move some things out of the vpn namespace

sys/machines/hopper/lab/caddy.nix

@@ -5,6 +5,7 @@
 }: let
   inherit (vars.common) domain;
   caddyPort = 8336;
+  bridge = config.vpnNamespaces."wg".bridgeAddress;
 in {
   systemd.services.caddy.vpnConfinement = {
     enable = true;
@@ -26,7 +27,7 @@ in {
         extraConfig = ''
           reverse_proxy {
             header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
-            to localhost:8096
+            to ${bridge}:8096
           }
         '';
       };
@@ -46,13 +47,13 @@ in {
       prometheus = {
         hostName = "prometheus.hopper.xun.host:80";
         extraConfig = ''
-          reverse_proxy ${config.vpnNamespaces."wg".bridgeAddress}:${toString config.services.prometheus.port}
+          reverse_proxy ${bridge}:${toString config.services.prometheus.port}
         '';
       };
       adguard = {
         hostName = "adguard.hopper.xun.host:80";
         extraConfig = ''
-          reverse_proxy ${config.vpnNamespaces."wg".bridgeAddress}:${toString config.services.adguardhome.port}
+          reverse_proxy ${bridge}:${toString config.services.adguardhome.port}
         '';
       };
       transmission = {
@@ -64,7 +65,7 @@ in {
       dash = {
         hostName = "dash.hopper.xun.host:80";
         extraConfig = ''
-          reverse_proxy localhost:${toString config.services.homepage-dashboard.listenPort}
+          reverse_proxy ${bridge}:${toString config.services.homepage-dashboard.listenPort}
         '';
       };
       vw = {
@@ -73,7 +74,7 @@ in {
         extraConfig = ''
           reverse_proxy {
             header_up X-Real-Ip {http.request.header.CF-Connecting-IP}
-            to localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}
+            to ${bridge}:${toString config.services.vaultwarden.config.ROCKET_PORT}
           }
         '';
       };

sys/machines/hopper/lab/homepage.nix

@@ -5,11 +5,6 @@
 }: let
   inherit (vars.common) domain;
 in {
-  systemd.services.homepage-dashboard.vpnConfinement = {
-    enable = true;
-    vpnNamespace = "wg";
-  };
-
   systemd.services.homepage-dashboard.environment.HOMEPAGE_ALLOWED_HOSTS = "dash.hopper.xun.host";
 
   services.homepage-dashboard = {

sys/machines/hopper/lab/jellyfin.nix

@@ -1,8 +1,4 @@
 {
-  systemd.services.jellyfin.vpnConfinement = {
-    enable = true;
-    vpnNamespace = "wg";
-  };
   services.jellyfin.enable = true;
 
   services.restic.backups.hopper.paths = [

sys/machines/hopper/lab/vaultwarden.nix

@@ -1,10 +1,6 @@
 {config, ...}: {
   systemd.services.vaultwarden = {
     serviceConfig.EnvironmentFile = config.sops.secrets.vaultwarden-env.path;
-    vpnConfinement = {
-      enable = true;
-      vpnNamespace = "wg";
-    };
   };
   # NOTE send doesnt work, probably due to my cloudflare port rewriting rules
   services.vaultwarden = {

sys/machines/hopper/lab/vpn-namespace.nix

@@ -7,6 +7,9 @@
     allowTcpFromVPNToDefaultPorts = [
       config.services.prometheus.port
       config.services.adguardhome.port
+      config.services.vaultwarden.config.ROCKET_PORT
+      config.services.homepage-dashboard.listenPort
+      8096 # jellyfin port
     ];
   in {
     extraCommands = builtins.concatStringsSep "\n" (map