From 4bc68eeeafc1ee1f7efc6b75ea9ea1e90936e67f Mon Sep 17 00:00:00 2001
From: soraefir
Date: Fri, 8 May 2026 01:34:17 +0200
Subject: [PATCH] more fix
---
 modules/server/nftables/default.nix | 8 +++++++-
 systems/sandbox/cfg.nix | 1 -
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/modules/server/nftables/default.nix b/modules/server/nftables/default.nix
index 222fa50..ea206e9 100644
--- a/modules/server/nftables/default.nix
+++ b/modules/server/nftables/default.nix
@@ -1,6 +1,12 @@
 { config, lib, ... }:
 let
 cfg = config.syscfg.server;
+
+ DBlistNames = config.syscfg.server.db;
+ DBcontainerNames = lib.mapAttrsToList
+ (name: cfg: name)
+ (lib.filterAttrs (name: cfg: cfg.db or false) config.syscfg.server.containers);
+ DBallApps = lib.unique (DBlistNames ++ DBcontainerNames);
 in{
 boot.kernel.sysctl = {
 "net.ipv4.ip_forward" = 1;
@@ -15,7 +21,7 @@ in{
 ct state established,related accept
 iifname "lo" accept
 tcp dport {422, 22} accept
- ${if builtins.length cfg.db > 0 then ''tcp dport {5432, 6379} ip saddr { 10.0.0.0/8, 169.254.0.0/16 } accept'' else ""}
+ ${if builtins.length DBallApps > 0 then ''tcp dport {5432, 6379} ip saddr { 10.0.0.0/8, 169.254.0.0/16 } accept'' else ""}
 ${if cfg.web then ''tcp dport {80, 443} accept
 udp dport {80, 443} accept'' else ""}
 ${if cfg.wireguard then ''tcp dport {1515} accept
diff --git a/systems/sandbox/cfg.nix b/systems/sandbox/cfg.nix
index 63c1f7f..ac76081 100644
--- a/systems/sandbox/cfg.nix
+++ b/systems/sandbox/cfg.nix
@@ -22,7 +22,6 @@
 openssh = true;
 web = true;
 sops = true;
- db = [ "_" ];
 hostDomain = "test.helcel.net";
 shortName = "testcel";
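Review bot: The `filterAttrs` predicate in the first hunk, `(name: cfg: cfg.db or false)`, only works if a container's `db` attribute is a boolean; the server-level option it is merged with holds a list (the sandbox config had `db = [ "_" ]`), so if container `db` is declared with that same list type the predicate returns a list and evaluation fails with a type error instead of skipping the container — worth confirming against the container option's declaration. The inner lambda also shadows the outer `cfg` binding, and `mapAttrsToList (name: cfg: name)` is just `lib.attrNames`, so `DBcontainerNames = lib.attrNames (lib.filterAttrs (_: c: c.db or false) cfg.containers);` reads cleaner and matches using `cfg.db` for `DBlistNames` rather than spelling out `config.syscfg.server.db` again. Since `DBallApps` now gates the 5432/6379 allow rule in the second hunk for the whole 10.0.0.0/8 and 169.254.0.0/16 source ranges, a one-line comment above it such as `# non-empty when any app or db-flagged container needs the DB allow rule in the nftables ruleset below` would make that trigger visible to the reader. The `in{` attrset continues past the hunk.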