Lock down services to LAN

nix/application/containers.nix

@@ -1,13 +1,5 @@
 { config, lib, pkgs, ... }:
 {
-  environment.etc."containers/containers.conf".text = lib.mkForce ''
-    [engine]
-    init_path = "${pkgs.catatonit}/bin/catatonit"
-
-    [network]
-    network_backend = "cni"
-    cni_plugin_dirs = ["${pkgs.cni-plugins}/bin"]
-  '';
   virtualisation.oci-containers = {
     containers = {
 

nix/application/headscale.nix

@@ -4,7 +4,10 @@
     address = "0.0.0.0";
     port = 35893;
     settings = { 
-      dns.base_domain = "vpn.matri.cx";
+      dns = {
+        base_domain = "vpn.matri.cx";
+        nameservers.global = ["192.168.0.130" "1.1.1.1"];
+      };
       logtail.enabled = false; 
       noise.private_key_path = "/var/lib/headscale/noise_private.key";
       server_url = "https://vpn.matri.cx:443";
@@ -12,11 +15,8 @@
   };
   services.tailscale = {
     enable = true;
-    extraSetFlags = [
-      "--advertise-exit-node"
-    ];
     extraUpFlags = [
-      "--advertise-tags=tag:home-server"
+      "--accept-routes" "--advertise-exit-node" "--advertise-routes=192.168.0.0/24" "--login-server=https://vpn.matri.cx"
     ];
     useRoutingFeatures = "both";
   };

nix/application/nginx.nix

@@ -33,20 +33,23 @@
           };
         };
 
-        proxiedLAN = { target }: base {
+        proxiedLAN = { target, extra ? ""}: base {
           "/" = {
             proxyPass = target;
-            extraConfig = ''
+            extraConfig = allowedLANAddrs + extra;
-              allow 192.168.0.0/24;
-              deny all;
-            '';
           };
         };
+
+        allowedLANAddrs = ''
+          allow 127.0.0.1;
+          allow 192.168.0.0/24;
+          allow 100.64.0.0/24;
+          deny all;
+        '';
       in
       {
         "default.host" = { default = true; root = "/var/www/default";};
         "atuin.matri.cx" = proxied { target = "http://127.0.0.1:8888"; };
-        "brohan.lol" = static { dir = "/var/www/brohan.lol"; };
         "cache.matri.cx" = proxiedLAN {
           target = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
         };
@@ -59,10 +62,13 @@
           '';
         };
         "eversole.co" = proxied { target = "http://127.0.0.1:5196"; };
-        "flux.matri.cx" = proxied { target = "http://127.0.0.1:26343"; };
+        "flux.matri.cx" = proxiedLAN { target = "http://127.0.0.1:26343"; };
         "git.eversole.co" = proxied { target = "http://127.0.0.1:8027"; };
-        "graf.matri.cx" = { root = "/var/www/graf.matri.cx"; }; # refer to /monitoring/nginx.nix
+        "graf.matri.cx" = { # refer to /monitoring/nginx.nix
-        "hydra.matri.cx" = proxied {
+          root = "/var/www/graf.matri.cx";
+          extraConfig = allowedLANAddrs;
+        };
+        "hydra.matri.cx" = proxiedLAN {
           target = "http://127.0.0.1:3034";
           extra = ''
             proxy_set_header X-Request-Base "https://hydra.matri.cx";
@@ -70,9 +76,9 @@
         };
         "jame.su" = static { dir = "/var/www/jame.su"; };
         "matri.cx" = static { dir = "/var/www/matri.cx"; };
-        "media.matri.cx" = proxied { target = "http://127.0.0.1:8096"; };
+        "media.matri.cx" = proxiedLAN { target = "http://127.0.0.1:8096"; };
         "purr.eversole.co" = proxied { target = "http://127.0.0.1:5195"; };
-        "pw.eversole.co" = proxied { target = "http://127.0.0.1:40080"; };
+        "pw.eversole.co" = proxiedLAN { target = "http://127.0.0.1:40080"; };
         "sezycei.com" = static { dir = "/var/www/sezycei.com"; };
         "snakebelmont.com" = static { dir = "/var/www/snakebelmont.com"; };
         "transmission.matri.cx" = proxiedLAN { target = "http://127.0.0.1:9091"; };