authorsefidel <contact@sefidel.net>2024-01-25 23:16:19 +0900
committersefidel <contact@sefidel.net>2024-01-25 23:16:19 +0900
commita4d3677d709bc019f8a9416640761df4f86ca34a (patch)
treed347c0873491159a32676831286e057547026dce
parent101f70be1687f1bd87c61c60eee2dfe82b4462c8 (diff)
downloadnixrc-a4d3677d709bc019f8a9416640761df4f86ca34a.zip
feat(modules/blocky): don't depend directly on tailscale
-rw-r--r--modules/services/blocky/default.nix18
1 files changed, 15 insertions, 3 deletions
diff --git a/modules/services/blocky/default.nix b/modules/services/blocky/default.nix
index 20fdefd..9ba4884 100644
--- a/modules/services/blocky/default.nix
+++ b/modules/services/blocky/default.nix
@@ -14,7 +14,9 @@ in
enable = true;
settings = {
ports = {
- dns = "127.0.0.1:53,[::1]:53,100.93.1.1:53";
+ # Safety: NixOS firewall should block public access to 53.
+ # Only machines connected to the tailscale is able to reach the service.
+ dns = 53;
http = "127.0.0.1:4000";
};
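Review bot: `dns = 53;` makes blocky listen on every address of the host, and the only thing keeping it from becoming an open resolver is a firewall configured outside this module; the added comment says so, but nothing here checks it. If `networking.firewall.enable` is switched off on a host, or 53 is later added to the allowed ports, the resolver becomes reachable from the public side without any failure in this file. I would add an assertion next to the service definition, e.g. `assertions = [{ assertion = config.networking.firewall.enable; message = "blocky binds port 53 on all interfaces; the firewall must stay enabled"; }];` (assuming `config` is in scope in this module). The comment could also be reworded to `# Listens on all interfaces; relies on the NixOS firewall allowing 53 only on trusted interfaces (e.g. the tailnet).` The `settings` block continues outside the hunk.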
@@ -80,8 +82,8 @@ in
settings = {
analytics.reporting_enabled = false;
server = {
- domain = "100.93.1.1:3000";
- http_addr = "100.93.1.1";
+ domain = "127.0.0.1:3000";
+ http_addr = "127.0.0.1";
enable_gzip = true;
};
# Required for blocky panel
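Review bot: `domain = "127.0.0.1:3000"` still holds an address and port, although Grafana is now reached through the nginx vhost `metrics.internal` added later in this commit. Binding `http_addr` to loopback is the right move, but Grafana uses `domain` to build its root URL and redirects, so links and login redirects may point at 127.0.0.1 on the client's machine. Unless `root_url` is set in the part of `server` not shown here, I would change it to `domain = "metrics.internal";` and add a short comment such as `# Loopback only; exposed via the nginx vhost metrics.internal`.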
@@ -113,6 +115,16 @@ in
};
};
+ services.nginx.virtualHosts."metrics.internal" = {
+ locations."/" = {
+ proxyPass = "http://localhost:3000";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ '';
+ };
+ };
+
environment.etc."grafana-dashboards/blocky_rev3.json" = {
source = ./grafana_blocky_rev3.json;
group = "grafana";
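Review bot: The new `locations."/"` block forwards `X-Forwarded-For` but not `Host`, so nginx sends its default upstream host (`localhost:3000`) to Grafana. Grafana's origin check compares the browser's Origin with the Host it receives, so logins and other POSTs through `metrics.internal` may be rejected. Unless `recommendedProxySettings` is enabled elsewhere, add `proxy_set_header Host $host;` to `extraConfig`. Separately, the vhost has no listen address or allow/deny rule in this hunk, so the dashboard's reachability rests on the same firewall assumption as port 53; a comment stating that on the vhost would help.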