feat(server): restrict private services to LAN and WireGuard CIDRs

Bryan Ramos 2026-04-12 20:37:31 -04:00
parent b58906f0e5
commit 2bab2759e6
5 changed files with 31 additions and 0 deletions


@ -7,6 +7,7 @@ let
domain = "ramos.codes"; domain = "ramos.codes";
user = config.sops.placeholder."RTSP_USER"; user = config.sops.placeholder."RTSP_USER";
pass = config.sops.placeholder."RTSP_PASS"; pass = config.sops.placeholder."RTSP_PASS";
privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") nginx.privateAllowCidrs + "\ndeny all;";
in in
{ {
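Review bot: `privateAccessRules` is the same expression pasted into five modules (this let block and those of the immich, nginx, sandpack and webdav files in this commit), so any later change to the rule format has to be repeated five times and a missed copy silently diverges. Since the nginx module already owns `privateAllowCidrs`, it could also expose the rendered rules — for example a `readOnly` option `privateAccessRules` of `types.lines` whose default is the current `concatMapStringsSep` expression — and each consumer would reduce to `privateAccessRules = nginx.privateAccessRules;`. The `let` block continues outside the hunk.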
@ -239,9 +240,13 @@ in
services.nginx.virtualHosts."frigate.${domain}" = mkIf nginx.enable { services.nginx.virtualHosts."frigate.${domain}" = mkIf nginx.enable {
useACMEHost = domain; useACMEHost = domain;
forceSSL = true; forceSSL = true;
locations."/" = {
extraConfig = privateAccessRules;
};
locations."/go2rtc/" = { locations."/go2rtc/" = {
proxyPass = "http://127.0.0.1:1984/"; proxyPass = "http://127.0.0.1:1984/";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = privateAccessRules;
}; };
}; };
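Review bot: Only the `/` and `/go2rtc/` locations receive the allow/deny rules, and nginx access directives written inside one `location` do not cascade to sibling locations, so any other location this vhost acquires from elsewhere (the hunk shows just these two; if the frigate service module contributes locations of its own, those would stay reachable) is left unrestricted. Placing the rules once at vhost level — `extraConfig = privateAccessRules;` next to `forceSSL = true;` — covers every location, including ones added later, and the two per-location copies can then be dropped; if any vhost in this repo uses `enableACME` instead of `useACMEHost`, its challenge location would then need an explicit `allow all;`. The same consideration applies to the immich, sandpack and webdav vhosts in this commit. The virtualHost attribute set is cut at both ends of the hunk.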


@ -6,6 +6,7 @@ let
nginx = config.modules.system.nginx; nginx = config.modules.system.nginx;
domain = "ramos.codes"; domain = "ramos.codes";
port = 2283; port = 2283;
privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") nginx.privateAllowCidrs + "\ndeny all;";
in in
{ {
@ -51,6 +52,7 @@ in
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString port}"; proxyPass = "http://127.0.0.1:${toString port}";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = privateAccessRules;
}; };
}; };
}; };


@ -4,11 +4,24 @@ with lib;
let let
cfg = config.modules.system.nginx; cfg = config.modules.system.nginx;
domain = "ramos.codes"; domain = "ramos.codes";
privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") cfg.privateAllowCidrs + "\ndeny all;";
in in
{ {
options.modules.system.nginx = { options.modules.system.nginx = {
enable = mkEnableOption "Nginx Reverse Proxy"; enable = mkEnableOption "Nginx Reverse Proxy";
privateAllowCidrs = mkOption {
type = types.listOf types.str;
default = [
"127.0.0.1/32"
"192.168.0.0/24"
"10.8.0.0/24"
];
description = ''
CIDR ranges allowed to access private vhosts (LAN + WireGuard).
'';
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
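Review bot: The default `privateAllowCidrs` list is IPv4-only, so if the vhosts also listen on IPv6 (not visible here) loopback `::1` and any LAN or WireGuard IPv6 client is denied although the intent is to admit them; either add the matching IPv6 prefixes or say in the description that only IPv4 sources are admitted. The description should also record that the rules match nginx's `$remote_addr`, which is only meaningful when this nginx terminates the client connection itself — behind another proxy or tunnel every request would carry that hop's address — and that an empty list renders as a bare `deny all;`, i.e. it fails closed. Suggested description: `CIDR ranges (matched against $remote_addr) allowed to reach private vhosts; LAN + WireGuard by default. IPv4 only unless IPv6 prefixes are added; an empty list denies everything.` The `config` attribute set that opens on the hunk's last line continues outside it.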
@ -78,6 +91,7 @@ in
locations."/" = { locations."/" = {
proxyPass = "http://192.168.0.23:3080"; proxyPass = "http://192.168.0.23:3080";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = privateAccessRules;
}; };
}; };
@ -87,6 +101,7 @@ in
locations."/" = { locations."/" = {
proxyPass = "http://192.168.0.23:8000"; proxyPass = "http://192.168.0.23:8000";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = privateAccessRules;
}; };
}; };
@ -96,6 +111,7 @@ in
locations."/" = { locations."/" = {
proxyPass = "http://192.168.0.23:8188"; proxyPass = "http://192.168.0.23:8188";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = privateAccessRules;
}; };
}; };
}; };


@ -4,6 +4,7 @@ with lib;
let let
cfg = config.modules.system.sandpack; cfg = config.modules.system.sandpack;
domain = "ramos.codes"; domain = "ramos.codes";
privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") config.modules.system.nginx.privateAllowCidrs + "\ndeny all;";
staticBrowserServer = pkgs.stdenvNoCC.mkDerivation (finalAttrs: let staticBrowserServer = pkgs.stdenvNoCC.mkDerivation (finalAttrs: let
pnpm = pkgs.pnpm_10; pnpm = pkgs.pnpm_10;
@ -97,6 +98,8 @@ in
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:4333"; proxyPass = "http://127.0.0.1:4333";
extraConfig = '' extraConfig = ''
${privateAccessRules}
add_header Access-Control-Allow-Origin "*" always; add_header Access-Control-Allow-Origin "*" always;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
add_header Access-Control-Allow-Headers "Content-Type, Authorization" always; add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;
@ -116,6 +119,8 @@ in
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:4324"; proxyPass = "http://127.0.0.1:4324";
extraConfig = '' extraConfig = ''
${privateAccessRules}
add_header Access-Control-Allow-Origin "*" always; add_header Access-Control-Allow-Origin "*" always;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
add_header Access-Control-Allow-Headers "Content-Type, Authorization" always; add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;


@ -4,6 +4,7 @@ with lib;
let let
cfg = config.modules.system.webdav; cfg = config.modules.system.webdav;
domain = "ramos.codes"; domain = "ramos.codes";
privateAccessRules = concatMapStringsSep "\n" (cidr: "allow ${cidr};") config.modules.system.nginx.privateAllowCidrs + "\ndeny all;";
in in
{ {
@ -50,6 +51,8 @@ in
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:8090"; proxyPass = "http://127.0.0.1:8090";
extraConfig = '' extraConfig = ''
${privateAccessRules}
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;