From a4d3677d709bc019f8a9416640761df4f86ca34a Mon Sep 17 00:00:00 2001
From: sefidel
Date: Thu, 25 Jan 2024 23:16:19 +0900
Subject: feat(modules/blocky): don't depend directly on tailscale

---
 modules/services/blocky/default.nix | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/modules/services/blocky/default.nix b/modules/services/blocky/default.nix
index 20fdefd..9ba4884 100644
--- a/modules/services/blocky/default.nix
+++ b/modules/services/blocky/default.nix
@@ -14,7 +14,9 @@ in
 enable = true;
 settings = {
 ports = {
- dns = "127.0.0.1:53,[::1]:53,100.93.1.1:53";
+ # Safety: NixOS firewall should block public access to 53.
+ # Only machines connected to the tailscale is able to reach the service.
+ dns = 53;
 http = "127.0.0.1:4000";
 };
 
@@ -80,8 +82,8 @@ in
 settings = {
 analytics.reporting_enabled = false;
 server = {
- domain = "100.93.1.1:3000";
- http_addr = "100.93.1.1";
+ domain = "127.0.0.1:3000";
+ http_addr = "127.0.0.1";
 enable_gzip = true;
 };
 # Required for blocky panel
@@ -113,6 +115,16 @@ in
 };
 };
 
+ services.nginx.virtualHosts."metrics.internal" = {
+ locations."/" = {
+ proxyPass = "http://localhost:3000";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ '';
+ };
+ };
+
 environment.etc."grafana-dashboards/blocky_rev3.json" = {
 source = ./grafana_blocky_rev3.json;
 group = "grafana";
--
cgit 1.4.1
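Review bot: `dns = 53` makes blocky listen on every interface, so the only thing keeping this host from acting as an open resolver is firewall state that lives outside this module; the new comment documents that assumption but nothing enforces it. If the module has `config` in scope, an assertion such as `assertions = [{ assertion = config.networking.firewall.enable; message = "blocky binds :53 on all interfaces; the firewall must stay enabled"; }];` would turn a silent exposure into an evaluation failure. The same dependency applies to the `metrics.internal` vhost added in the third hunk, which carries no listen-address or access restriction of its own. The comment's second sentence would also read better as `# Only machines on the tailnet can reach the service.` The enclosing `settings` block continues outside the hunk.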
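Review bot: `domain = "127.0.0.1:3000"` keeps a port inside a setting that Grafana treats as a bare host name and, by default, substitutes into `root_url`; now that the UI is reached through the `metrics.internal` proxy added later in this commit, links and redirects Grafana generates would presumably point at loopback rather than the proxied name. Consider `domain = "metrics.internal";` while leaving `http_addr = "127.0.0.1";` as is, unless `root_url` is set elsewhere in the block. The `server` attribute set continues outside the hunk.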
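Review bot: The proxied location forwards only `X-Forwarded-For`, so Grafana receives nginx's default upstream `Host` (`localhost:3000`) rather than `metrics.internal`; Grafana's origin check on state-changing requests compares the browser's Origin against that host and commonly rejects logins and saves with "origin not allowed" in this arrangement. Unless `services.nginx.recommendedProxySettings` is enabled elsewhere in the configuration, replace the `extraConfig` with `recommendedProxySettings = true;` on the location, which sets `Host` together with the forwarded-for headers.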