change intranet domain

2025-06-05 09:38:08 +02:00 · 2025-06-05 09:38:08 +02:00 · 5f1ed3c492
commit 5f1ed3c492
parent 8f4729f286
8 changed files with 15 additions and 49 deletions
--- a/flake.lock
+++ b/flake.lock
@ -67,30 +67,6 @@
        "type": "github"
      }
    },
-    "cloudflare-ipv4": {
-      "flake": false,
-      "locked": {
-        "narHash": "sha256-V4dThTb8iw02hjngubVtSJbEeWgOS1e/ODt1fLjLZvk=",
-        "type": "file",
-        "url": "https://www.cloudflare.com/ips-v4"
-      },
-      "original": {
-        "type": "file",
-        "url": "https://www.cloudflare.com/ips-v4"
-      }
-    },
-    "cloudflare-ipv6": {
-      "flake": false,
-      "locked": {
-        "narHash": "sha256-BgpkXCAh/MmK3GTAElKiGJctCYUN+/UgvpuawqGmitE=",
-        "type": "file",
-        "url": "https://www.cloudflare.com/ips-v6"
-      },
-      "original": {
-        "type": "file",
-        "url": "https://www.cloudflare.com/ips-v6"
-      }
-    },
    "crane": {
      "locked": {
        "lastModified": 1745454774,
@ -844,8 +820,6 @@
    },
    "root": {
      "inputs": {
-        "cloudflare-ipv4": "cloudflare-ipv4",
-        "cloudflare-ipv6": "cloudflare-ipv6",
        "disko": "disko",
        "firefox-addons": "firefox-addons",
        "flake-parts": "flake-parts",
--- a/flake.nix
+++ b/flake.nix
@ -83,9 +83,6 @@
    own-website.url = "github:xunuwu/xunuwu.xyz";
    own-website.inputs.nixpkgs.follows = "nixpkgs";

-    cloudflare-ipv4.url = "file+https://www.cloudflare.com/ips-v4";
-    cloudflare-ipv6.url = "file+https://www.cloudflare.com/ips-v6";
-
    wallpaper.url = "file+https://cdn.donmai.us/original/43/20/__kasane_teto_and_kasane_teto_utau_and_1_more_drawn_by_maguru_white__43204cf49ef8c071c34009553d1c0455.jpg";
  };
 }
--- a/sys/machines/hopper/lab/acme.nix
+++ b/sys/machines/hopper/lab/acme.nix
@ -11,7 +11,7 @@ in {
    certs = {
      "${domain}" = {
        domain = "${domain}";
-        extraDomainNames = ["*.${domain}"];
+        extraDomainNames = ["*.${domain}" "*.hopper.priv.${domain}"];
        dnsProvider = "cloudflare";
        reloadServices = ["caddy.service"];
        credentialFiles = {
--- a/sys/machines/hopper/lab/caddy.nix
+++ b/sys/machines/hopper/lab/caddy.nix
@ -22,10 +22,6 @@ in {
    enable = true;
    globalConfig = "metrics";
    virtualHosts = let
-      blockNonCloudflare = ''
-        @blocked not remote_ip ${builtins.replaceStrings ["\n"] [" "] (builtins.foldl' (res: ip-ver: "${res} ${builtins.readFile inputs."cloudflare-${ip-ver}".outPath}") "" ["ipv4" "ipv6"])}
-        respond @blocked "Access only allowed through cloudflare" 403
-      '';
      mkPublicEntry = name: destination: {
        useACMEHost = domain;
        hostName = "${name}.${domain}";
@ -36,8 +32,12 @@ in {
        '';
      };
      mkPrivateEntry = name: destination: {
-        hostName = "${name}.hopper.xun.host:80";
-        extraConfig = "reverse_proxy ${destination}";
+        hostName = "${name}.hopper.priv.${domain}";
+        extraConfig = ''
+          @blocked not remote_ip ${bridge}
+          respond @blocked "limited to intranet" 403
+          reverse_proxy ${destination}
+        '';
      };
    in {
      navidrome = mkPublicEntry "navidrome" "${bridge}:${toString config.services.navidrome.settings.Port}";
--- a/sys/machines/hopper/lab/default.nix
+++ b/sys/machines/hopper/lab/default.nix
@ -27,12 +27,6 @@

  networking.firewall = {
    allowedUDPPorts = [1900 7359]; # Jellyfin auto-discovery
-    allowedTCPPorts = [
-      # caddy lan ports
-      80
-      443
-      2345
-    ];
  };

  boot.kernel.sysctl."fs.inotify.max_user_watches" = 99999999;
--- a/sys/machines/hopper/lab/dnsmasq.nix
+++ b/sys/machines/hopper/lab/dnsmasq.nix
@ -10,7 +10,7 @@
      server = ["1.1.1.1" "8.8.8.8"];
      interface = ["tailscale0"];
      bind-interfaces = true;
-      address = lib.mapAttrsToList (n: v: "/.${n}.xun.host/${v}") vars.tailnet;
+      address = lib.mapAttrsToList (n: v: "/.${n}.priv.${vars.domain}/${v}") vars.tailnet;
    };
  };
 }
--- a/sys/machines/hopper/lab/homepage.nix
+++ b/sys/machines/hopper/lab/homepage.nix
@ -8,7 +8,7 @@
 in {
  services.homepage-dashboard = {
    enable = true;
-    allowedHosts = "dash.hopper.xun.host";
+    allowedHosts = "dash.hopper.priv.${domain}";
    widgets = [
      {
        resources = {
@ -27,7 +27,7 @@ in {
        "Downloading" = [
          {
            "transmission" = {
-              href = "http://transmission.hopper.xun.host";
+              href = "https://transmission.hopper.priv.${domain}";
              icon = "transmission";
              widget = {
                type = "transmission";
@ -37,7 +37,7 @@ in {
          }
          {
            "slskd" = {
-              href = "http://slskd.hopper.xun.host";
+              href = "https://slskd.hopper.priv.${domain}";
              icon = "slskd";
            };
          }
@ -59,7 +59,7 @@ in {
          }
          {
            "prometheus" = {
-              href = "http://prometheus.hopper.xun.host";
+              href = "https://prometheus.hopper.priv.${domain}";
              icon = "prometheus";
              widget = {
                type = "prometheus";
@ -69,7 +69,7 @@ in {
          }
          {
            "glances" = {
-              href = "http://glances.hopper.xun.host";
+              href = "https://glances.hopper.priv.${domain}";
              icon = "glances";
            };
          }
--- a/sys/machines/hopper/lab/transmission.nix
+++ b/sys/machines/hopper/lab/transmission.nix
@ -1,6 +1,7 @@
 {
  pkgs,
  config,
+  vars,
  ...
 }: {
  systemd.services.transmission.vpnConfinement = {
@ -22,7 +23,7 @@
      peer-port = 24003;
      rpc-authentication-required = false;
      rpc-bind-address = "0.0.0.0";
-      rpc-host-whitelist = "transmission.hopper.xun.host";
+      rpc-host-whitelist = "transmission.hopper.priv.${vars.domain}";
      rpc-whitelist-enabled = true;
      rpc-whitelist = "127.0.0.1,192.168.\*.\*,100.\*.\*.\*";
    };