Diffstat (limited to 'hosts/ahmed/cloudflare-proxy')
-rw-r--r--hosts/ahmed/cloudflare-proxy/default.nix35
1 files changed, 8 insertions, 27 deletions
diff --git a/hosts/ahmed/cloudflare-proxy/default.nix b/hosts/ahmed/cloudflare-proxy/default.nix
index 657722d..07489db 100644
--- a/hosts/ahmed/cloudflare-proxy/default.nix
+++ b/hosts/ahmed/cloudflare-proxy/default.nix
@@ -1,15 +1,13 @@
# This module adds some extra configuration useful when running behid a Cloudflare Proxy.
-#
+# Mainly, it blocks all incomming conncections on relevant ports that aren't
+# coming from an official CloudFlare domain.
{
config,
lib,
pkgs,
+ metadata,
...
}: let
- inherit (lib.options) mkEnableOption mkOption;
- inherit (lib.modules) mkIf;
- inherit (lib.types) listOf nonEmptyStr port;
-
# TODO: What happens when these get out of date??? Huh??? You little pissbaby
fileToList = x: lib.strings.splitString "\n" (builtins.readFile x);
cfipv4 = fileToList (pkgs.fetchurl {
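Review bot: The new header comment says the filter keys on "an official CloudFlare domain", but the code below matches Cloudflare's published IP ranges (cfipv4 fetched via pkgs.fetchurl, pinned by hash), not domains; suggest `# Mainly, it blocks all incoming connections on relevant ports that aren't coming from Cloudflare's published IP ranges (or an explicit whitelist).`, which also fixes "incomming conncections". The removed `inherit (lib.types) listOf nonEmptyStr port;` also drops `port`; if `port` is still referenced further down the file (outside this hunk), evaluation will fail with an undefined variable. The existing TODO about the fetched range lists going stale applies equally to the rewritten module: because the list is hash-pinned, a retired range presumably stays allowed and a newly published Cloudflare range is dropped until the hash is bumped, so it is worth a note on how the list is refreshed.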
@@ -21,27 +19,10 @@
hash = "sha256-np054+g7rQDE3sr9U8Y/piAp89ldto3pN9K+KCNMoKk=";
});
- cfg = config.modules.cloudflare-proxy;
+ IPv4Whitelist = [];
+ IPv6Whitelist = [metadata.hosts.muhammed.ipAddress];
in {
- options.modules.cloudflare-proxy = {
- enable = mkEnableOption "Cloudflare proxy IP extraction for NGINX";
-
- firewall = {
- IPv4Whitelist = mkOption {
- description = "List of IPv4 addresses (or ranges) added to the whitelist.";
- type = listOf nonEmptyStr;
- default = [];
- };
-
- IPv6Whitelist = mkOption {
- description = "List of IPv6 addresses (or ranges) added to the whitelist.";
- type = listOf nonEmptyStr;
- default = [];
- };
- };
- };
-
- config = mkIf cfg.enable {
+ config = {
# Teach NGINX how to extract the proxied IP from proxied requests.
#
# See: https://nixos.wiki/wiki/Nginx#Using_realIP_when_behind_CloudFlare_or_other_CDN
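Review bot: Replacing `config = mkIf cfg.enable {` with `config = {` makes the firewall and NGINX settings unconditional for every host that imports this module, and removing `options.modules.cloudflare-proxy` means any host still setting `modules.cloudflare-proxy.enable` or `.firewall.*Whitelist` will now fail evaluation with an undefined-option error; worth a grep of the other hosts before merging. The whitelist is now hard-coded as `IPv6Whitelist = [metadata.hosts.muhammed.ipAddress];`, which is a bypass of the Cloudflare-only restriction and should say so, e.g. `# Hosts allowed to reach the proxied ports directly, bypassing the Cloudflare-only filter.` above the two lists. Also confirm that `metadata.hosts.muhammed.ipAddress` is actually an IPv6 address, since it is fed to ip6tables in the later hunk; an IPv4 value there would presumably be rejected by ip6tables rather than whitelist the host.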
@@ -76,8 +57,8 @@ in {
${allow-interface config.networking.firewall.trustedInterfaces}
# Allow local whitelisted IPs through
- ${allow-ip "iptables" cfg.firewall.IPv4Whitelist}
- ${allow-ip "ip6tables" cfg.firewall.IPv6Whitelist}
+ ${allow-ip "iptables" IPv4Whitelist}
+ ${allow-ip "ip6tables" IPv6Whitelist}
# Allow Cloudflare's IP ranges through.
${allow-ip "iptables" cfipv4}