From 7918ebd7ea2c81cd6eabbb135b1e03e44d76f56d Mon Sep 17 00:00:00 2001
From: Felix Albrigtsen
Date: Wed, 8 Apr 2026 22:00:20 +0200
Subject: [PATCH] defiant/nginx: ip allowlist on nextcloud
---
 hosts/defiant/services/nginx.nix | 35 ++++++++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)
diff --git a/hosts/defiant/services/nginx.nix b/hosts/defiant/services/nginx.nix
index 5a9c88e..7cbc150 100644
--- a/hosts/defiant/services/nginx.nix
+++ b/hosts/defiant/services/nginx.nix
@@ -35,7 +35,7 @@ in {
  # dnsProvider = "domeneshop";
  # environmentFile = config.sops.secrets."domeneshop/acme".path;
  # webroot = null;
- # }
+ # };
  sops.secrets."domeneshop/acme" = {
  group = "nginx";
  };
@@ -63,15 +63,40 @@ in {
  '';
  } // overrides;
  in {
- "amalie.mansaker.no" = publicProxy "http://leonard.home.feal.no/" { };
  "cloud.feal.no" = publicProxy "" {
+ listen = [
+ { addr = "192.168.10.175"; port = 43443; ssl = true; }
+ { addr = "192.168.10.175"; port = 43080; ssl = false; }
+ # Note: cloud.feal.no is overriden in the local DNS, to allow use through Wireguard VPN
+ { addr = "192.168.10.175"; port = 443; ssl = true; }
+ { addr = "192.168.10.175"; port = 80; ssl = false; }
+ ];
  locations."/" = {
  proxyPass = "http://challenger.home.feal.no";
  extraConfig = ''
  client_max_body_size 8G;
  '';
  };
+ extraConfig = ''
+ # Direct local traffic and NAT Hairpin
+ allow 192.168.10.0/24;
+
+ # Wireguard
+ allow 10.100.0.0/24;
+
+ # AS16185
+ allow 82.146.64.0/19;
+ allow 217.31.96.0/20;
+ allow 185.166.44.0/22;
+
+ # NTNU
+ allow 129.241.0.0/16;
+
+ deny all;
+ '';
  };
+
+ "amalie.mansaker.no" = publicProxy "http://leonard.home.feal.no/" { };
  "feal.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.feal.no" ]; };
  "git.feal.no" = publicProxy "http://unix:${gitea.server.HTTP_ADDR}" { default = true; };
  "iam.feal.no" = publicProxy "http://${keycloak.http-host}:${toString keycloak.http-port}" { };
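Review bot: The four `listen` entries in the `cloud.feal.no` block repeat the bind address `192.168.10.175` literally, and the `allow` prefixes in the new `extraConfig` carry no provenance, so the block is hard to audit when the host address or an upstream prefix changes; bind the address once in the surrounding `let` (e.g. `lanAddr = "192.168.10.175";`) and annotate each prefix group with its source and last-checked date (`# AS16185 — source: <placeholder>, checked <placeholder>`). The ISP-wide prefixes under `# AS16185` and `# NTNU` admit every customer of those networks, so the list narrows exposure but is not an authentication control, and a comment stating that Nextcloud's own login remains the gate would keep the next reader from over-trusting it. Because nginx binds the LAN address directly and no proxy is visible in front of it, the `allow`/`deny` evaluation against the client address appears sound, but the `# Direct local traffic and NAT Hairpin` comment should also say whether a hairpinned connection arrives with the router's source address, since that decides which entry actually matches — confirm against the router's NAT configuration.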
@@ -79,4 +104,10 @@ in {
  "kinealbrigtsen.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.kinealbrigtsen.no" ]; };
  "wiki.wackattack.eu" = publicProxy "http://leonard.home.feal.no/" { };
  };
+
+ security.acme.certs."cloud.feal.no" = {
+ dnsProvider = "domeneshop";
+ environmentFile = config.sops.secrets."domeneshop/acme".path;
+ webroot = null;
+ };
 }
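Review bot: The new `security.acme.certs."cloud.feal.no"` block switches this certificate to DNS-01 (`webroot = null`, `dnsProvider = "domeneshop"`) without saying why, while the `cloud.feal.no` server block in the previous hunk now answers `deny all` to anyone outside the allowlist, which includes the HTTP-01 validators; a one-line comment such as `# DNS-01 only: the IP allowlist on this vhost would block HTTP-01 validation` would tie the two together. That same server block notes that `cloud.feal.no` is overridden in local DNS; if that override also answers for subdomains, the propagation check for `_acme-challenge.cloud.feal.no` may consult the local resolver and stall renewals, so consider pointing the cert's `dnsResolver` at an external resolver and verify one renewal before relying on it. The near-identical `dnsProvider`/`environmentFile`/`webroot` lines remain commented out around line 35 in the first hunk; removing them or leaving a pointer to this block avoids two sources of truth.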