caddy: add block_non_private_ips snippet

blocks ips not in tailnet or in local network from accessing services using `important block_non_private_ips` in their caddy config
2025-08-04 22:13:59 +10:00 · 2025-08-04 22:13:59 +10:00 · 7537a1e5b6
commit 7537a1e5b6
parent a37e71055f
8 changed files with 18 additions and 0 deletions
--- a/modules/services/caddy.nix
+++ b/modules/services/caddy.nix
@ -22,6 +22,12 @@
    
    services.caddy = {
      enable = true;
+      extraConfig = ''
+      (block_non_private_ips) {
+        @non_private_ips not remote_ip 100.64.0.0/10 fd7a:115c:a1e0::/48 private_ranges
+        abort @non_private_ips
+      }
+      '';
    };

    security.acme = {
--- a/modules/services/forgejo.nix
+++ b/modules/services/forgejo.nix
@ -34,6 +34,7 @@
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}
+      import block_non_private_ips
    '';
  };
 }
--- a/modules/services/glance.nix
+++ b/modules/services/glance.nix
@ -107,6 +107,7 @@
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:8888
+      import block_non_private_ips
    '';
  };
 }
--- a/modules/services/karakeep.nix
+++ b/modules/services/karakeep.nix
@ -30,6 +30,7 @@
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:8023
+      import block_non_private_ips
    '';
  };
 }
--- a/modules/services/media/arr.nix
+++ b/modules/services/media/arr.nix
@ -50,36 +50,42 @@
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:7878
+      import block_non_private_ips
    '';
  };
  services.caddy.virtualHosts."sonarr.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:8989
+      import block_non_private_ips
    '';
  };
  services.caddy.virtualHosts."prowlarr.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:9696
+      import block_non_private_ips
    '';
  };
  services.caddy.virtualHosts."bazarr.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:6767
+      import block_non_private_ips
    '';
  };
  services.caddy.virtualHosts."deluge.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:8112
+      import block_non_private_ips
    '';
  };
  services.caddy.virtualHosts."jellyseer.${config.homelab.domain}" = {
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:5055
+      import block_non_private_ips
    '';
  };
 }
--- a/modules/services/media/jellyfin.nix
+++ b/modules/services/media/jellyfin.nix
@ -14,6 +14,7 @@
 #    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:8096
+      import block_non_private_ips
    '';
  };
 }
--- a/modules/services/miniflux.nix
+++ b/modules/services/miniflux.nix
@ -48,6 +48,7 @@
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:8021
+      import block_non_private_ips
    '';
  };
 }
--- a/modules/services/pocketid.nix
+++ b/modules/services/pocketid.nix
@ -19,6 +19,7 @@
    useACMEHost = config.homelab.domain;
    extraConfig = ''
      reverse_proxy http://localhost:8025
+      import block_non_private_ips
    '';
  };
 }