Deny most hosts publicly
This commit is contained in:
parent
793045c73a
commit
5bddda9d31
|
@ -69,8 +69,12 @@ with lib; {
|
|||
});
|
||||
default = [];
|
||||
};
|
||||
privateListenAddresses = mkOption {
|
||||
headscaleIPs = mkOption {
|
||||
type = types.listOf types.string;
|
||||
default = [
|
||||
"100.64.7.0/24"
|
||||
"fd7a:115c:a1e0:77::/64"
|
||||
];
|
||||
};
|
||||
virtualHosts = mkOption {
|
||||
type = types.attrs;
|
||||
|
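Review bot: `types.string` on the new `headscaleIPs` option is the deprecated nixpkgs type and produces an evaluation warning; the current name is `types.str`, so `type = types.listOf types.str;`. The option also has no `description`, and its values are CIDR prefixes rather than single addresses, which the name does not convey; a description such as "CIDR prefixes assigned by headscale; also used as the nginx allow-list for non-public virtual hosts" would make clear that two consumers read this one option. Because it is a module option that can be set per machine, the description should also say the value must match on the headscale host and on every host that builds the nginx allow-list, otherwise the address pool and the allow-list drift apart. The enclosing option set starts before this hunk.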
@ -108,6 +112,16 @@ with lib; {
|
|||
# generate with:
|
||||
# (echo '{' && tailscale status -json | jq -r '.Self,.Peer[] | .DNSName[:-17] + " = { A = \"" + .TailscaleIPs[0] + "\"; AAAA = \"" + .TailscaleIPs[1] + "\";};"' && echo '}') > common/tailscale.nix
|
||||
tailscale = import ./tailscale.nix;
|
||||
publicAliases = {
|
||||
hera = [
|
||||
"blog"
|
||||
"cloud"
|
||||
"git"
|
||||
"lists"
|
||||
"matrix"
|
||||
"rpg"
|
||||
];
|
||||
};
|
||||
aliases = {
|
||||
hera = [
|
||||
"alerts"
|
||||
|
|
|
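Review bot: `publicAliases.hera` is a second list whose meaning depends on its relation to `aliases.hera`, and nothing here states it: a name listed only in `publicAliases` has no effect, because the filter built elsewhere in this commit only subtracts it from `aliases`, so a misspelling leaves the real alias restricted (fail-closed) rather than exposed. A comment above `publicAliases = {` along the lines of `# Aliases reachable from the public internet; every other name in aliases is restricted to headscaleIPs. Must be a subset of aliases.` would record the invariant. Since this looks like a plain attribute set rather than a module option, a subset check would have to live in the module that consumes it. The enclosing attribute set continues outside the hunk.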
@ -49,12 +49,6 @@ in {
|
|||
|
||||
m-0 = {
|
||||
virtualHosts = lib.genAttrs (hosts.aliases.${hostName} or []) (name: "${name}.maralorn.de");
|
||||
privateListenAddresses = [
|
||||
"127.0.0.1"
|
||||
"[::1]"
|
||||
"[${hosts.tailscale.${hostName}.AAAA}]"
|
||||
hosts.tailscale.${hostName}.A
|
||||
];
|
||||
};
|
||||
|
||||
security.acme = {
|
||||
|
@ -189,6 +183,16 @@ in {
|
|||
};
|
||||
};
|
||||
nginx = {
|
||||
virtualHosts =
|
||||
lib.genAttrs
|
||||
(map (name: "${name}.maralorn.de") (builtins.filter (name: !(builtins.elem name hosts.publicAliases.${hostName} or []))
|
||||
(hosts.aliases.${hostName} or []))) (_: {
|
||||
extraConfig = ''
|
||||
satisfy any;
|
||||
${lib.concatMapStringsSep "\n" (ip_range: "allow ${ip_range};") config.m-0.headscaleIPs}
|
||||
deny all;
|
||||
'';
|
||||
});
|
||||
statusPage = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedGzipSettings = true;
|
||||
|
|
|
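Review bot: The `satisfy any; allow …; deny all;` block is emitted at server level, and nginx does not merge access directives with nested ones — a `location` inside any of these virtual hosts that declares its own `allow`/`deny` replaces the server-level list entirely, and `satisfy any` additionally lets any vhost carrying `basicAuthFile` or `auth_request` through from any address once the credential check passes. Both may be intended, but neither is visible from this hunk; a comment next to `extraConfig = ''` recording that location-level access rules override this list and that password-protected hosts remain publicly reachable would keep the next reader from assuming a hard block. The filter expression also relies on `or` binding tighter than function application; `(hosts.publicAliases.${hostName} or [])` with explicit parentheses reads the same to someone less familiar with Nix precedence. The enclosing attribute set begins before the hunk and continues after it.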
@ -29,10 +29,7 @@ in {
|
|||
};
|
||||
logtail.enabled = false;
|
||||
metrics_listen_addr = "[::1]:9098";
|
||||
ip_prefixes = [
|
||||
"100.64.7.0/24"
|
||||
"fd7a:115c:a1e0:77::/64"
|
||||
];
|
||||
ip_prefixes = config.m-0.headscaleIPs;
|
||||
};
|
||||
};
|
||||
|
||||
|
|
|
@ -6,13 +6,6 @@
|
|||
commonOptions = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
extraConfig = ''
|
||||
satisfy any;
|
||||
allow ${config.m-0.prefix}::/64;
|
||||
allow ${config.m-0.hosts.tailscale.hera.AAAA}/64;
|
||||
allow ${config.m-0.hosts.tailscale.hera.A}/24;
|
||||
deny all;
|
||||
'';
|
||||
basicAuthFile = config.age.secrets."basic-auth/monitoring".path;
|
||||
};
|
||||
in {
|
||||
|
|
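Review bot: Dropping the access block from `commonOptions` makes the monitoring hosts' IP restriction depend entirely on the generic nginx rule keyed on `hosts.aliases` elsewhere in this commit; a vhost using these options whose name is missing from `aliases.hera`, or listed in `publicAliases.hera`, is left with only `basicAuthFile` as protection, which is a silent fail-open compared to the explicit `deny all` that was here. The removed list also admitted `config.m-0.prefix::/64`, which the headscale-only allow-list does not cover, so clients on that prefix now need the basic-auth credentials. A comment on `commonOptions = {` such as `# IP allow-list now comes from the generic nginx rule keyed on hosts.aliases; keep every vhost using these options listed there` would record the dependency, or an `assertions` entry checking each such vhost name against `hosts.aliases.${hostName}` would enforce it at evaluation time.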