defiant/nginx: ip allowlist on nextcloud

This commit is contained in:
2026-04-08 22:00:20 +02:00
parent 7401e3bb5e
commit 7918ebd7ea


@@ -35,7 +35,7 @@ in {
# dnsProvider = "domeneshop"; # dnsProvider = "domeneshop";
# environmentFile = config.sops.secrets."domeneshop/acme".path; # environmentFile = config.sops.secrets."domeneshop/acme".path;
# webroot = null; # webroot = null;
# } # };
sops.secrets."domeneshop/acme" = { sops.secrets."domeneshop/acme" = {
group = "nginx"; group = "nginx";
}; };
@@ -63,15 +63,40 @@ in {
''; '';
} // overrides; } // overrides;
in { in {
"amalie.mansaker.no" = publicProxy "http://leonard.home.feal.no/" { };
"cloud.feal.no" = publicProxy "" { "cloud.feal.no" = publicProxy "" {
listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; }
{ addr = "192.168.10.175"; port = 43080; ssl = false; }
# Note: cloud.feal.no is overriden in the local DNS, to allow use through Wireguard VPN
{ addr = "192.168.10.175"; port = 443; ssl = true; }
{ addr = "192.168.10.175"; port = 80; ssl = false; }
];
locations."/" = { locations."/" = {
proxyPass = "http://challenger.home.feal.no"; proxyPass = "http://challenger.home.feal.no";
extraConfig = '' extraConfig = ''
client_max_body_size 8G; client_max_body_size 8G;
''; '';
}; };
extraConfig = ''
# Direct local traffic and NAT Hairpin
allow 192.168.10.0/24;
# Wireguard
allow 10.100.0.0/24;
# AS16185
allow 82.146.64.0/19;
allow 217.31.96.0/20;
allow 185.166.44.0/22;
# NTNU
allow 129.241.0.0/16;
deny all;
'';
}; };
"amalie.mansaker.no" = publicProxy "http://leonard.home.feal.no/" { };
"feal.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.feal.no" ]; }; "feal.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.feal.no" ]; };
"git.feal.no" = publicProxy "http://unix:${gitea.server.HTTP_ADDR}" { default = true; }; "git.feal.no" = publicProxy "http://unix:${gitea.server.HTTP_ADDR}" { default = true; };
"iam.feal.no" = publicProxy "http://${keycloak.http-host}:${toString keycloak.http-port}" { }; "iam.feal.no" = publicProxy "http://${keycloak.http-host}:${toString keycloak.http-port}" { };
@@ -79,4 +104,10 @@ in {
"kinealbrigtsen.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.kinealbrigtsen.no" ]; }; "kinealbrigtsen.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.kinealbrigtsen.no" ]; };
"wiki.wackattack.eu" = publicProxy "http://leonard.home.feal.no/" { }; "wiki.wackattack.eu" = publicProxy "http://leonard.home.feal.no/" { };
}; };
security.acme.certs."cloud.feal.no" = {
dnsProvider = "domeneshop";
environmentFile = config.sops.secrets."domeneshop/acme".path;
webroot = null;
};
} }
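Review bot: The `allow 192.168.10.0/24` entry in the new `extraConfig` is only as strong as the source address the router hands nginx on the forwarded 43443/43080 ports: if the port-forward (or the hairpin NAT the comment mentions) rewrites the source to the router's LAN address, every Internet client matches the first `allow` and `deny all` never fires. Before relying on this list, connect to the public port from outside the allowed ranges and confirm the access log shows the real client address and a 403; if it shows a 192.168.10.x address instead, narrow that entry to the hosts that actually need it. Either way the assumption deserves a comment next to it, e.g. `# relies on forwarded traffic keeping its original source address; verify $remote_addr in the access log`. Note also that nginx `allow`/`deny` in `server` context are superseded by any `location` that declares its own `allow`/`deny`, so if `publicProxy` (defined above this hunk) adds locations such as a `.well-known` handler they would need the same list; the move of `cloud.feal.no` to a DNS-01 challenge in the last hunk is what keeps the ACME validator itself out of reach of the `deny all`.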