From b27d748e3083cc787aecc167da3cadec60bfe8ca Mon Sep 17 00:00:00 2001
From: James Eversole
Date: Tue, 22 Apr 2025 13:40:41 -0500
Subject: [PATCH] Lock down services to LAN
---
 nix/application/containers.nix | 8 --------
 nix/application/headscale.nix | 10 +++++-----
 nix/application/nginx.nix | 28 +++++++++++++++++-----------
 3 files changed, 22 insertions(+), 24 deletions(-)
diff --git a/nix/application/containers.nix b/nix/application/containers.nix
index 31417b6..b178b66 100644
--- a/nix/application/containers.nix
+++ b/nix/application/containers.nix
@@ -1,13 +1,5 @@
 { config, lib, pkgs, ... }:
 {
- environment.etc."containers/containers.conf".text = lib.mkForce ''
- [engine]
- init_path = "${pkgs.catatonit}/bin/catatonit"
-
- [network]
- network_backend = "cni"
- cni_plugin_dirs = ["${pkgs.cni-plugins}/bin"]
- '';
 
 virtualisation.oci-containers = {
 containers = {
diff --git a/nix/application/headscale.nix b/nix/application/headscale.nix
index 524554d..2d17d43 100644
--- a/nix/application/headscale.nix
+++ b/nix/application/headscale.nix
@@ -4,7 +4,10 @@
 address = "0.0.0.0";
 port = 35893;
 settings = {
- dns.base_domain = "vpn.matri.cx";
+ dns = {
+ base_domain = "vpn.matri.cx";
+ nameservers.global = ["192.168.0.130" "1.1.1.1"];
+ };
 logtail.enabled = false;
 noise.private_key_path = "/var/lib/headscale/noise_private.key";
 server_url = "https://vpn.matri.cx:443";
@@ -12,11 +15,8 @@
 };
 services.tailscale = {
 enable = true;
- extraSetFlags = [
- "--advertise-exit-node"
- ];
 extraUpFlags = [
- "--advertise-tags=tag:home-server"
+ "--accept-routes" "--advertise-exit-node" "--advertise-routes=192.168.0.0/24"
 "--login-server=https://vpn.matri.cx"
 ];
 useRoutingFeatures = "both";
 };
diff --git a/nix/application/nginx.nix b/nix/application/nginx.nix
index 88fd144..700e5e3 100644
--- a/nix/application/nginx.nix
+++ b/nix/application/nginx.nix
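Review bot: The new `nameservers.global` list mixes the LAN resolver 192.168.0.130 with the public 1.1.1.1, so a tailnet node that has not accepted the 192.168.0.0/24 route advertised in the next hunk (or is denied it by policy) cannot reach the first server and may silently fall through to Cloudflare, sending lookups for internal names to a public resolver in cleartext. If 192.168.0.130 is meant to answer only for internal zones, headscale's `dns.nameservers.split` keyed by those domains would keep that traffic off the global list; at minimum document the fallback next to the line: `# 192.168.0.130 is only reachable via the advertised 192.168.0.0/24 route; nodes without it fall back to 1.1.1.1`. That 192.168.0.130 is an internal-only resolver is inferred from the address, not visible in this patch.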
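Review bot: Dropping `"--advertise-tags=tag:home-server"` from `extraUpFlags` changes how this node is identified to headscale's ACL policy on a fresh registration — a tagged device versus one attributed to the enrolling user — so any policy rule or `autoApprovers` entry keyed on `tag:home-server` stops matching, which matters precisely now that the same line starts advertising `192.168.0.0/24` and an exit node to the tailnet. If the policy references that tag, keep it alongside the new flags: `"--accept-routes" "--advertise-exit-node" "--advertise-routes=192.168.0.0/24" "--advertise-tags=tag:home-server"`. Either way the subnet route and exit node widen LAN reachability for every peer the policy permits, so the policy file (not part of this patch) is what actually enforces the "LAN only" intent of the commit; a one-line comment above `extraUpFlags` stating that dependency would make the lock-down auditable.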
@@ -33,20 +33,23 @@
 };
 };
- proxiedLAN = { target }: base {
+ proxiedLAN = { target, extra ? ""}: base {
 "/" = {
 proxyPass = target;
- extraConfig = ''
- allow 192.168.0.0/24;
- deny all;
- '';
+ extraConfig = allowedLANAddrs + extra;
 };
 };
+
+ allowedLANAddrs = ''
+ allow 127.0.0.1;
+ allow 192.168.0.0/24;
+ allow 100.64.0.0/24;
+ deny all;
+ '';
 in {
 "default.host" = { default = true; root = "/var/www/default";};
 "atuin.matri.cx" = proxied { target = "http://127.0.0.1:8888"; };
- "brohan.lol" = static { dir = "/var/www/brohan.lol"; };
 "cache.matri.cx" = proxiedLAN {
 target = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
 };
@@ -59,10 +62,13 @@
 '';
 };
 "eversole.co" = proxied { target = "http://127.0.0.1:5196"; };
- "flux.matri.cx" = proxied { target = "http://127.0.0.1:26343"; };
+ "flux.matri.cx" = proxiedLAN { target = "http://127.0.0.1:26343"; };
 "git.eversole.co" = proxied { target = "http://127.0.0.1:8027"; };
- "graf.matri.cx" = { root = "/var/www/graf.matri.cx"; }; # refer to /monitoring/nginx.nix
- "hydra.matri.cx" = proxied {
+ "graf.matri.cx" = { # refer to /monitoring/nginx.nix
+ root = "/var/www/graf.matri.cx";
+ extraConfig = allowedLANAddrs;
+ };
+ "hydra.matri.cx" = proxiedLAN {
 target = "http://127.0.0.1:3034";
 extra = ''
 proxy_set_header X-Request-Base "https://hydra.matri.cx";
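Review bot: `allow 100.64.0.0/24;` in `allowedLANAddrs` covers only 256 tailnet addresses, while headscale allocates from 100.64.0.0/10 unless `prefixes.v4` is narrowed (the headscale.nix hunks in this patch do not set it), so a node landing outside that /24 is denied — fail-closed, but surprising; either widen to `allow 100.64.0.0/10;` or pin `prefixes.v4 = "100.64.0.0/24";` in headscale.nix so the two stay in step. The list is also only as strong as `$remote_addr`: if anything fronts nginx (a CDN or another reverse proxy), every request arrives from that hop's address and the decision is either uniformly wrong or, once `real_ip_header` is configured, driven by a client-supplied header — worth a comment if nginx is known to terminate client connections directly. `allow 127.0.0.1;` additionally lets any process on the host that can be induced to fetch a URL reach the LAN-only vhosts, so it belongs in the list only if a local consumer actually needs it.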
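Review bot: For `graf.matri.cx` the allow/deny list is applied at server level through `extraConfig`, but ngx_http_access_module directives written inside a `location` replace the inherited set rather than extend it, so the restriction holds only if none of the locations defined in /monitoring/nginx.nix declare their own `allow`/`deny`. A comment on that line would pin the assumption down: `# server-level allow/deny; a location in /monitoring/nginx.nix with its own allow/deny replaces this list`. The `hydra.matri.cx` definition continues past the end of this hunk.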
@@ -70,9 +76,9 @@
 };
 "jame.su" = static { dir = "/var/www/jame.su"; };
 "matri.cx" = static { dir = "/var/www/matri.cx"; };
- "media.matri.cx" = proxied { target = "http://127.0.0.1:8096"; };
+ "media.matri.cx" = proxiedLAN { target = "http://127.0.0.1:8096"; };
 "purr.eversole.co" = proxied { target = "http://127.0.0.1:5195"; };
- "pw.eversole.co" = proxied { target = "http://127.0.0.1:40080"; };
+ "pw.eversole.co" = proxiedLAN { target = "http://127.0.0.1:40080"; };
 "sezycei.com" = static { dir = "/var/www/sezycei.com"; };
 "snakebelmont.com" = static { dir = "/var/www/snakebelmont.com"; };
 "transmission.matri.cx" = proxiedLAN { target = "http://127.0.0.1:9091"; };
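Review bot: `pw.eversole.co` and `media.matri.cx` move to `proxiedLAN` while `purr.eversole.co` between them stays on the public `proxied` helper, and nothing in the file records which vhosts are meant to remain internet-facing after this lock-down. If the split is deliberate, a short marker on each remaining public entry, e.g. `"purr.eversole.co" = proxied { target = "http://127.0.0.1:5195"; }; # intentionally public`, keeps the exposure surface reviewable the next time a service is added. Note that with the new list, off-LAN clients of `pw.eversole.co` can reach it only from tailnet addresses inside 100.64.0.0/24.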