refactor: use ip filtering instead of address binding

LeRoyce Pearson 2024-01-09 16:35:16 -07:00
parent fecaee1a83
commit f224052eca
1 changed files with 62 additions and 48 deletions


@ -397,102 +397,116 @@
services.caddy = { services.caddy = {
enable = true; enable = true;
globalConfig = '' globalConfig = ''
# servers {
# protocols h1 h2
# }
email "fresh.car0178@geemili.xyz" email "fresh.car0178@geemili.xyz"
@connected_via_tailscale {
remote_ip 100.64.0.0/10
remote_ip fd7a:115c:a1e0::/48
}
''; '';
virtualHosts."lldap.samsehu.perli.casa".extraConfig = '' virtualHosts."lldap.samsehu.perli.casa".extraConfig = ''
bind 100.64.0.3 handle @connected_via_tailscale {
reverse_proxy localhost:17170 reverse_proxy localhost:17170
}
respond 403
''; '';
virtualHosts."headscale.samsehu.perli.casa".extraConfig = '' virtualHosts."headscale.samsehu.perli.casa".extraConfig = ''
bind 100.64.0.3 192.168.0.69
reverse_proxy localhost:64639 reverse_proxy localhost:64639
''; '';
virtualHosts."cockpit.samsehu.perli.casa".extraConfig = '' virtualHosts."cockpit.samsehu.perli.casa".extraConfig = ''
bind 100.64.0.3 handle @connected_via_tailscale {
reverse_proxy localhost:9090 reverse_proxy localhost:9090
}
respond 403
''; '';
virtualHosts."git.samsehu.perli.casa".extraConfig = '' virtualHosts."git.samsehu.perli.casa".extraConfig = ''
bind 100.64.0.3 192.168.0.69
reverse_proxy localhost:3000 reverse_proxy localhost:3000
''; '';
virtualHosts."jellyfin.samsehu.perli.casa".extraConfig = '' virtualHosts."jellyfin.samsehu.perli.casa".extraConfig = ''
bind 100.64.0.3 192.168.0.69
reverse_proxy localhost:8096 reverse_proxy localhost:8096
''; '';
virtualHosts."nextcloud.samsehu.perli.casa".extraConfig = '' virtualHosts."nextcloud.samsehu.perli.casa".extraConfig = ''
bind 100.64.0.3 handle @connected_via_tailscale {
# https://docs.nextcloud.com/server/27/admin_manual/issues/general_troubleshooting.html#service-discovery
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
# https://docs.nextcloud.com/server/27/admin_manual/issues/general_troubleshooting.html#service-discovery root * ${config.services.nextcloud.package}
redir /.well-known/carddav /remote.php/dav 301 php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket} {
redir /.well-known/caldav /remote.php/dav 301 root ${config.services.nextcloud.package}
capture_stderr
root * ${config.services.nextcloud.package} }
php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket} { file_server
root ${config.services.nextcloud.package}
capture_stderr
} }
file_server respond 403
''; '';
virtualHosts."glauth.samsehu.perli.casa".extraConfig = '' virtualHosts."glauth.samsehu.perli.casa".extraConfig = ''
bind 100.64.0.3 handle @connected_via_tailscale {
reverse_proxy localhost:5555 reverse_proxy localhost:5555
}
respond 403
''; '';
virtualHosts."dex.samsehu.perli.casa".extraConfig = '' virtualHosts."dex.samsehu.perli.casa".extraConfig = ''
bind 100.64.0.3 handle @connected_via_tailscale {
reverse_proxy localhost:5556 reverse_proxy localhost:5556
}
respond 403
''; '';
virtualHosts."kavita.samsehu.perli.casa".extraConfig = '' virtualHosts."kavita.samsehu.perli.casa".extraConfig = ''
bind 100.64.0.3 192.168.0.69 handle @connected_via_tailscale {
reverse_proxy localhost:5000 reverse_proxy localhost:5000
}
respond 403
''; '';
virtualHosts."aria.samsehu.perli.casa".extraConfig = '' virtualHosts."aria.samsehu.perli.casa".extraConfig = ''
bind 100.64.0.3 handle @connected_via_tailscale {
handle /jsonrpc { handle /jsonrpc {
reverse_proxy localhost:6800 reverse_proxy localhost:6800
}
handle_path /ariang* {
root * ${pkgs.ariang}/share/ariang
file_server
}
redir / /ariang/#!/settings/rpc/set?protocol=wss&host=aria.samsehu.perli.casa&port=443&secret=YXJpYTJycGM=&interface=jsonrpc
} }
handle_path /ariang* { respond 403
root * ${pkgs.ariang}/share/ariang
file_server
}
redir / /ariang/#!/settings/rpc/set?protocol=wss&host=aria.samsehu.perli.casa&port=443&secret=YXJpYTJycGM=&interface=jsonrpc
''; '';
virtualHosts."lid.arr.samsehu.perli.casa".extraConfig = '' virtualHosts."lid.arr.samsehu.perli.casa".extraConfig = ''
bind 100.64.0.3 handle @connected_via_tailscale {
reverse_proxy localhost:8686 reverse_proxy localhost:8686
}
respond 403
''; '';
virtualHosts."rad.arr.samsehu.perli.casa".extraConfig = '' virtualHosts."rad.arr.samsehu.perli.casa".extraConfig = ''
bind 100.64.0.3 handle @connected_via_tailscale {
reverse_proxy localhost:7878 reverse_proxy localhost:7878
}
respond 403
''; '';
virtualHosts."read.arr.samsehu.perli.casa".extraConfig = '' virtualHosts."read.arr.samsehu.perli.casa".extraConfig = ''
bind 100.64.0.3 handle @connected_via_tailscale {
reverse_proxy localhost:8787 reverse_proxy localhost:8787
}
respond 403
''; '';
virtualHosts."son.arr.samsehu.perli.casa".extraConfig = '' virtualHosts."son.arr.samsehu.perli.casa".extraConfig = ''
bind 100.64.0.3 handle @connected_via_tailscale {
reverse_proxy localhost:8989 reverse_proxy localhost:8989
}
respond 403
''; '';
}; };
# patch the caddy service to wait for the tailscale interface before starting
systemd.services."caddy" = {
requires = [ "tailscaled.service" ];
bindsTo = [ "sys-subsystem-net-devices-tailscale0.device" "sys-subsystem-net-devices-enp3s0.device" ];
after = [ "sys-subsystem-net-devices-tailscale0.device" "sys-subsystem-net-devices-enp3s0.device" "tailscaled.service" ];
};
# Headscale for access to the network while away from home # Headscale for access to the network while away from home
services.headscale = { services.headscale = {
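Review bot: The new `@connected_via_tailscale` matcher in `globalConfig` checks only the TCP peer address, so once `bind 100.64.0.3` is gone every virtual host listens on all interfaces and the `respond 403` gate rests entirely on the source falling in `100.64.0.0/10` or `fd7a:115c:a1e0::/48`. 100.64.0.0/10 is shared CGNAT space, so a connection with such a source address can legitimately arrive on the LAN/WAN interface (e.g. through an ISP that uses CGNAT) and would be treated as a Tailscale peer; consider tying the trust to the interface too, e.g. a firewall rule that drops `ip saddr 100.64.0.0/10` and `ip6 saddr fd7a:115c:a1e0::/48` on any interface other than `tailscale0`, or keeping `bind` on the gated hosts alongside the matcher. The matcher must also stay without the `forwarded` option, since that would let an `X-Forwarded-For` header spoof membership. Separately, the hosts that previously bound `192.168.0.69` change behaviour in two different directions: `kavita` now answers 403 to LAN clients, while `headscale`, `git` and `jellyfin` are now reachable on every interface with no matcher at all — possibly intended, but worth stating in the commit message.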