From a09dd925ac4054288e1c0e7f64d644422584574a Mon Sep 17 00:00:00 2001
From: Kyle Isom
Date: Wed, 25 Mar 2026 19:51:38 -0700
Subject: [PATCH] rift: open firewall for mc-proxy (443, 8443, 9443) and exod (8080, 9090)
Remove implicit reliance on temp iptables rules. All externally accessible ports are now declared in NixOS config.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 hw/rift/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/rift/default.nix b/hw/rift/default.nix
index 30d3b5d..9a77372 100644
--- a/hw/rift/default.nix
+++ b/hw/rift/default.nix
@@ -10,8 +10,8 @@
 # Allow rootless containers (Podman) to bind port 53 for CoreDNS (MCNS precursor).
 boot.kernel.sysctl."net.ipv4.ip_unprivileged_port_start" = 53;
- # Open DNS port for LAN clients querying CoreDNS.
- networking.firewall.allowedTCPPorts = [ 53 ];
+ # Open ports: DNS (53), mc-proxy (443, 8443, 9443), exod (8080, 9090).
+ networking.firewall.allowedTCPPorts = [ 53 443 8443 9443 8080 9090 ];
 networking.firewall.allowedUDPPorts = [ 53 ];
 };
 }
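Review bot: The new `networking.firewall.allowedTCPPorts` line opens 443, 8443, 9443, 8080 and 9090 on every interface, whereas the comment it replaces scoped DNS to LAN clients; if rift has any non-LAN interface, these services become reachable there as well. Consider scoping them with `networking.firewall.interfaces."<lan-iface>".allowedTCPPorts = [ 53 443 8443 9443 8080 9090 ];`, where `<lan-iface>` is a placeholder for the real interface name. It is also worth confirming that exod's 8080 and 9090 are meant to be reached directly rather than through mc-proxy, since the diff does not show whether those listeners are authenticated or TLS-terminated. Because the context line above sets `net.ipv4.ip_unprivileged_port_start` to 53, any unprivileged local process can bind 443 when mc-proxy is not holding it, so the comment could name which service owns each port. The enclosing attribute set starts outside the hunk.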