chore(vouch): clean up local access

2026-02-09 04:19:19 -08:00 · 2024-02-19 15:16:49 -08:00 · 2024-02-19 15:16:49 -08:00 · 9274618cf0
commit 9274618cf0
parent e4596f256f
9 changed files with 208 additions and 89 deletions
--- a/systems/tei/cloudflared.nix
+++ b/systems/tei/cloudflared.nix
@ -69,10 +69,6 @@ in {
        credentialsFile = config.sops.secrets.cloudflared-tunnel-apartment.path;
        default = "http_status:404";
        ingress = listToAttrs [
-          (ingressForNginx {
-            host = config.networking.domain;
-            inherit hostName;
-          })
          (ingressForNginx {
            host = config.services.zigbee2mqtt.domain;
            inherit hostName;
--- a/systems/tei/nixos.nix
+++ b/systems/tei/nixos.nix
@ -27,6 +27,16 @@ in {
    ./cloudflared.nix
  ];

+  services.nginx = let
+    inherit (config.services.nginx) access;
+  in {
+    virtualHosts = {
+      ${access.zigbee2mqtt.domain} = {
+        local.denyGlobal = true;
+      };
+    };
+  };
+
  sops.defaultSopsFile = ./secrets.yaml;

  networking.firewall = {