vps-public: Only allow access to radicale's login page over vpn

2026-01-21 12:51:34 +01:00 · 2026-01-15 22:20:48 +01:00 · 2026-01-15 22:20:48 +01:00 · d73e3744a8
commit d73e3744a8
parent 2f246153d4
1 changed files with 81 additions and 68 deletions
--- a/hosts/vps-public/default.nix
+++ b/hosts/vps-public/default.nix
@ -13,77 +13,90 @@
    ports.validate = true;
  };

-  custom = {
-    persistence.enable = true;
+  custom =
+    let
+      sproutedDomain = "sprouted.cloud";
+    in
+    {
+      persistence.enable = true;

-    sops.enable = true;
+      sops.enable = true;

-    boot.loader.systemd-boot.enable = true;
+      boot.loader.systemd-boot.enable = true;

-    networking = {
-      overlay.address = "10.254.250.4";
-      underlay = {
-        interface = "enp1s0";
-        address = "167.235.73.246";
-        isPublic = true;
+      networking = {
+        overlay.address = "10.254.250.4";
+        underlay = {
+          interface = "enp1s0";
+          address = "167.235.73.246";
+          isPublic = true;
+        };
+        isServer = true;
      };
-      isServer = true;
+
+      services = {
+        gc = {
+          enable = true;
+          onlyCleanRoots = true;
+        };
+
+        nebula.enable = true;
+        sshd.enable = true;
+
+        caddy.virtualHosts."dav.${sproutedDomain}" = {
+          inherit (config.custom.web-services.radicale) port;
+          extraConfig = ''
+            respond /.web/ "Access denied" 403 {
+            	close
+            }
+          '';
+        };
+      };
+
+      web-services =
+        let
+          privateDomain = config.custom.networking.overlay.domain;
+          sstorkDomain = "sstork.dev";
+        in
+        {
+          personal-blog = {
+            enable = true;
+            domain = sstorkDomain;
+          };
+
+          forgejo = {
+            enable = true;
+            domain = "git.${sstorkDomain}";
+            doBackups = true;
+          };
+
+          outline = {
+            enable = true;
+            domain = "wiki.${sproutedDomain}";
+            doBackups = true;
+          };
+
+          it-tools = {
+            enable = true;
+            domain = "tools.${sproutedDomain}";
+          };
+
+          privatebin = {
+            enable = true;
+            domain = "pastebin.${sproutedDomain}";
+            branding.name = "SproutedBin";
+          };
+
+          radicale = {
+            enable = true;
+            domain = "dav.${privateDomain}";
+            doBackups = true;
+          };
+
+          alloy = {
+            enable = true;
+            domain = "alloy.${config.networking.hostName}.${privateDomain}";
+          };
+        };
    };
-
-    services = {
-      gc = {
-        enable = true;
-        onlyCleanRoots = true;
-      };
-
-      nebula.enable = true;
-      sshd.enable = true;
-    };
-
-    web-services =
-      let
-        sstorkDomain = "sstork.dev";
-        sproutedDomain = "sprouted.cloud";
-      in
-      {
-        personal-blog = {
-          enable = true;
-          domain = sstorkDomain;
-        };
-
-        forgejo = {
-          enable = true;
-          domain = "git.${sstorkDomain}";
-          doBackups = true;
-        };
-
-        outline = {
-          enable = true;
-          domain = "wiki.${sproutedDomain}";
-          doBackups = true;
-        };
-
-        it-tools = {
-          enable = true;
-          domain = "tools.${sproutedDomain}";
-        };
-
-        privatebin = {
-          enable = true;
-          domain = "pastebin.${sproutedDomain}";
-          branding.name = "SproutedBin";
-        };
-
-        radicale = {
-          enable = true;
-          domain = "dav.${sproutedDomain}";
-          doBackups = true;
-        };
-
-        alloy = {
-          enable = true;
-          domain = "alloy.${config.networking.hostName}.${config.custom.networking.overlay.domain}";
-        };
-      };
-  };
 }