bryan/nixos
0
0
Fork 0
mirror of https://github.com/itme-brain/nixos.git synced 2026-05-08 14:50:12 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(server): restrict private services to LAN and WireGuard CIDRs

Browse source
This commit is contained in:
Bryan Ramos 2026-04-12 20:37:31 -04:00
parent b58906f0e5
commit 2bab2759e6
5 changed files with 31 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
system/machines/server/modules/sandpack/default.nix
View file

@ -4,6 +4,7 @@ with lib;
let
cfg = config.modules.system.sandpack;
domain = "ramos.codes";
privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") config.modules.system.nginx.privateAllowCidrs + "\ndeny all;";
staticBrowserServer = pkgs.stdenvNoCC.mkDerivation (finalAttrs: let
pnpm = pkgs.pnpm_10;
@ -97,6 +98,8 @@ in
locations."/" = {
proxyPass = "http://127.0.0.1:4333";
extraConfig = ''
${privateAccessRules}
add_header Access-Control-Allow-Origin "*" always;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;
@ -116,6 +119,8 @@ in
locations."/" = {
proxyPass = "http://127.0.0.1:4324";
extraConfig = ''
${privateAccessRules}
add_header Access-Control-Allow-Origin "*" always;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;