/core/caddy.nix
@@ -156,7 +156,7 @@ EOF
       # ── RTL (LAN access) ────────────────────────────
       cat >> /run/caddy/Caddyfile <<EOF
 
-:3051 {
+http://127.0.0.1:3051, http://sovransystemsos.local:3051 {
   reverse_proxy :3050
   encode gzip zstd
 }
@@ -165,7 +165,7 @@ EOF
       # ── Mempool (LAN access) ────────────────────────
       cat >> /run/caddy/Caddyfile <<EOF
 
-:60847 {
+http://127.0.0.1:60847, http://sovransystemsos.local:60847 {
   reverse_proxy :60845
   encode gzip zstd
 }
diff --git a/modules/core/sovran-hub.nix b/modules/core/sovran-hub.nix
index fa83a94..88d2bb5 100644
--- a/modules/core/sovran-hub.nix
+++ b/modules/core/sovran-hub.nix
@@ -293,6 +293,5 @@ in
       };
     };
 
-    networking.firewall.allowedTCPPorts = [ 3051 8937 60847 ];
   };
 }