From 97ef691743cc1b7014055aa47ab70ba7ee529b5f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?= <motiejus@jakstys.lt>
Date: Sun, 27 Aug 2023 15:32:49 +0300
Subject: [PATCH] grafana.jakstys.lt: abort non-private ips

---
 hosts/vno1-oh2/configuration.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix
index dd653b0..faec1b7 100644
--- a/hosts/vno1-oh2/configuration.nix
+++ b/hosts/vno1-oh2/configuration.nix
@@ -178,6 +178,8 @@
       enable = true;
       email = "motiejus+acme@jakstys.lt";
       virtualHosts."grafana.jakstys.lt".extraConfig = ''
+        @denied not remote_ip ${myData.tailscale_subnet.cidr}
+        abort @denied
         reverse_proxy 127.0.0.1:3000
         tls {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-cert.pem {$CREDENTIALS_DIRECTORY}/grafana.jakstys.lt-key.pem
       '';