Deny most hosts publicly

2023-03-04 16:29:32 +01:00 · 2023-03-04 16:29:32 +01:00 · 5bddda9d31
parent 793045c73a
commit 5bddda9d31
4 changed files with 26 additions and 18 deletions
--- a/common/default.nix
+++ b/common/default.nix
@ -69,8 +69,12 @@ with lib; {
      });
      default = [];
    };
-    privateListenAddresses = mkOption {
+    headscaleIPs = mkOption {
      type = types.listOf types.string;
+      default = [
+        "100.64.7.0/24"
+        "fd7a:115c:a1e0:77::/64"
+      ];
    };
    virtualHosts = mkOption {
      type = types.attrs;
@ -108,6 +112,16 @@ with lib; {
        # generate with:
        # (echo '{' && tailscale status -json | jq -r '.Self,.Peer[] | .DNSName[:-17] + " = { A = \"" + .TailscaleIPs[0] + "\"; AAAA = \"" + .TailscaleIPs[1] + "\";};"' && echo '}') > common/tailscale.nix
        tailscale = import ./tailscale.nix;
+        publicAliases = {
+          hera = [
+            "blog"
+            "cloud"
+            "git"
+            "lists"
+            "matrix"
+            "rpg"
+          ];
+        };
        aliases = {
          hera = [
            "alerts"
--- a/nixos/roles/default.nix
+++ b/nixos/roles/default.nix
@ -49,12 +49,6 @@ in {

  m-0 = {
    virtualHosts = lib.genAttrs (hosts.aliases.${hostName} or []) (name: "${name}.maralorn.de");
-    privateListenAddresses = [
-      "127.0.0.1"
-      "[::1]"
-      "[${hosts.tailscale.${hostName}.AAAA}]"
-      hosts.tailscale.${hostName}.A
-    ];
  };

  security.acme = {
@ -189,6 +183,16 @@ in {
      };
    };
    nginx = {
+      virtualHosts =
+        lib.genAttrs
+        (map (name: "${name}.maralorn.de") (builtins.filter (name: !(builtins.elem name hosts.publicAliases.${hostName} or []))
+            (hosts.aliases.${hostName} or []))) (_: {
+          extraConfig = ''
+            satisfy any;
+            ${lib.concatMapStringsSep "\n" (ip_range: "allow ${ip_range};") config.m-0.headscaleIPs}
+            deny all;
+          '';
+        });
      statusPage = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
--- a/nixos/roles/headscale.nix
+++ b/nixos/roles/headscale.nix
@ -29,10 +29,7 @@ in {
        };
        logtail.enabled = false;
        metrics_listen_addr = "[::1]:9098";
-        ip_prefixes = [
-          "100.64.7.0/24"
-          "fd7a:115c:a1e0:77::/64"
-        ];
+        ip_prefixes = config.m-0.headscaleIPs;
      };
    };

--- a/nixos/roles/monitoring/default.nix
+++ b/nixos/roles/monitoring/default.nix
@ -6,13 +6,6 @@
  commonOptions = {
    enableACME = true;
    forceSSL = true;
-    extraConfig = ''
-      satisfy any;
-      allow ${config.m-0.prefix}::/64;
-      allow ${config.m-0.hosts.tailscale.hera.AAAA}/64;
-      allow ${config.m-0.hosts.tailscale.hera.A}/24;
-      deny all;
-    '';
    basicAuthFile = config.age.secrets."basic-auth/monitoring".path;
  };
 in {