Allow only exposing services over Tailscale

This works using public DNS, so doesn't need Tailscale's magic DNS to override my local.
2024-03-07 22:30:10 +00:00
parent 451a114262
commit f88d224168
10 changed files with 56 additions and 0 deletions
--- a/ansible/roles/gateway/files/nginx.conf
+++ b/ansible/roles/gateway/files/nginx.conf
@ -21,6 +21,20 @@ map $ssl_preread_server_name $gateway_destination {
 server {
    listen 443;
    listen 8448;
+    listen [::]:443;
+    listen [::]:8448;
    proxy_pass $gateway_destination;
    proxy_protocol on;
 }
+
+server {
+    listen [{{ vps_hosts.private_ipv6_marker }}]:443;
+    listen [{{ vps_hosts.private_ipv6_marker }}]:8448;
+
+    access_log off;
+
+    deny all;
+
+    # This is never used, but need to keep nginx happy
+    proxy_pass 127.0.0.1:80;
+}
--- a/ansible/roles/ingress/files/nginx.conf
+++ b/ansible/roles/ingress/files/nginx.conf
@ -9,6 +9,8 @@ access_log /var/log/nginx/access.log access;
 server {
    listen 443;
    listen 8448;
+    listen [::]:443;
+    listen [::]:8448;
    proxy_pass {{ pve_hosts.docker.ip }}:443;
    proxy_protocol on;
    proxy_socket_keepalive on;
--- a/ansible/roles/pve_docker/files/whoami/docker-compose.yml
+++ b/ansible/roles/pve_docker/files/whoami/docker-compose.yml
@ -7,6 +7,9 @@ services:
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`whoami.theorangeone.net`) || Host(`whoami-cdn.theorangeone.net`)
+
+      - traefik.http.routers.whoami-private.rule=Host(`whoami-private.theorangeone.net`)
+      - traefik.http.routers.whoami-private.middlewares=tailscale-only@file
    networks:
      - default
      - traefik
--- a/ansible/roles/traefik/files/file-provider-main.yml
+++ b/ansible/roles/traefik/files/file-provider-main.yml
@ -8,3 +8,9 @@ http:
      headers:
        customResponseHeaders:
          Permissions-Policy: interest-cohort=()
+
+    tailscale-only:
+      ipAllowList:
+        sourceRange:
+          - "{{ tailscale_cidr }}"
+          - "{{ tailscale_cidr_ipv6 }}"