diff --git a/modules/services/caddy.nix b/modules/services/caddy.nix
index 0093a13..2d77842 100644
--- a/modules/services/caddy.nix
+++ b/modules/services/caddy.nix
@@ -22,6 +22,12 @@
 services.caddy = {
 enable = true;
+ extraConfig = ''
+ (block_non_private_ips) {
+ @non_private_ips not remote_ip 100.64.0.0/10 fd7a:115c:a1e0::/48 private_ranges
+ abort @non_private_ips
+ }
+ '';
 };
 security.acme = {
diff --git a/modules/services/forgejo.nix b/modules/services/forgejo.nix
index f26d81b..a953d00 100644
--- a/modules/services/forgejo.nix
+++ b/modules/services/forgejo.nix
@@ -34,6 +34,7 @@
 useACMEHost = config.homelab.domain;
 extraConfig = ''
 reverse_proxy http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}
+ import block_non_private_ips
 '';
 };
 }
diff --git a/modules/services/glance.nix b/modules/services/glance.nix
index e38c31b..c642c07 100644
--- a/modules/services/glance.nix
+++ b/modules/services/glance.nix
@@ -107,6 +107,7 @@
 useACMEHost = config.homelab.domain;
 extraConfig = ''
 reverse_proxy http://localhost:8888
+ import block_non_private_ips
 '';
 };
 }
diff --git a/modules/services/karakeep.nix b/modules/services/karakeep.nix
index aefd116..8a749c6 100644
--- a/modules/services/karakeep.nix
+++ b/modules/services/karakeep.nix
@@ -30,6 +30,7 @@
 useACMEHost = config.homelab.domain;
 extraConfig = ''
 reverse_proxy http://localhost:8023
+ import block_non_private_ips
 '';
 };
 }
diff --git a/modules/services/media/arr.nix b/modules/services/media/arr.nix
index 13103da..75bf56e 100644
--- a/modules/services/media/arr.nix
+++ b/modules/services/media/arr.nix
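Review bot: In the `(block_non_private_ips)` snippet added to caddy.nix, `private_ranges` admits loopback and every RFC 1918 network, and `remote_ip` tests only the direct TCP peer, so any tunnel client, second proxy or source-NATing router that relays to Caddy from this host or the LAN would let outside requests through the gate. 100.64.0.0/10 is the RFC 6598 shared address space rather than a Tailscale-only block, so the rule presumably assumes this host is never reachable over a carrier-NAT segment; `fd7a:115c:a1e0::/48` is already inside the `fd00::/8` that `private_ranges` covers. If only the tailnet and one LAN are meant to reach these services, list those subnets explicitly and record the assumption in the snippet, for example `# allow: tailnet + LAN only; matches the direct peer, not X-Forwarded-For`.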
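Review bot: The restriction is opt-in per virtual host, so it fails open: `import block_non_private_ips` in forgejo.nix (and the identical additions in glance.nix, karakeep.nix, media/arr.nix, media/jellyfin.nix, miniflux.nix and pocketid.nix) has to be remembered for every future vhost, and a host that omits it is served to any peer with no build-time error. Consider generating the vhosts through one shared helper that always emits the import, so that public exposure becomes the explicit exception. The import also sits after `reverse_proxy` and works only because Caddy's default directive order evaluates `abort` first; putting `import block_non_private_ips` as the first line of each `extraConfig` makes the gate visible and keeps it effective if a block is later wrapped in `route`, where written order applies.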
@@ -50,36 +50,42 @@
 useACMEHost = config.homelab.domain;
 extraConfig = ''
 reverse_proxy http://localhost:7878
+ import block_non_private_ips
 '';
 };
 services.caddy.virtualHosts."sonarr.${config.homelab.domain}" = {
 useACMEHost = config.homelab.domain;
 extraConfig = ''
 reverse_proxy http://localhost:8989
+ import block_non_private_ips
 '';
 };
 services.caddy.virtualHosts."prowlarr.${config.homelab.domain}" = {
 useACMEHost = config.homelab.domain;
 extraConfig = ''
 reverse_proxy http://localhost:9696
+ import block_non_private_ips
 '';
 };
 services.caddy.virtualHosts."bazarr.${config.homelab.domain}" = {
 useACMEHost = config.homelab.domain;
 extraConfig = ''
 reverse_proxy http://localhost:6767
+ import block_non_private_ips
 '';
 };
 services.caddy.virtualHosts."deluge.${config.homelab.domain}" = {
 useACMEHost = config.homelab.domain;
 extraConfig = ''
 reverse_proxy http://localhost:8112
+ import block_non_private_ips
 '';
 };
 services.caddy.virtualHosts."jellyseer.${config.homelab.domain}" = {
 useACMEHost = config.homelab.domain;
 extraConfig = ''
 reverse_proxy http://localhost:5055
+ import block_non_private_ips
 '';
 };
 }
diff --git a/modules/services/media/jellyfin.nix b/modules/services/media/jellyfin.nix
index a0038c4..a314b4b 100644
--- a/modules/services/media/jellyfin.nix
+++ b/modules/services/media/jellyfin.nix
@@ -14,6 +14,7 @@
 # useACMEHost = config.homelab.domain;
 extraConfig = ''
 reverse_proxy http://localhost:8096
+ import block_non_private_ips
 '';
 };
 }
diff --git a/modules/services/miniflux.nix b/modules/services/miniflux.nix
index 8f0dda4..7c05e0b 100644
--- a/modules/services/miniflux.nix
+++ b/modules/services/miniflux.nix
@@ -48,6 +48,7 @@
 useACMEHost = config.homelab.domain;
 extraConfig = ''
 reverse_proxy http://localhost:8021
+ import block_non_private_ips
 '';
 };
 }
diff --git a/modules/services/pocketid.nix b/modules/services/pocketid.nix
index b909467..8f3586f 100644
--- a/modules/services/pocketid.nix
+++ b/modules/services/pocketid.nix
@@ -19,6 +19,7 @@
 useACMEHost = config.homelab.domain;
 extraConfig = ''
 reverse_proxy http://localhost:8025
+ import block_non_private_ips
 '';
 };
 }