caddy: add block_non_private_ips snippet

blocks ips not in tailnet or in local network from accessing services using `important block_non_private_ips` in their caddy config
2025-08-04 22:13:59 +10:00 · 2025-08-04 22:13:59 +10:00 · 7537a1e5b6
commit 7537a1e5b6
parent a37e71055f
8 changed files with 18 additions and 0 deletions
--- a/modules/services/caddy.nix
+++ b/modules/services/caddy.nix
@ -22,6 +22,12 @@
    
    services.caddy = {
      enable = true;
+      extraConfig = ''
+      (block_non_private_ips) {
+        @non_private_ips not remote_ip 100.64.0.0/10 fd7a:115c:a1e0::/48 private_ranges
+        abort @non_private_ips
+      }
+      '';
    };

    security.acme = {