diff --git a/hosts/matemat/default.nix b/hosts/matemat/default.nix
index 9ef4324e..9640dae5 100644
--- a/hosts/matemat/default.nix
+++ b/hosts/matemat/default.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, libC, pkgs, ... }:
 {
 c3d2.deployment.server = "server10";
@@ -16,19 +16,7 @@
 enableACME = true;
 locations."/" = {
 proxyPass = "http://localhost:3000";
- # ip ranges duplicated with prometheus node exporter
- extraConfig = ''
- satisfy any;
- auth_basic secured;
- auth_basic_user_file ${config.sops.secrets."nginx/basic-auth".path};
- allow 2a00:8180:2c00:200::/56;
- allow 2a0f:5382:acab:1400::/56;
- allow fd23:42:c3d2:500::/56;
- allow 30c:c3d2:b946:76d0::/64;
- allow 172.22.99.0/24;
- allow 172.20.72.0/21;
- deny all;
- '';
+ extraConfig = libC.hqNetworkOnly;
 };
 };
 };
diff --git a/lib/nginx.nix b/lib/nginx.nix
index 1ac43937..d8a02e16 100644
--- a/lib/nginx.nix
+++ b/lib/nginx.nix
@@ -26,4 +26,17 @@ _:
 ];
 in
 map (x: (x // { addr = "0.0.0.0"; })) listen ++ listen;
+
+ hqNetworkOnly = ''
+ satisfy any;
+ allow 2a00:8180:2c00:200::/56;
+ allow 2a0f:5382:acab:1400::/56;
+ allow fd23:42:c3d2:500::/56;
+ allow 30c:c3d2:b946:76d0::/64;
+ allow ::1/128;
+ allow 172.22.99.0/24;
+ allow 172.20.72.0/21;
+ allow 127.0.0.0/8;
+ deny all;
+ '';
 }
diff --git a/modules/stats.nix b/modules/stats.nix
index 636eca8b..374245a2 100644
--- a/modules/stats.nix
+++ b/modules/stats.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, libC, pkgs, ... }:
 let
 cfg = config.c3d2.hq.statistics;
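Review bot: Replacing the inline block with `libC.hqNetworkOnly` in the `locations."/"` hunk of hosts/matemat/default.nix drops the `auth_basic secured;` and `auth_basic_user_file` directives the removed lines carried, so this location goes from "HQ network or password" to HQ network only, and the `nginx/basic-auth` sops secret appears to become unused; the modules/stats.nix hunk later in this diff is an exact equivalent of what it removes, this one is not. Because the shared snippet keeps `satisfy any;`, the password fallback can be retained by appending the auth directives: `extraConfig = libC.hqNetworkOnly + ''auth_basic secured; auth_basic_user_file ${config.sops.secrets."nginx/basic-auth".path};'';`. If removing password access is intended, the secret declaration (outside this hunk) should go with it and the change should be called out. The snippet also newly admits loopback (`::1/128`, `127.0.0.0/8`) to the service proxied on this host, which was not allowed before; the enclosing virtualHost definition starts before the hunk.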
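Review bot: `hqNetworkOnly` in lib/nginx.nix has no comment stating its contract, and now that it replaces two previously separate inline blocks a reader cannot tell from the snippet alone that `satisfy any;` only matters when a caller appends an `auth_basic` (or similar) directive — on its own the snippet is an allowlist with a `deny all;` fallback. I would add above `hqNetworkOnly = ''`: `# nginx location snippet: allow only the HQ ranges plus loopback. Keeps "satisfy any;" so a caller may append auth_basic directives as an alternative to the network check; without them access is allowlist-only.` Hoisting the ranges into a list attribute that this string is built from would let other modules reuse them without copying the literals, but that is optional. The enclosing attribute set starts before the hunk.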
@@ -89,19 +89,7 @@ in
 ];
 locations."/metrics" = {
 proxyPass = "http://127.0.0.1:${toString config.services.prometheus.exporters.node.port}/metrics";
- # ip ranges duplicated with matemat
- extraConfig = ''
- satisfy any;
- allow 2a00:8180:2c00:200::/56;
- allow 2a0f:5382:acab:1400::/56;
- allow fd23:42:c3d2:500::/56;
- allow 30c:c3d2:b946:76d0::/64;
- allow ::1/128;
- allow 172.22.99.0/24;
- allow 172.20.72.0/21;
- allow 127.0.0.0/8;
- deny all;
- '';
+ extraConfig = libC.hqNetworkOnly;
 };
 };
 };