From 0da9f7ab9d7a9b834cdac6a42236846d3e1fbe70 Mon Sep 17 00:00:00 2001
From: Giulio De Pasquale
Date: Thu, 16 Nov 2023 13:25:43 +0100
Subject: [PATCH] architect: add allowWAN option, correctly blocking WAN traffic

---
 hosts/architect/options.nix | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/hosts/architect/options.nix b/hosts/architect/options.nix
index 82c0235..4d8bef0 100644
--- a/hosts/architect/options.nix
+++ b/hosts/architect/options.nix
@@ -96,23 +96,29 @@ in
       description = "The host for the location.";
       default = "127.0.0.1";
     };
-
+
     port = mkOption {
       type = types.int;
       description = "The port number for the location.";
     };
-
+
     allow = mkOption {
       type = types.listOf types.str;
       default = [ ];
       description = "IP address or CIDR block to allow.";
     };
-
+
     path = mkOption {
       type = types.str;
       default = "";
     };
 
+    allowWAN = mkOption {
+      type = types.bool;
+      default = false;
+      description = "If set to false, deny all WAN traffic.";
+    };
+
     deny = mkOption {
       type = types.listOf types.str;
       default = [ ];
@@ -140,9 +146,9 @@ in
         proxyPass = "http://${location.host}:${toString location.port}${location.path}";
         proxyWebsockets = location.proxyWebsockets;
         extraConfig = ''
-          ${optionalString location.allowLan "deny 10.0.0.1;"}
-          ${concatMapStringsSep "\n" (denyCIDR: "deny ${denyCIDR};") location.deny}
           ${concatMapStringsSep "\n" (allowCIDR: "allow ${allowCIDR};") location.allow}
+          ${optionalString (!location.allowWAN) "deny all;"}
+          ${concatMapStringsSep "\n" (denyCIDR: "deny ${denyCIDR};") location.deny}
           ${optionalString location.allowLan ''allow ${config.architect.networks."lan".net};''}
         '' + location.extraConfig;
       })
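Review bot: The description of the new allowWAN option understates what it emits: the rendered rule is a bare nginx `deny all;`, which rejects every client not matched by an earlier `allow`, not just WAN addresses, so LAN clients are only admitted if an allow rule for them is placed before it. The option description should say so, e.g. `description = "If false, an nginx 'deny all;' rule is emitted; only clients matched by a preceding allow rule (allow / allowLan) are admitted.";`. The allow option's description also reads as a single value while its type is listOf, so `"List of IP addresses or CIDR blocks to allow."` would be more accurate. The enclosing options attribute set starts and ends outside the hunk.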
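Review bot: With the default allowWAN = false the generated `deny all;` precedes the `allow ${config.architect.networks."lan".net};` line, and nginx's access module applies allow/deny rules in order with the first match winning, so LAN clients are denied even when allowLan is set; the explicit deny list after `deny all;` is likewise unreachable. The fix is an ordering change: emit the deny list and the allowLan rule before the catch-all, and make `${optionalString (!location.allowWAN) "deny all;"}` the last line of the block. The `allow` list entries do keep working because they already sit ahead of `deny all;`, which is presumably why the change looked correct in testing. The surrounding location attribute set continues outside the hunk.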