refactor: use ip filtering instead of address binding
parent
fecaee1a83
commit
f224052eca
|
@ -397,40 +397,42 @@
|
|||
services.caddy = {
|
||||
enable = true;
|
||||
globalConfig = ''
|
||||
# servers {
|
||||
# protocols h1 h2
|
||||
# }
|
||||
email "fresh.car0178@geemili.xyz"
|
||||
|
||||
@connected_via_tailscale {
|
||||
remote_ip 100.64.0.0/10
|
||||
remote_ip fd7a:115c:a1e0::/48
|
||||
}
|
||||
'';
|
||||
|
||||
virtualHosts."lldap.samsehu.perli.casa".extraConfig = ''
|
||||
bind 100.64.0.3
|
||||
handle @connected_via_tailscale {
|
||||
reverse_proxy localhost:17170
|
||||
}
|
||||
respond 403
|
||||
'';
|
||||
|
||||
virtualHosts."headscale.samsehu.perli.casa".extraConfig = ''
|
||||
bind 100.64.0.3 192.168.0.69
|
||||
reverse_proxy localhost:64639
|
||||
'';
|
||||
|
||||
virtualHosts."cockpit.samsehu.perli.casa".extraConfig = ''
|
||||
bind 100.64.0.3
|
||||
handle @connected_via_tailscale {
|
||||
reverse_proxy localhost:9090
|
||||
}
|
||||
respond 403
|
||||
'';
|
||||
|
||||
virtualHosts."git.samsehu.perli.casa".extraConfig = ''
|
||||
bind 100.64.0.3 192.168.0.69
|
||||
reverse_proxy localhost:3000
|
||||
'';
|
||||
|
||||
virtualHosts."jellyfin.samsehu.perli.casa".extraConfig = ''
|
||||
bind 100.64.0.3 192.168.0.69
|
||||
reverse_proxy localhost:8096
|
||||
'';
|
||||
|
||||
virtualHosts."nextcloud.samsehu.perli.casa".extraConfig = ''
|
||||
bind 100.64.0.3
|
||||
|
||||
handle @connected_via_tailscale {
|
||||
# https://docs.nextcloud.com/server/27/admin_manual/issues/general_troubleshooting.html#service-discovery
|
||||
redir /.well-known/carddav /remote.php/dav 301
|
||||
redir /.well-known/caldav /remote.php/dav 301
|
||||
|
@ -441,25 +443,33 @@
|
|||
capture_stderr
|
||||
}
|
||||
file_server
|
||||
}
|
||||
respond 403
|
||||
'';
|
||||
|
||||
virtualHosts."glauth.samsehu.perli.casa".extraConfig = ''
|
||||
bind 100.64.0.3
|
||||
handle @connected_via_tailscale {
|
||||
reverse_proxy localhost:5555
|
||||
}
|
||||
respond 403
|
||||
'';
|
||||
|
||||
virtualHosts."dex.samsehu.perli.casa".extraConfig = ''
|
||||
bind 100.64.0.3
|
||||
handle @connected_via_tailscale {
|
||||
reverse_proxy localhost:5556
|
||||
}
|
||||
respond 403
|
||||
'';
|
||||
|
||||
virtualHosts."kavita.samsehu.perli.casa".extraConfig = ''
|
||||
bind 100.64.0.3 192.168.0.69
|
||||
handle @connected_via_tailscale {
|
||||
reverse_proxy localhost:5000
|
||||
}
|
||||
respond 403
|
||||
'';
|
||||
|
||||
virtualHosts."aria.samsehu.perli.casa".extraConfig = ''
|
||||
bind 100.64.0.3
|
||||
handle @connected_via_tailscale {
|
||||
handle /jsonrpc {
|
||||
reverse_proxy localhost:6800
|
||||
}
|
||||
|
@ -468,31 +478,35 @@
|
|||
file_server
|
||||
}
|
||||
redir / /ariang/#!/settings/rpc/set?protocol=wss&host=aria.samsehu.perli.casa&port=443&secret=YXJpYTJycGM=&interface=jsonrpc
|
||||
}
|
||||
respond 403
|
||||
'';
|
||||
|
||||
virtualHosts."lid.arr.samsehu.perli.casa".extraConfig = ''
|
||||
bind 100.64.0.3
|
||||
handle @connected_via_tailscale {
|
||||
reverse_proxy localhost:8686
|
||||
}
|
||||
respond 403
|
||||
'';
|
||||
virtualHosts."rad.arr.samsehu.perli.casa".extraConfig = ''
|
||||
bind 100.64.0.3
|
||||
handle @connected_via_tailscale {
|
||||
reverse_proxy localhost:7878
|
||||
}
|
||||
respond 403
|
||||
'';
|
||||
virtualHosts."read.arr.samsehu.perli.casa".extraConfig = ''
|
||||
bind 100.64.0.3
|
||||
handle @connected_via_tailscale {
|
||||
reverse_proxy localhost:8787
|
||||
}
|
||||
respond 403
|
||||
'';
|
||||
virtualHosts."son.arr.samsehu.perli.casa".extraConfig = ''
|
||||
bind 100.64.0.3
|
||||
handle @connected_via_tailscale {
|
||||
reverse_proxy localhost:8989
|
||||
}
|
||||
respond 403
|
||||
'';
|
||||
};
|
||||
# patch the caddy service to wait for the tailscale interface before starting
|
||||
systemd.services."caddy" = {
|
||||
requires = [ "tailscaled.service" ];
|
||||
bindsTo = [ "sys-subsystem-net-devices-tailscale0.device" "sys-subsystem-net-devices-enp3s0.device" ];
|
||||
after = [ "sys-subsystem-net-devices-tailscale0.device" "sys-subsystem-net-devices-enp3s0.device" "tailscaled.service" ];
|
||||
};
|
||||
|
||||
# Headscale for access to the network while away from home
|
||||
services.headscale = {
|
||||
|
|
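Review bot: The `@connected_via_tailscale` matcher is declared inside `services.caddy.globalConfig`, which NixOS renders into Caddy's global options block; as far as I can tell named matchers are not accepted there and are scoped to the site block that defines them, so the `handle @connected_via_tailscale` lines in the virtual hosts will most likely fail when the Caddyfile is adapted. A snippet such as `(tailscale_only)` in `services.caddy.extraConfig` holding `@connected_via_tailscale remote_ip 100.64.0.0/10 fd7a:115c:a1e0::/48`, pulled into each restricted host with `import tailscale_only`, would keep the single definition. The +/- markers are lost on this page, so judging by the commit title the `bind 100.64.0.3` lines are the removed side; if so, Caddy now listens on every interface and the source-address match is the only gate in front of lldap, dex, glauth, cockpit and the others. It is worth pairing this with a per-interface firewall rule or strict reverse-path filtering (`networking.firewall.checkReversePath`) so that packets with a 100.64.0.0/10 source are only accepted on `tailscale0`, and a comment above the matcher should say that it relies on this.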