From 1b3e800443073a6613ba3c2308df2057bfb1ddd7 Mon Sep 17 00:00:00 2001
From: dogeystamp
Date: Sun, 16 Jun 2024 19:32:35 -0400
Subject: [PATCH] caddy: deny access to private services outside LAN/VPN

---
 group_vars/all/50-vars.yml | 5 +++++
 roles/caddy/templates/Caddyfile.j2 | 10 ++++++++++
 2 files changed, 15 insertions(+)

diff --git a/group_vars/all/50-vars.yml b/group_vars/all/50-vars.yml
index d8f3818..f3c2a3c 100644
--- a/group_vars/all/50-vars.yml
+++ b/group_vars/all/50-vars.yml
@@ -19,6 +19,11 @@ dataroot: /var/lib/serv_data
 dyndns_domain: null
 # dyndns_domain: d.nerdpol.ovh
 
+# limit this to, for example, your VPN subnet or your local subnet
+# alternatively, 0.0.0.0/0 to open up the internal services to all
+# for multiple subnets, separate with spaces
+internal_cidr: "{{ local_subnet }}"
+
 # this is set true in group_vars/bastion/vars.yml
 enable_ddclient: false
 
diff --git a/roles/caddy/templates/Caddyfile.j2 b/roles/caddy/templates/Caddyfile.j2
index 4bcdd4a..cda86ba 100644
--- a/roles/caddy/templates/Caddyfile.j2
+++ b/roles/caddy/templates/Caddyfile.j2
@@ -10,6 +10,10 @@
 }
 {% endif %}
 
+(external) {
+ @external not remote_ip {{ internal_cidr }}
+}
+
 import conf.d/*
 
 {% if "website" in group_names %}
@@ -27,6 +31,9 @@ www.{{ domain }} {
 
 {% if groups["navidrome"] | length > 0 %}
 {{ navidrome_domain }} {
+ import external
+ respond @external 403
+
 reverse_proxy {{ groups["navidrome"][0] }}:4533
 }
 {% endif %}
@@ -43,6 +50,9 @@ www.{{ domain }} {
 
 {% if groups["paperless"] | length > 0 %}
 {{ paperless_domain }} {
+ import external
+ respond @external 403
+
 reverse_proxy {{ groups["paperless"][0] }}:8000
 }
 {% endif %}
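Review bot: The comment above the new `internal_cidr` variable says `0.0.0.0/0` opens the internal services to all, but that prefix only covers IPv4 peers; if Caddy also listens on IPv6, a client connecting over v6 does not match it, so `not remote_ip 0.0.0.0/0` still answers 403 for them. The same applies to the default `{{ local_subnet }}` if it is a v4 range and clients on the LAN or VPN also have v6 addresses. Suggest rewording to `# alternatively, 0.0.0.0/0 ::/0 to open up the internal services to all` and adding `# list both the v4 and v6 range of the LAN/VPN if clients use both`. It would also help to state what an empty value does, since it renders as `not remote_ip` with no argument in the Caddyfile (I have not verified how Caddy treats that).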
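Review bot: The `@external` matcher in the new `(external)` snippet keys on `remote_ip`, which Caddy evaluates against the TCP peer address rather than any `X-Forwarded-For` header; that is the right choice for a host that terminates client connections itself, but nothing in the snippet records that assumption. If this Caddy is ever placed behind another proxy or a CDN, every request arrives from that proxy's address and the gate becomes all-or-nothing, and the tempting quick fix, the `forwarded` form of `remote_ip` (deprecated, as far as I recall), would trust a client-controlled header and make the whole check spoofable; the supported route is the `client_ip` matcher together with the `trusted_proxies` global option. A one-line comment would prevent that drift: `# remote_ip is the peer address; if a proxy is put in front, switch to client_ip + trusted_proxies, never forwarded`.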
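Review bot: `respond @external 403` is written ahead of `reverse_proxy` in the navidrome site block (and identically in the paperless block in the next hunk), but it takes effect first only because Caddy's default directive ordering places `respond` before `reverse_proxy`, not because of the order on the page; an `order` override in the global options, or a reader assuming textual order matters, could break the deny silently. Making the precedence explicit costs one wrapper, e.g. `handle @external { respond 403 }` or a `route` block, or at least a comment such as `# respond sorts before reverse_proxy, so external peers never reach the upstream`. Separately, a 403 confirms to an outside peer that the hostname is served here; `abort @external` would drop the connection without that acknowledgement, if that trade-off is preferred.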