author | sefidel <contact@sefidel.net> | 2024-01-25 23:16:19 +0900 |
---|---|---|
committer | sefidel <contact@sefidel.net> | 2024-01-25 23:16:19 +0900 |
commit | a4d3677d709bc019f8a9416640761df4f86ca34a (patch) | |
tree | d347c0873491159a32676831286e057547026dce | |
parent | 101f70be1687f1bd87c61c60eee2dfe82b4462c8 (diff) | |
feat(modules/blocky): don't depend directly on tailscale
-rw-r--r-- | modules/services/blocky/default.nix | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/modules/services/blocky/default.nix b/modules/services/blocky/default.nix
index 20fdefd..9ba4884 100644
--- a/modules/services/blocky/default.nix
+++ b/modules/services/blocky/default.nix
@@ -14,7 +14,9 @@ in
 enable = true;
 settings = {
 ports = {
- dns = "127.0.0.1:53,[::1]:53,100.93.1.1:53";
+ # Safety: NixOS firewall should block public access to 53.
+ # Only machines connected to the tailscale is able to reach the service.
+ dns = 53;
 http = "127.0.0.1:4000";
 };
@@ -80,8 +82,8 @@ in
 settings = {
 analytics.reporting_enabled = false;
 server = {
- domain = "100.93.1.1:3000";
- http_addr = "100.93.1.1";
+ domain = "127.0.0.1:3000";
+ http_addr = "127.0.0.1";
 enable_gzip = true;
 };
 # Required for blocky panel
@@ -113,6 +115,16 @@ in
 };
 };
+ services.nginx.virtualHosts."metrics.internal" = {
+ locations."/" = {
+ proxyPass = "http://localhost:3000";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ '';
+ };
+ };
+
 environment.etc."grafana-dashboards/blocky_rev3.json" = {
 source = ./grafana_blocky_rev3.json;
 group = "grafana"; |
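Review bot: With `dns = 53;` in the first hunk blocky listens on every interface, so the only thing keeping the resolver off untrusted networks is firewall state configured outside this module; the `# Safety:` comment records that expectation but nothing enforces it. A resolver that becomes reachable from outside can be abused for amplification and exposes the host's query handling, so I would make evaluation fail when the assumption does not hold, for example `assertions = [{ assertion = config.networking.firewall.enable; message = "blocky binds :53 on all interfaces; the firewall must be enabled"; }];` (assuming `config` is in scope; the module header is outside the hunk). The comment should also name where the rule admitting port 53 from the VPN interface lives, since the hunk does not show it.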
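Review bot: In the second hunk `server.domain` becomes `"127.0.0.1:3000"` even though Grafana is now meant to be reached through the `metrics.internal` proxy added in the last hunk. Grafana builds its root URL, and therefore redirects and generated links, from `domain` unless `root_url` is set, so clients are likely to be pointed at loopback. I would write `domain = "metrics.internal";` and set `root_url` explicitly if the default scheme and port do not match the proxy. The rest of the `server` block is outside the hunk, so an existing `root_url` there would make this moot; the `http_addr = "127.0.0.1";` change itself looks right.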
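Review bot: The `metrics.internal` virtual host added in the third hunk has no listen-address restriction, no TLS and no `allow`/`deny`, so every client that can reach nginx on its HTTP port is proxied to Grafana. If that port is opened in the firewall for other sites on this host, the firewall no longer protects the dashboard, unlike the old bind to the VPN address. I would add an address filter to the location's `extraConfig`, such as `allow <tailnet-cidr>; deny all;` (placeholder range), and repeat the `# Safety:` comment from the DNS port here. Separately, `$proxy_add_x_forwarded_for` appends to whatever header the client sent, so the resulting value should not be used for access decisions or trusted in audit logs downstream.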