defiant/nginx: ip allowlist on nextcloud

2026-04-08 22:00:20 +02:00
parent 7401e3bb5e
commit 7918ebd7ea


@@ -35,7 +35,7 @@ in {
# dnsProvider = "domeneshop";
# environmentFile = config.sops.secrets."domeneshop/acme".path;
# webroot = null;
# }
# };
sops.secrets."domeneshop/acme" = {
group = "nginx";
};
@@ -63,15 +63,40 @@ in {
'';
} // overrides;
in {
"amalie.mansaker.no" = publicProxy "http://leonard.home.feal.no/" { };
"cloud.feal.no" = publicProxy "" {
listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; }
{ addr = "192.168.10.175"; port = 43080; ssl = false; }
# Note: cloud.feal.no is overriden in the local DNS, to allow use through Wireguard VPN
{ addr = "192.168.10.175"; port = 443; ssl = true; }
{ addr = "192.168.10.175"; port = 80; ssl = false; }
];
locations."/" = {
proxyPass = "http://challenger.home.feal.no";
extraConfig = ''
client_max_body_size 8G;
'';
};
extraConfig = ''
# Direct local traffic and NAT Hairpin
allow 192.168.10.0/24;
# Wireguard
allow 10.100.0.0/24;
# AS16185
allow 82.146.64.0/19;
allow 217.31.96.0/20;
allow 185.166.44.0/22;
# NTNU
allow 129.241.0.0/16;
deny all;
'';
};
"amalie.mansaker.no" = publicProxy "http://leonard.home.feal.no/" { };
"feal.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.feal.no" ]; };
"git.feal.no" = publicProxy "http://unix:${gitea.server.HTTP_ADDR}" { default = true; };
"iam.feal.no" = publicProxy "http://${keycloak.http-host}:${toString keycloak.http-port}" { };
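Review bot: The new `allow`/`deny` list in `extraConfig` for "cloud.feal.no" carries no note on why the public ranges are trusted or when they should be re-checked, and two of them are wide (a /16 and an ISP's aggregate blocks), so the allowlist is coarse rather than per-host; a line such as `# Allowlist is by source IP only and spans whole provider ranges; review when the set of trusted networks changes` above `allow 192.168.10.0/24;` would make the intent and its limits visible. The block only works if nginx sees the real client address on these listeners; it is applied at server level, so it also covers the `/` proxy location, but if `publicProxy` (defined before this hunk) ever generates a separate plain-HTTP redirect server for this vhost, that block may not inherit `extraConfig` and should be checked. `deny all` answers 403, which is fine for the stated goal; the `in { … }` attribute set enclosing these entries starts and ends outside the hunk.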
@@ -79,4 +104,10 @@ in {
"kinealbrigtsen.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.kinealbrigtsen.no" ]; };
"wiki.wackattack.eu" = publicProxy "http://leonard.home.feal.no/" { };
};
security.acme.certs."cloud.feal.no" = {
dnsProvider = "domeneshop";
environmentFile = config.sops.secrets."domeneshop/acme".path;
webroot = null;
};
}
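Review bot: The new `security.acme.certs."cloud.feal.no"` entry switches this host to DNS-01 (`dnsProvider`, `webroot = null`) without saying why, and the reason appears to be the allowlist added to the same vhost in this commit, which would block an HTTP-01 validation from the CA; a comment such as `# DNS-01: HTTP-01 cannot reach this vhost once non-allowlisted clients are denied` above `dnsProvider = "domeneshop";` records that dependency so nobody later reverts one half without the other. The `environmentFile` points at the sops secret whose group is set to `nginx` in the first hunk; the renewal service for this certificate runs as the ACME user rather than nginx, so it is worth verifying that the secret's owner/mode actually let that service read it (the hunk does not show the secret's mode). The enclosing `in { … }` set starts outside the hunk.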