change intranet domain

sys/machines/hopper/lab/acme.nix

@@ -11,7 +11,7 @@ in {
     certs = {
       "${domain}" = {
         domain = "${domain}";
-        extraDomainNames = ["*.${domain}"];
+        extraDomainNames = ["*.${domain}" "*.hopper.priv.${domain}"];
         dnsProvider = "cloudflare";
         reloadServices = ["caddy.service"];
         credentialFiles = {

sys/machines/hopper/lab/caddy.nix

@@ -22,10 +22,6 @@ in {
     enable = true;
     globalConfig = "metrics";
     virtualHosts = let
-      blockNonCloudflare = ''
-        @blocked not remote_ip ${builtins.replaceStrings ["\n"] [" "] (builtins.foldl' (res: ip-ver: "${res} ${builtins.readFile inputs."cloudflare-${ip-ver}".outPath}") "" ["ipv4" "ipv6"])}
-        respond @blocked "Access only allowed through cloudflare" 403
-      '';
       mkPublicEntry = name: destination: {
         useACMEHost = domain;
         hostName = "${name}.${domain}";
@@ -36,8 +32,12 @@ in {
         '';
       };
       mkPrivateEntry = name: destination: {
-        hostName = "${name}.hopper.xun.host:80";
-        extraConfig = "reverse_proxy ${destination}";
+        hostName = "${name}.hopper.priv.${domain}";
+        extraConfig = ''
+          @blocked not remote_ip ${bridge}
+          respond @blocked "limited to intranet" 403
+          reverse_proxy ${destination}
+        '';
       };
     in {
       navidrome = mkPublicEntry "navidrome" "${bridge}:${toString config.services.navidrome.settings.Port}";

sys/machines/hopper/lab/default.nix

@@ -27,12 +27,6 @@
 
   networking.firewall = {
     allowedUDPPorts = [1900 7359]; # Jellyfin auto-discovery
-    allowedTCPPorts = [
-      # caddy lan ports
-      80
-      443
-      2345
-    ];
   };
 
   boot.kernel.sysctl."fs.inotify.max_user_watches" = 99999999;

sys/machines/hopper/lab/dnsmasq.nix

@@ -10,7 +10,7 @@
       server = ["1.1.1.1" "8.8.8.8"];
       interface = ["tailscale0"];
       bind-interfaces = true;
-      address = lib.mapAttrsToList (n: v: "/.${n}.xun.host/${v}") vars.tailnet;
+      address = lib.mapAttrsToList (n: v: "/.${n}.priv.${vars.domain}/${v}") vars.tailnet;
     };
   };
 }

sys/machines/hopper/lab/homepage.nix

@@ -8,7 +8,7 @@
 in {
   services.homepage-dashboard = {
     enable = true;
-    allowedHosts = "dash.hopper.xun.host";
+    allowedHosts = "dash.hopper.priv.${domain}";
     widgets = [
       {
         resources = {
@@ -27,7 +27,7 @@ in {
         "Downloading" = [
           {
             "transmission" = {
-              href = "http://transmission.hopper.xun.host";
+              href = "https://transmission.hopper.priv.${domain}";
               icon = "transmission";
               widget = {
                 type = "transmission";
@@ -37,7 +37,7 @@ in {
           }
           {
             "slskd" = {
-              href = "http://slskd.hopper.xun.host";
+              href = "https://slskd.hopper.priv.${domain}";
               icon = "slskd";
             };
           }
@@ -59,7 +59,7 @@ in {
           }
           {
             "prometheus" = {
-              href = "http://prometheus.hopper.xun.host";
+              href = "https://prometheus.hopper.priv.${domain}";
               icon = "prometheus";
               widget = {
                 type = "prometheus";
@@ -69,7 +69,7 @@ in {
           }
           {
             "glances" = {
-              href = "http://glances.hopper.xun.host";
+              href = "https://glances.hopper.priv.${domain}";
               icon = "glances";
             };
           }

sys/machines/hopper/lab/transmission.nix

@@ -1,6 +1,7 @@
 {
   pkgs,
   config,
+  vars,
   ...
 }: {
   systemd.services.transmission.vpnConfinement = {
@@ -22,7 +23,7 @@
       peer-port = 24003;
       rpc-authentication-required = false;
       rpc-bind-address = "0.0.0.0";
-      rpc-host-whitelist = "transmission.hopper.xun.host";
+      rpc-host-whitelist = "transmission.hopper.priv.${vars.domain}";
       rpc-whitelist-enabled = true;
       rpc-whitelist = "127.0.0.1,192.168.\*.\*,100.\*.\*.\*";
     };