bryan/nixos
0
0
Fork 0
mirror of https://github.com/itme-brain/nixos.git synced 2026-05-08 14:50:12 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(server): restrict private services to LAN and WireGuard CIDRs

Browse source
This commit is contained in:
Bryan Ramos 2026-04-12 20:37:31 -04:00
parent b58906f0e5
commit 2bab2759e6
5 changed files with 31 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

16
system/machines/server/modules/nginx/default.nix
View file

@ -4,11 +4,24 @@ with lib;
let
cfg = config.modules.system.nginx;
domain = "ramos.codes";
privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") cfg.privateAllowCidrs + "\ndeny all;";
in
{
options.modules.system.nginx = {
enable = mkEnableOption "Nginx Reverse Proxy";
privateAllowCidrs = mkOption {
type = types.listOf types.str;
default = [
"127.0.0.1/32"
"192.168.0.0/24"
"10.8.0.0/24"
];
description = ''
CIDR ranges allowed to access private vhosts (LAN + WireGuard).
'';
};
};
config = mkIf cfg.enable {
@ -78,6 +91,7 @@ in
locations."/" = {
proxyPass = "http://192.168.0.23:3080";
proxyWebsockets = true;
extraConfig = privateAccessRules;
};
};
@ -87,6 +101,7 @@ in
locations."/" = {
proxyPass = "http://192.168.0.23:8000";
proxyWebsockets = true;
extraConfig = privateAccessRules;
};
};
@ -96,6 +111,7 @@ in
locations."/" = {
proxyPass = "http://192.168.0.23:8188";
proxyWebsockets = true;
extraConfig = privateAccessRules;
};
};
};