From f31ec2ce652fa201123433071c2696ff00486b25 Mon Sep 17 00:00:00 2001 From: ashisgreat22 Date: Thu, 19 Mar 2026 22:35:33 +0100 Subject: [PATCH] feat(security): restrict internal services to tailscale - Add `internalOnly` option to nginx module to block public access. - Apply `internalOnly` flag to Forgejo and Vaultwarden to ensure they are only accessible over the VPN or localhost. --- modules/forgejo.nix | 1 + modules/nginx.nix | 12 ++++++++++++ modules/vaultwarden.nix | 1 + 3 files changed, 14 insertions(+) diff --git a/modules/forgejo.nix b/modules/forgejo.nix index 35ca7f9..28d8c1b 100644 --- a/modules/forgejo.nix +++ b/modules/forgejo.nix @@ -97,6 +97,7 @@ in # Nginx Reverse Proxy myModules.nginx.domains."${cfg.domain}" = { port = cfg.port; + internalOnly = true; extraConfig = '' client_max_body_size 512M; ''; diff --git a/modules/nginx.nix b/modules/nginx.nix index 190d0ed..cc9ef2f 100644 --- a/modules/nginx.nix +++ b/modules/nginx.nix @@ -74,6 +74,12 @@ in description = "Content-Security-Policy header value. Set to null to omit."; }; + internalOnly = lib.mkOption { + type = lib.types.bool; + default = false; + description = "Restrict access to Tailscale network and localhost only"; + }; + rateLimit = { enable = lib.mkOption { type = lib.types.nullOr lib.types.bool; @@ -156,6 +162,12 @@ in # Security headers applied per-vhost extraConfig = '' + ${lib.optionalString opts.internalOnly '' + # Restrict access to Tailscale network + allow 100.64.0.0/10; + allow 127.0.0.0/8; + deny all; + ''} # Strict Transport Security — 6 months, include subdomains, preload-ready add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; diff --git a/modules/vaultwarden.nix b/modules/vaultwarden.nix index 1af04f4..5b66004 100644 --- a/modules/vaultwarden.nix +++ b/modules/vaultwarden.nix 
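Review bot: `internalOnly = true;` only gates the HTTPS vhost nginx serves for `${cfg.domain}`; if this module also enables Forgejo's SSH/git listener, that is a separate port nginx never sees and it stays publicly reachable unless the firewall restricts it to the Tailscale interface as well. A comment next to the flag would stop readers assuming the whole service is VPN-only: `# Gates only the HTTP(S) vhost; SSH/git access is governed by the firewall, not nginx.` The enclosing attribute set starts and ends outside the hunk.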
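Review bot: The new option's description should state what the restriction actually is and what it relies on, since `nixos-option` users see only this text: `description = "Only accept clients whose source address is in 100.64.0.0/10 (Tailscale/CGNAT) or 127.0.0.0/8; all others get 403. Evaluated on the address nginx sees, so only meaningful when nginx is not behind another proxy.";`. The enclosing `options` set continues outside the hunk.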
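Review bot: The allow list is IPv4-only, so IPv6 loopback and Tailscale's IPv6 ULA addresses are denied and a tailnet client that reaches the vhost over v6 gets a 403; add `allow ::1;` and `allow fd7a:115c:a1e0::/48;` before `deny all;`. Note also that `100.64.0.0/10` is the shared CGNAT range rather than a Tailscale-specific one, that the check uses the client address as nginx sees it (if `set_real_ip_from`/`real_ip_header` or an upstream proxy is configured elsewhere in this module, a spoofed address could pass), and that any `location` block declaring its own `allow`/`deny` overrides these server-level rules. If certificates for these vhosts are obtained via HTTP-01, the `.well-known/acme-challenge` location must be exempted or issuance will fail. The hunk's trailing context lines appear truncated and the enclosing vhost definition continues outside it.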
@@ -111,6 +111,7 @@ in # Add nginx configuration for WebSocket support myModules.nginx.domains.${cfg.domain} = { port = cfg.port; + internalOnly = true; extraConfig = '' client_max_body_size 128M; '';