authorsefidel <contact@sefidel.net>2024-01-25 23:16:19 +0900
committersefidel <contact@sefidel.net>2024-01-25 23:16:19 +0900
commita4d3677d709bc019f8a9416640761df4f86ca34a (patch)
treed347c0873491159a32676831286e057547026dce
parent101f70be1687f1bd87c61c60eee2dfe82b4462c8 (diff)
feat(modules/blocky): don't depend directly on tailscale
-rw-r--r--modules/services/blocky/default.nix18
1 files changed, 15 insertions, 3 deletions
diff --git a/modules/services/blocky/default.nix b/modules/services/blocky/default.nix
index 20fdefd..9ba4884 100644
--- a/modules/services/blocky/default.nix
+++ b/modules/services/blocky/default.nix
@@ -14,7 +14,9 @@ in
       enable = true;
       settings = {
         ports = {
-          dns = "127.0.0.1:53,[::1]:53,100.93.1.1:53";
+          # Safety: NixOS firewall should block public access to 53.
+          # Only machines connected to the tailscale is able to reach the service.
+          dns = 53;
           http = "127.0.0.1:4000";
         };
 
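Review bot: `dns = 53;` on the new line makes blocky listen on every address of the host, so the only thing preventing it from answering as an open resolver on a non-tailscale interface is a firewall rule this diff does not show; the comment says the firewall "should" block 53 but nothing in the commit enforces or checks that. The old value bound explicitly to loopback and one tailscale address, so this widens exposure rather than being a pure refactor. If the module must stay independent of tailscale, a NixOS `assertions` entry that 53 is absent from `networking.firewall.allowedUDPPorts` and `allowedTCPPorts` would at least fail the build when the assumption breaks, and the comment should state that expectation explicitly. The comment also reads better as `# Only machines connected to tailscale are able to reach the service.`. The enclosing `settings` attrset starts before this hunk.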
@@ -80,8 +82,8 @@ in
       settings = {
         analytics.reporting_enabled = false;
         server = {
-          domain = "100.93.1.1:3000";
-          http_addr = "100.93.1.1";
+          domain = "127.0.0.1:3000";
+          http_addr = "127.0.0.1";
           enable_gzip = true;
         };
         # Required for blocky panel
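Review bot: `domain = "127.0.0.1:3000"` is, as far as I read Grafana's `server` section, the value it uses to build `root_url` for login redirects, absolute links and cookies, and the next hunk in this same commit fronts Grafana with an nginx vhost named `metrics.internal`, so browsers arriving through the proxy would be redirected back to 127.0.0.1:3000. The bind address change to `http_addr = "127.0.0.1"` is the right one; `domain` should instead be the externally visible name, e.g. `domain = "metrics.internal";`, with `root_url` adjusted if the proxy is not on the default port. The `settings` attrset starts before this hunk, so I cannot see whether `root_url` is set elsewhere.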
@@ -113,6 +115,16 @@ in
       };
     };
 
+    services.nginx.virtualHosts."metrics.internal" = {
+      locations."/" = {
+        proxyPass = "http://localhost:3000";
+        proxyWebsockets = true;
+        extraConfig = ''
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        '';
+      };
+    };
+
     environment.etc."grafana-dashboards/blocky_rev3.json" = {
       source = ./grafana_blocky_rev3.json;
       group = "grafana";
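Review bot: The new `metrics.internal` vhost is served on nginx's default listeners (all addresses, plain HTTP) with no TLS and no access restriction at the proxy layer, so Grafana's login form and session cookie cross the network in cleartext to whatever can reach port 80 on this host; as with the port 53 change in the first hunk, the only boundary is a firewall rule not visible in this diff. If reachability is intended to be tailscale-only, restrict the listener with `listenAddresses` or document the firewall assumption next to this vhost, and consider `forceSSL` with an internal certificate now that a hostname is in use. Separately, `proxyPass = "http://localhost:3000"` has nginx resolve `localhost` at config load and may try `[::1]` before `127.0.0.1`, while Grafana is bound only to `127.0.0.1` in the previous hunk; `proxyPass = "http://127.0.0.1:3000";` avoids that mismatch. The enclosing module attrset continues past this hunk.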