Open firewall ports

clamav.nix

@@ -35,6 +35,12 @@ in {
       };
     };
 
+    networking.firewall = {
+      enable = true;
+      allowedTCPPorts = [ cfg.port ];
+      allowedUDPPorts = [ cfg.port ];
+    };
+
     systemd.tmpfiles.rules =
       [ "d ${cfg.state-directory} 0750 clamav clamav - -" ];
 

dkim.nix

@@ -75,6 +75,12 @@ in {
   };
 
   config = mkIf cfg.enable {
+    networking.firewall = {
+      enable = true;
+      allowedTCPPorts = [ cfg.port ];
+      allowedUDPPorts = [ cfg.port ];
+    };
+
     services.opendkim = {
       enable = true;
       selector = cfg.selector;

mail-server.nix

@@ -412,11 +412,6 @@ in {
                 imports = [ ./rspamd.nix ];
                 boot.tmp.useTmpfs = true;
                 system.nssModules = lib.mkForce [ ];
-                networking.firewall = {
-                  enable = true;
-                  allowedTCPPorts = [ metricsPort antispamPort ];
-                  allowedUDPPorts = [ antispamPort ];
-                };
                 fudo.mail.rspamd = {
                   enable = true;
                   ports = {

rspamd.nix

@@ -45,13 +45,20 @@ in {
   };
 
   config = mkIf cfg.enable {
-    services.prometheus.exporters.rspamd = {
+    networking.firewall = {
+      enable = true;
+      allowedTCPPorts = with cfg.ports; [ metrics controller milter ];
+      allowedUDPPorts = with cfg.ports; [ controller milter ];
+    };
+
+    services = {
+      prometheus.exporters.rspamd = {
         enable = true;
         listenAddress = "127.0.0.1";
         port = cfg.ports.metrics;
       };
 
-    services.rspamd = {
+      rspamd = {
         enable = true;
 
         locals = {
@@ -277,4 +284,5 @@ in {
         };
       };
     };
+  };
 }