Deny most hosts publicly
This commit is contained in:
parent
793045c73a
commit
5bddda9d31
4 changed files with 26 additions and 18 deletions
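--- a/[file 1: path not shown on page]
+++ b/[file 1: path not shown on page]
@@ -69,8 +69,12 @@ with lib; {
 });
 default = [];
 };
-privateListenAddresses = mkOption {
+headscaleIPs = mkOption {
 type = types.listOf types.string;
+default = [
+"100.64.7.0/24"
+"fd7a:115c:a1e0:77::/64"
+];
 };
 virtualHosts = mkOption {
 type = types.attrs;
@@ -108,6 +112,16 @@ with lib; {
 # generate with:
 # (echo '{' && tailscale status -json | jq -r '.Self,.Peer[] | .DNSName[:-17] + " = { A = \"" + .TailscaleIPs[0] + "\"; AAAA = \"" + .TailscaleIPs[1] + "\";};"' && echo '}') > common/tailscale.nix
 tailscale = import ./tailscale.nix;
+publicAliases = {
+hera = [
+"blog"
+"cloud"
+"git"
+"lists"
+"matrix"
+"rpg"
+];
+};
 aliases = {
 hera = [
 "alerts"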
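Review bot: The new `headscaleIPs` option in the first hunk carries no `description`, yet its values are spliced verbatim into nginx `allow` directives and into headscale's `ip_prefixes` elsewhere in this commit, so the contract (CIDR ranges, trusted as client source ranges) is only implicit; a one-liner such as `description = "Address ranges allocated by headscale; also trusted as source ranges in the nginx access rules.";` would state it. The element type stays `types.listOf types.string`, which accepts any string, so a malformed entry surfaces only when nginx or headscale rejects the generated config rather than at evaluation. Since `privateListenAddresses` is removed outright with a different meaning for the replacement, any module outside these four files that still reads it will fail at evaluation time; a `mkRemovedOptionModule` entry would turn that into a clear message.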
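--- a/[file 2: path not shown on page]
+++ b/[file 2: path not shown on page]
@@ -49,12 +49,6 @@ in {
 
 m-0 = {
 virtualHosts = lib.genAttrs (hosts.aliases.${hostName} or []) (name: "${name}.maralorn.de");
-privateListenAddresses = [
-"127.0.0.1"
-"[::1]"
-"[${hosts.tailscale.${hostName}.AAAA}]"
-hosts.tailscale.${hostName}.A
-];
 };
 
 security.acme = {
@@ -189,6 +183,16 @@ in {
 };
 };
 nginx = {
+virtualHosts =
+lib.genAttrs
+(map (name: "${name}.maralorn.de") (builtins.filter (name: !(builtins.elem name hosts.publicAliases.${hostName} or []))
+(hosts.aliases.${hostName} or []))) (_: {
+extraConfig = ''
+satisfy any;
+${lib.concatMapStringsSep "\n" (ip_range: "allow ${ip_range};") config.m-0.headscaleIPs}
+deny all;
+'';
+});
 statusPage = true;
 recommendedOptimisation = true;
 recommendedGzipSettings = true;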
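Review bot: The `allow`/`deny` set added to `nginx.virtualHosts` in the second hunk lives in the server-level `extraConfig`, and nginx access directives are replaced rather than merged at lower levels: any `location` block on the same host that declares its own `allow`/`deny` drops the headscale restriction for that location without any error. `satisfy any` likewise means a host that also configures `auth_basic` or `auth_request` is reachable from any source address with valid credentials — intended for the monitoring hosts, but now the default for every alias not in `publicAliases`. Hosts present in `services.nginx.virtualHosts` but absent from `hosts.aliases.${hostName}` receive no rule at all. A comment above `virtualHosts =`, e.g. `# server-level ACL: a location-level allow/deny replaces it, and satisfy any lets basic auth bypass it`, would make the actual guarantee explicit for the next person adding a host.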
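--- a/[file 3: path not shown on page]
+++ b/[file 3: path not shown on page]
@@ -29,10 +29,7 @@ in {
 };
 logtail.enabled = false;
 metrics_listen_addr = "[::1]:9098";
-ip_prefixes = [
-"100.64.7.0/24"
-"fd7a:115c:a1e0:77::/64"
-];
+ip_prefixes = config.m-0.headscaleIPs;
 };
 };
 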
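--- a/[file 4: path not shown on page]
+++ b/[file 4: path not shown on page]
@@ -6,13 +6,6 @@
 commonOptions = {
 enableACME = true;
 forceSSL = true;
-extraConfig = ''
-satisfy any;
-allow ${config.m-0.prefix}::/64;
-allow ${config.m-0.hosts.tailscale.hera.AAAA}/64;
-allow ${config.m-0.hosts.tailscale.hera.A}/24;
-deny all;
-'';
 basicAuthFile = config.age.secrets."basic-auth/monitoring".path;
 };
 in {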
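Review bot: Removing `extraConfig` from `commonOptions` drops `allow ${config.m-0.prefix}::/64`, which the shared nginx rule elsewhere in this commit does not reproduce (it allows only `config.m-0.headscaleIPs`), so clients on that prefix now fall back to basic auth rather than passing the ACL. The network restriction for a monitoring host now also depends on its alias being listed in `hosts.aliases.hera` and not in `publicAliases`; a host that uses `commonOptions` but is missing from that list is guarded by `basicAuthFile` alone, with nothing in this file to flag it. A comment on `commonOptions` such as `# network ACL now comes from the shared nginx.virtualHosts rule keyed on hosts.aliases; every host using these options must be listed there` would record the dependency. The `let` binding that contains `commonOptions` begins before this hunk.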