refactor: use ip filtering instead of address binding

2024-01-09 16:35:16 -07:00 · 2024-01-09 16:35:16 -07:00 · f224052eca
parent fecaee1a83
commit f224052eca
1 changed files with 62 additions and 48 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -397,102 +397,116 @@
  services.caddy = {
    enable = true;
    globalConfig = ''
-      # servers {
-      #   protocols h1 h2
-      # }
      email "fresh.car0178@geemili.xyz"
+
+      @connected_via_tailscale {
+        remote_ip 100.64.0.0/10
+        remote_ip fd7a:115c:a1e0::/48
+      }
    '';

    virtualHosts."lldap.samsehu.perli.casa".extraConfig = ''
-      bind 100.64.0.3
-      reverse_proxy localhost:17170
+      handle @connected_via_tailscale {
+        reverse_proxy localhost:17170
+      }
+      respond 403
    '';

    virtualHosts."headscale.samsehu.perli.casa".extraConfig = ''
-      bind 100.64.0.3 192.168.0.69
      reverse_proxy localhost:64639
    '';

    virtualHosts."cockpit.samsehu.perli.casa".extraConfig = ''
-      bind 100.64.0.3
-      reverse_proxy localhost:9090
+      handle @connected_via_tailscale {
+        reverse_proxy localhost:9090
+      }
+      respond 403
    '';

    virtualHosts."git.samsehu.perli.casa".extraConfig = ''
-      bind 100.64.0.3 192.168.0.69
      reverse_proxy localhost:3000
    '';

    virtualHosts."jellyfin.samsehu.perli.casa".extraConfig = ''
-      bind 100.64.0.3 192.168.0.69
      reverse_proxy localhost:8096
    '';

    virtualHosts."nextcloud.samsehu.perli.casa".extraConfig = ''
-      bind 100.64.0.3
+      handle @connected_via_tailscale {
+        # https://docs.nextcloud.com/server/27/admin_manual/issues/general_troubleshooting.html#service-discovery
+        redir /.well-known/carddav /remote.php/dav 301
+        redir /.well-known/caldav /remote.php/dav 301

-      # https://docs.nextcloud.com/server/27/admin_manual/issues/general_troubleshooting.html#service-discovery
-      redir /.well-known/carddav /remote.php/dav 301
-      redir /.well-known/caldav /remote.php/dav 301
-
-      root * ${config.services.nextcloud.package}
-      php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket} {
-        root ${config.services.nextcloud.package}
-        capture_stderr
+        root * ${config.services.nextcloud.package}
+        php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket} {
+          root ${config.services.nextcloud.package}
+          capture_stderr
+        }
+        file_server
      }
-      file_server
+      respond 403
    '';

    virtualHosts."glauth.samsehu.perli.casa".extraConfig = ''
-      bind 100.64.0.3
-      reverse_proxy localhost:5555
+      handle @connected_via_tailscale {
+        reverse_proxy localhost:5555
+      }
+      respond 403
    '';

    virtualHosts."dex.samsehu.perli.casa".extraConfig = ''
-      bind 100.64.0.3
-      reverse_proxy localhost:5556
+      handle @connected_via_tailscale {
+        reverse_proxy localhost:5556
+      }
+      respond 403
    '';

    virtualHosts."kavita.samsehu.perli.casa".extraConfig = ''
-      bind 100.64.0.3 192.168.0.69
-      reverse_proxy localhost:5000
+      handle @connected_via_tailscale {
+        reverse_proxy localhost:5000
+      }
+      respond 403
    '';
 
    virtualHosts."aria.samsehu.perli.casa".extraConfig = ''
-      bind 100.64.0.3
-      handle /jsonrpc {
-        reverse_proxy localhost:6800 
+      handle @connected_via_tailscale {
+        handle /jsonrpc {
+          reverse_proxy localhost:6800
+        }
+        handle_path /ariang* {
+          root * ${pkgs.ariang}/share/ariang
+          file_server
+        }
+        redir / /ariang/#!/settings/rpc/set?protocol=wss&host=aria.samsehu.perli.casa&port=443&secret=YXJpYTJycGM=&interface=jsonrpc
      }
-      handle_path /ariang* {
-        root * ${pkgs.ariang}/share/ariang
-        file_server
-      }
-      redir / /ariang/#!/settings/rpc/set?protocol=wss&host=aria.samsehu.perli.casa&port=443&secret=YXJpYTJycGM=&interface=jsonrpc
+      respond 403
    '';

    virtualHosts."lid.arr.samsehu.perli.casa".extraConfig = ''
-      bind 100.64.0.3 
-      reverse_proxy localhost:8686
+      handle @connected_via_tailscale {
+        reverse_proxy localhost:8686
+      }
+      respond 403
    '';
    virtualHosts."rad.arr.samsehu.perli.casa".extraConfig = ''
-      bind 100.64.0.3 
-      reverse_proxy localhost:7878
+      handle @connected_via_tailscale {
+        reverse_proxy localhost:7878
+      }
+      respond 403
    '';
    virtualHosts."read.arr.samsehu.perli.casa".extraConfig = ''
-      bind 100.64.0.3 
-      reverse_proxy localhost:8787
+      handle @connected_via_tailscale {
+        reverse_proxy localhost:8787
+      }
+      respond 403
    '';
    virtualHosts."son.arr.samsehu.perli.casa".extraConfig = ''
-      bind 100.64.0.3 
-      reverse_proxy localhost:8989 
+      handle @connected_via_tailscale {
+        reverse_proxy localhost:8989
+      }
+      respond 403
    '';
  };
-  # patch the caddy service to wait for the tailscale interface before starting
-  systemd.services."caddy" = {
-    requires = [ "tailscaled.service" ];
-    bindsTo = [ "sys-subsystem-net-devices-tailscale0.device" "sys-subsystem-net-devices-enp3s0.device" ];
-    after = [ "sys-subsystem-net-devices-tailscale0.device" "sys-subsystem-net-devices-enp3s0.device" "tailscaled.service" ];
-  };

  # Headscale for access to the network while away from home
  services.headscale = {