feat(security): restrict internal services to tailscale

- Add `internalOnly` option to nginx module to block public access.

- Apply `internalOnly` flag to Forgejo and Vaultwarden to ensure they are only accessible over the VPN or localhost.

modules/forgejo.nix

@@ -97,6 +97,7 @@ in
     # Nginx Reverse Proxy
     myModules.nginx.domains."${cfg.domain}" = {
       port = cfg.port;
+      internalOnly = true;
       extraConfig = ''
         client_max_body_size 512M;
       '';

modules/nginx.nix

@@ -74,6 +74,12 @@ in
             description = "Content-Security-Policy header value. Set to null to omit.";
           };
 
+          internalOnly = lib.mkOption {
+            type = lib.types.bool;
+            default = false;
+            description = "Restrict access to Tailscale network and localhost only";
+          };
+
           rateLimit = {
             enable = lib.mkOption {
               type = lib.types.nullOr lib.types.bool;
@@ -156,6 +162,12 @@ in
 
           # Security headers applied per-vhost
           extraConfig = ''
+            ${lib.optionalString opts.internalOnly ''
+            # Restrict access to Tailscale network
+            allow 100.64.0.0/10;
+            allow 127.0.0.0/8;
+            deny all;
+            ''}
             # Strict Transport Security — 6 months, include subdomains, preload-ready
             add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
 

modules/vaultwarden.nix

@@ -111,6 +111,7 @@ in
     # Add nginx configuration for WebSocket support
     myModules.nginx.domains.${cfg.domain} = {
       port = cfg.port;
+      internalOnly = true;
       extraConfig = ''
         client_max_body_size 128M;
       '';