fix(server): remove sslh and enforce direct nginx client IP filtering

2026-05-08 14:50:12 -04:00 · 2026-04-12 21:23:34 -04:00 · 2026-04-12 21:23:34 -04:00 · b8bd062859
commit b8bd062859
parent de3dd664e2
1 changed files with 0 additions and 14 deletions
--- a/system/machines/server/modules/nginx/default.nix
+++ b/system/machines/server/modules/nginx/default.nix
@ -14,7 +14,6 @@ in
    privateAllowCidrs = mkOption {
      type = types.listOf types.str;
      default = [
-        "127.0.0.1/32"
        "192.168.0.0/24"
        "10.8.0.0/24"
      ];
@ -41,25 +40,12 @@ in
      };
    };

-    services.sslh = {
-      enable = true;
-      listenAddresses = [ "0.0.0.0" ];
-      port = 443;
-      settings = {
-        protocols = [
-          { name = "ssh"; host = "127.0.0.1"; port = "22"; }
-          { name = "tls"; host = "127.0.0.1"; port = "4443"; }
-        ];
-      };
-    };
-
    services.nginx = {
      enable = true;
      recommendedTlsSettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      eventsConfig = "worker_connections 4096;";
-      defaultSSLListenPort = 4443;

      # Catch-all default - friendly error for unknown subdomains
      virtualHosts."_" = {