From abc74ceb94c5749fc719991380d2fb3a34c30f64 Mon Sep 17 00:00:00 2001
From: Harald Hoyer <harald@hoyer.xyz>
Date: Wed, 17 Sep 2025 15:34:09 +0200
Subject: [PATCH] feat: open listen addr and add firewall config

---
 config.nix | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/config.nix b/config.nix
index 44d65e3..119e934 100644
--- a/config.nix
+++ b/config.nix
@@ -12,6 +12,12 @@ in
       description = "Port to listen on for HTTP/SSE server";
     };
 
+    openFirewall = lib.mkOption {
+      default = false;
+      type = lib.types.bool;
+      description = "Whether to open the firewall for the specified port.";
+    };
+
     user = lib.mkOption {
       type = lib.types.str;
       default = "cratedocs-mcp";
@@ -26,13 +32,15 @@ in
   };
 
   config = lib.mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = lib.mkIf cfg.openFirewall [ cfg.port ];
+
     systemd.services.cratedocs-mcp = {
       description = "CrateDocs MCP server";
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
 
       serviceConfig = {
-        ExecStart = "${lib.getExe pkgs.cratedocs-mcp} http -a 127.0.0.1:${toString cfg.port}";
+        ExecStart = "${lib.getExe pkgs.cratedocs-mcp} http -a 0.0.0.0:${toString cfg.port}";
         Restart = "always";
         User = cfg.user;
         Group = cfg.group;