From 2bab2759e6554bcc9d5c1ee361f97bb739976e6a Mon Sep 17 00:00:00 2001
From: Bryan Ramos
Date: Sun, 12 Apr 2026 20:37:31 -0400
Subject: [PATCH] feat(server): restrict private services to LAN and WireGuard CIDRs
---
 .../machines/server/modules/frigate/default.nix | 5 +++++
 .../machines/server/modules/immich/default.nix | 2 ++
 system/machines/server/modules/nginx/default.nix | 16 ++++++++++++++++
 .../machines/server/modules/sandpack/default.nix | 5 +++++
 .../machines/server/modules/webdav/default.nix | 3 +++
 5 files changed, 31 insertions(+)
diff --git a/system/machines/server/modules/frigate/default.nix b/system/machines/server/modules/frigate/default.nix
index e067de0..402cfcc 100644
--- a/system/machines/server/modules/frigate/default.nix
+++ b/system/machines/server/modules/frigate/default.nix
@@ -7,6 +7,7 @@ let
 domain = "ramos.codes";
 user = config.sops.placeholder."RTSP_USER";
 pass = config.sops.placeholder."RTSP_PASS";
+ privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") nginx.privateAllowCidrs + "\ndeny all;";
 in
 {
@@ -239,9 +240,13 @@ in
 services.nginx.virtualHosts."frigate.${domain}" = mkIf nginx.enable {
 useACMEHost = domain;
 forceSSL = true;
+ locations."/" = {
+ extraConfig = privateAccessRules;
+ };
 locations."/go2rtc/" = {
 proxyPass = "http://127.0.0.1:1984/";
 proxyWebsockets = true;
+ extraConfig = privateAccessRules;
 };
 };
diff --git a/system/machines/server/modules/immich/default.nix b/system/machines/server/modules/immich/default.nix
index 031336d..f38e079 100644
--- a/system/machines/server/modules/immich/default.nix
+++ b/system/machines/server/modules/immich/default.nix
@@ -6,6 +6,7 @@ let
 nginx = config.modules.system.nginx;
 domain = "ramos.codes";
 port = 2283;
+ privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") nginx.privateAllowCidrs + "\ndeny all;";
 in
 {
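Review bot: The access rules in the frigate vhost hunk are attached per location (`locations."/"` and `locations."/go2rtc/"`), and nginx does not carry `allow`/`deny` from `location /` over to sibling locations, so any other `location` this vhost receives from outside the hunk stays reachable from any source address — the added `locations."/"` has no `proxyPass`, which suggests it merges into a location the upstream frigate module defines, and that module is known to add further locations such as `/api/`. Putting the rules in the vhost's own `extraConfig` (server context) makes them the default for every location unless one explicitly overrides them: `services.nginx.virtualHosts."frigate.${domain}" = mkIf nginx.enable { extraConfig = privateAccessRules; ... }`. The same per-location placement is used in the immich hunk, the three vhost hunks in nginx/default.nix, and the sandpack and webdav hunks, where it also has to be repeated for every location added later. The virtualHost attribute set is complete within the hunk, but the enclosing module body continues outside it.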
@@ -51,6 +52,7 @@ in
 locations."/" = {
 proxyPass = "http://127.0.0.1:${toString port}";
 proxyWebsockets = true;
+ extraConfig = privateAccessRules;
 };
 };
 };
diff --git a/system/machines/server/modules/nginx/default.nix b/system/machines/server/modules/nginx/default.nix
index 44ad00f..ca93de7 100644
--- a/system/machines/server/modules/nginx/default.nix
+++ b/system/machines/server/modules/nginx/default.nix
@@ -4,11 +4,24 @@ with lib;
 let
 cfg = config.modules.system.nginx;
 domain = "ramos.codes";
+ privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") cfg.privateAllowCidrs + "\ndeny all;";
 in
 {
 options.modules.system.nginx = {
 enable = mkEnableOption "Nginx Reverse Proxy";
+
+ privateAllowCidrs = mkOption {
+ type = types.listOf types.str;
+ default = [
+ "127.0.0.1/32"
+ "192.168.0.0/24"
+ "10.8.0.0/24"
+ ];
+ description = ''
+ CIDR ranges allowed to access private vhosts (LAN + WireGuard).
+ '';
+ };
 };
 config = mkIf cfg.enable {
@@ -78,6 +91,7 @@ in
 locations."/" = {
 proxyPass = "http://192.168.0.23:3080";
 proxyWebsockets = true;
+ extraConfig = privateAccessRules;
 };
 };
@@ -87,6 +101,7 @@ in
 locations."/" = {
 proxyPass = "http://192.168.0.23:8000";
 proxyWebsockets = true;
+ extraConfig = privateAccessRules;
 };
 };
@@ -96,6 +111,7 @@ in
 locations."/" = {
 proxyPass = "http://192.168.0.23:8188";
 proxyWebsockets = true;
+ extraConfig = privateAccessRules;
 };
 };
 };
diff --git a/system/machines/server/modules/sandpack/default.nix b/system/machines/server/modules/sandpack/default.nix
index e4e5a9c..d8b46a1 100644
--- a/system/machines/server/modules/sandpack/default.nix
+++ b/system/machines/server/modules/sandpack/default.nix
@@ -4,6 +4,7 @@ with lib;
 let
 cfg = config.modules.system.sandpack;
 domain = "ramos.codes";
+ privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") config.modules.system.nginx.privateAllowCidrs + "\ndeny all;";
 staticBrowserServer = pkgs.stdenvNoCC.mkDerivation (finalAttrs: let
 pnpm = pkgs.pnpm_10;
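Review bot: The `privateAllowCidrs` description in the nginx option hunk does not say how the ranges are enforced, which is what a reader deciding whether to rely on this option needs: the generated `allow`/`deny` lines are matched by nginx against the connecting address (`$remote_addr`), so the list only restricts anything when nginx terminates client connections directly rather than behind another proxy it trusts for client addresses. I would extend the description to state that, to note that an empty list yields `deny all;` for every private vhost (fail-closed, since the tail is unconditional), and to note that the defaults are IPv4-only so IPv6 clients fall through to the deny. Separately, the `privateAccessRules` let-binding is copied verbatim into the frigate, immich, sandpack and webdav modules; exposing it from this module (for example a `readOnly = true` option whose `default` is the same expression) would keep the `deny all;` tail from drifting between copies. The enclosing module attribute set continues outside the hunk.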
@@ -97,6 +98,8 @@ in
 locations."/" = {
 proxyPass = "http://127.0.0.1:4333";
 extraConfig = ''
+ ${privateAccessRules}
+
 add_header Access-Control-Allow-Origin "*" always;
 add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
 add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;
@@ -116,6 +119,8 @@ in
 locations."/" = {
 proxyPass = "http://127.0.0.1:4324";
 extraConfig = ''
+ ${privateAccessRules}
+
 add_header Access-Control-Allow-Origin "*" always;
 add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
 add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;
diff --git a/system/machines/server/modules/webdav/default.nix b/system/machines/server/modules/webdav/default.nix
index 1b90573..1eb5684 100644
--- a/system/machines/server/modules/webdav/default.nix
+++ b/system/machines/server/modules/webdav/default.nix
@@ -4,6 +4,7 @@ with lib;
 let
 cfg = config.modules.system.webdav;
 domain = "ramos.codes";
+ privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") config.modules.system.nginx.privateAllowCidrs + "\ndeny all;";
 in
 {
@@ -50,6 +51,8 @@ in
 locations."/" = {
 proxyPass = "http://127.0.0.1:8090";
 extraConfig = ''
+ ${privateAccessRules}
+
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;