From 5f1ed3c49244a2a7cb3f41b36920f5e1246a4475 Mon Sep 17 00:00:00 2001
From: xunuwu
Date: Thu, 5 Jun 2025 09:38:08 +0200
Subject: [PATCH] change intranet domain

---
 flake.lock | 26 ------------------------
 flake.nix | 3 ---
 sys/machines/hopper/lab/acme.nix | 2 +-
 sys/machines/hopper/lab/caddy.nix | 12 +++++------
 sys/machines/hopper/lab/default.nix | 6 ------
 sys/machines/hopper/lab/dnsmasq.nix | 2 +-
 sys/machines/hopper/lab/homepage.nix | 10 ++++-----
 sys/machines/hopper/lab/transmission.nix | 3 ++-
 8 files changed, 15 insertions(+), 49 deletions(-)

diff --git a/flake.lock b/flake.lock
index 108d642..25dbcbc 100644
--- a/flake.lock
+++ b/flake.lock
@@ -67,30 +67,6 @@
 "type": "github"
 }
 },
- "cloudflare-ipv4": {
- "flake": false,
- "locked": {
- "narHash": "sha256-V4dThTb8iw02hjngubVtSJbEeWgOS1e/ODt1fLjLZvk=",
- "type": "file",
- "url": "https://www.cloudflare.com/ips-v4"
- },
- "original": {
- "type": "file",
- "url": "https://www.cloudflare.com/ips-v4"
- }
- },
- "cloudflare-ipv6": {
- "flake": false,
- "locked": {
- "narHash": "sha256-BgpkXCAh/MmK3GTAElKiGJctCYUN+/UgvpuawqGmitE=",
- "type": "file",
- "url": "https://www.cloudflare.com/ips-v6"
- },
- "original": {
- "type": "file",
- "url": "https://www.cloudflare.com/ips-v6"
- }
- },
 "crane": {
 "locked": {
 "lastModified": 1745454774,
@@ -844,8 +820,6 @@
 },
 "root": {
 "inputs": {
- "cloudflare-ipv4": "cloudflare-ipv4",
- "cloudflare-ipv6": "cloudflare-ipv6",
 "disko": "disko",
 "firefox-addons": "firefox-addons",
 "flake-parts": "flake-parts",
diff --git a/flake.nix b/flake.nix
index 2c15b00..6d328e2 100644
--- a/flake.nix
+++ b/flake.nix
@@ -83,9 +83,6 @@
 own-website.url = "github:xunuwu/xunuwu.xyz";
 own-website.inputs.nixpkgs.follows = "nixpkgs";
 
- cloudflare-ipv4.url = "file+https://www.cloudflare.com/ips-v4";
- cloudflare-ipv6.url = "file+https://www.cloudflare.com/ips-v6";
-
 wallpaper.url = "file+https://cdn.donmai.us/original/43/20/__kasane_teto_and_kasane_teto_utau_and_1_more_drawn_by_maguru_white__43204cf49ef8c071c34009553d1c0455.jpg";
 };
 }
diff --git a/sys/machines/hopper/lab/acme.nix b/sys/machines/hopper/lab/acme.nix
index 01ade84..3e38cca 100644
--- a/sys/machines/hopper/lab/acme.nix
+++ b/sys/machines/hopper/lab/acme.nix
@@ -11,7 +11,7 @@ in {
 certs = {
 "${domain}" = {
 domain = "${domain}";
- extraDomainNames = ["*.${domain}"];
+ extraDomainNames = ["*.${domain}" "*.hopper.priv.${domain}"];
 dnsProvider = "cloudflare";
 reloadServices = ["caddy.service"];
 credentialFiles = {
diff --git a/sys/machines/hopper/lab/caddy.nix b/sys/machines/hopper/lab/caddy.nix
index c42fcd7..54a2430 100644
--- a/sys/machines/hopper/lab/caddy.nix
+++ b/sys/machines/hopper/lab/caddy.nix
@@ -22,10 +22,6 @@ in {
 enable = true;
 globalConfig = "metrics";
 virtualHosts = let
- blockNonCloudflare = ''
- @blocked not remote_ip ${builtins.replaceStrings ["\n"] [" "] (builtins.foldl' (res: ip-ver: "${res} ${builtins.readFile inputs."cloudflare-${ip-ver}".outPath}") "" ["ipv4" "ipv6"])}
- respond @blocked "Access only allowed through cloudflare" 403
- '';
 mkPublicEntry = name: destination: {
 useACMEHost = domain;
 hostName = "${name}.${domain}";
@@ -36,8 +32,12 @@ in {
 '';
 };
 mkPrivateEntry = name: destination: {
- hostName = "${name}.hopper.xun.host:80";
- extraConfig = "reverse_proxy ${destination}";
+ hostName = "${name}.hopper.priv.${domain}";
+ extraConfig = ''
+ @blocked not remote_ip ${bridge}
+ respond @blocked "limited to intranet" 403
+ reverse_proxy ${destination}
+ '';
 };
 in {
 navidrome = mkPublicEntry "navidrome" "${bridge}:${toString config.services.navidrome.settings.Port}";
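Review bot: Adding `*.hopper.priv.${domain}` to the public ACME certificate's `extraDomainNames` publishes the internal `hopper.priv` label in Certificate Transparency logs, because the issued certificate and every renewal are logged; the wildcard hides the individual service names but not the intranet zone itself. If that trade-off is intended, record it next to the line, e.g. `# intranet wildcard on the public cert: the priv zone is visible in CT logs`; if not, a separate certificate or an internal CA for the private zone avoids it. The `certs` attribute set continues outside the hunk.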
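Review bot: `mkPrivateEntry`, which is fully inside the second caddy.nix hunk, drops the `:80` suffix from `hostName` but sets no `useACMEHost`, unlike `mkPublicEntry` a few lines above it; Caddy will therefore try to obtain certificates for the `*.hopper.priv.${domain}` names on its own (its default automatic HTTPS), and the SAN this commit adds in acme.nix would go unused, unless the entries are merged with that option elsewhere in the `virtualHosts = let … in { … }` expression, which starts before and ends after the hunk. The one-line fix is `useACMEHost = domain;` as the first attribute of `mkPrivateEntry`. Separately, `@blocked not remote_ip ${bridge}` admits only requests whose source address is `bridge` itself, and `bridge` is used as a proxy destination (`${bridge}:…`) in the same hunk, which suggests a host-side bridge address rather than the range intranet clients arrive from; if clients come in over tailscale, as the `tailscale0` binding in dnsmasq.nix implies, they would be answered with the 403. Confirm the intended source range and document it above the matcher, e.g. `# only the intranet source range may reach private services; everything else gets 403 before the proxy`.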
diff --git a/sys/machines/hopper/lab/default.nix b/sys/machines/hopper/lab/default.nix
index f8084af..99ae776 100644
--- a/sys/machines/hopper/lab/default.nix
+++ b/sys/machines/hopper/lab/default.nix
@@ -27,12 +27,6 @@
 
 networking.firewall = {
 allowedUDPPorts = [1900 7359]; # Jellyfin auto-discovery
- allowedTCPPorts = [
- # caddy lan ports
- 80
- 443
- 2345
- ];
 };
 
 boot.kernel.sysctl."fs.inotify.max_user_watches" = 99999999;
diff --git a/sys/machines/hopper/lab/dnsmasq.nix b/sys/machines/hopper/lab/dnsmasq.nix
index 2e5e881..b95423a 100644
--- a/sys/machines/hopper/lab/dnsmasq.nix
+++ b/sys/machines/hopper/lab/dnsmasq.nix
@@ -10,7 +10,7 @@
 server = ["1.1.1.1" "8.8.8.8"];
 interface = ["tailscale0"];
 bind-interfaces = true;
- address = lib.mapAttrsToList (n: v: "/.${n}.xun.host/${v}") vars.tailnet;
+ address = lib.mapAttrsToList (n: v: "/.${n}.priv.${vars.domain}/${v}") vars.tailnet;
 };
 };
 }
diff --git a/sys/machines/hopper/lab/homepage.nix b/sys/machines/hopper/lab/homepage.nix
index 6383b21..f56c91a 100644
--- a/sys/machines/hopper/lab/homepage.nix
+++ b/sys/machines/hopper/lab/homepage.nix
@@ -8,7 +8,7 @@ in {
 services.homepage-dashboard = {
 enable = true;
- allowedHosts = "dash.hopper.xun.host";
+ allowedHosts = "dash.hopper.priv.${domain}";
 widgets = [
 {
 resources = {
@@ -27,7 +27,7 @@ in {
 "Downloading" = [
 {
 "transmission" = {
- href = "http://transmission.hopper.xun.host";
+ href = "https://transmission.hopper.priv.${domain}";
 icon = "transmission";
 widget = {
 type = "transmission";
@@ -37,7 +37,7 @@ in {
 }
 {
 "slskd" = {
- href = "http://slskd.hopper.xun.host";
+ href = "https://slskd.hopper.priv.${domain}";
 icon = "slskd";
 };
 }
@@ -59,7 +59,7 @@ in {
 }
 {
 "prometheus" = {
- href = "http://prometheus.hopper.xun.host";
+ href = "https://prometheus.hopper.priv.${domain}";
 icon = "prometheus";
 widget = {
 type = "prometheus";
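Review bot: Removing `allowedTCPPorts` 80/443/2345 leaves Caddy reachable only through interfaces the firewall already trusts, and this hunk does not show which those are; dnsmasq.nix binds to `tailscale0`, so that interface is presumably in `trustedInterfaces`, but if it is not, every `*.hopper.priv` vhost becomes unreachable while the public entries still depend on Cloudflare reaching the host. The remaining `networking.firewall` block should say why no TCP port is opened, e.g. `# no LAN ports opened: caddy is reached over tailscale0 only`. The block itself is closed inside the hunk; the enclosing module continues outside it.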
@@ -69,7 +69,7 @@ in {
 }
 {
 "glances" = {
- href = "http://glances.hopper.xun.host";
+ href = "https://glances.hopper.priv.${domain}";
 icon = "glances";
 };
 }
diff --git a/sys/machines/hopper/lab/transmission.nix b/sys/machines/hopper/lab/transmission.nix
index 161a824..9f31c7e 100644
--- a/sys/machines/hopper/lab/transmission.nix
+++ b/sys/machines/hopper/lab/transmission.nix
@@ -1,6 +1,7 @@
 {
 pkgs,
 config,
+ vars,
 ...
 }: {
 systemd.services.transmission.vpnConfinement = {
@@ -22,7 +23,7 @@
 peer-port = 24003;
 rpc-authentication-required = false;
 rpc-bind-address = "0.0.0.0";
- rpc-host-whitelist = "transmission.hopper.xun.host";
+ rpc-host-whitelist = "transmission.hopper.priv.${vars.domain}";
 rpc-whitelist-enabled = true;
 rpc-whitelist = "127.0.0.1,192.168.\*.\*,100.\*.\*.\*";
 };