dogeystamp/homeserver-iac
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

caddy: deny access to private services outside LAN/VPN

Browse Source
This commit is contained in:
dogeystamp 2024-06-16 19:32:35 -04:00
parent 58a2a1526b
commit 1b3e800443
Signed by: dogeystamp
GPG Key ID: 7225FE3592EFFA38
2 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
group_vars/all/50-vars.yml
View File

@ -19,6 +19,11 @@ dataroot: /var/lib/serv_data
dyndns_domain: null dyndns_domain: null
# dyndns_domain: d.nerdpol.ovh # dyndns_domain: d.nerdpol.ovh
# limit this to, for example, your VPN subnet or your local subnet
# alternatively, 0.0.0.0/0 to open up the internal services to all
# for multiple subnets, separate with spaces
internal_cidr: "{{ local_subnet }}"
# this is set true in group_vars/bastion/vars.yml # this is set true in group_vars/bastion/vars.yml
enable_ddclient: false enable_ddclient: false

10
roles/caddy/templates/Caddyfile.j2
View File

@ -10,6 +10,10 @@
} }
{% endif %} {% endif %}
(external) {
@external not remote_ip {{ internal_cidr }}
}
import conf.d/* import conf.d/*
{% if "website" in group_names %} {% if "website" in group_names %}
@ -27,6 +31,9 @@ www.{{ domain }} {
{% if groups["navidrome"] | length > 0 %} {% if groups["navidrome"] | length > 0 %}
{{ navidrome_domain }} { {{ navidrome_domain }} {
import external
respond @external 403
reverse_proxy {{ groups["navidrome"][0] }}:4533 reverse_proxy {{ groups["navidrome"][0] }}:4533
} }
{% endif %} {% endif %}
@ -43,6 +50,9 @@ www.{{ domain }} {
{% if groups["paperless"] | length > 0 %} {% if groups["paperless"] | length > 0 %}
{{ paperless_domain }} { {{ paperless_domain }} {
import external
respond @external 403
reverse_proxy {{ groups["paperless"][0] }}:8000 reverse_proxy {{ groups["paperless"][0] }}:8000
} }
{% endif %} {% endif %}