From 555f6e0f82de6b664ef00baadd012ac5b5d4586c Mon Sep 17 00:00:00 2001
From: Mathieu Strypsteen
Date: Thu, 18 Jul 2024 13:25:33 +0200
Subject: [PATCH] Add IP address filter to nginx

---
 container-config/nginx-home/code | 2 ++
 container-config/nginx-home/element | 2 ++
 container-config/nginx-home/llm | 2 ++
 container-config/nginx-home/network | 2 ++
 container-config/nginx-home/remote-desktop | 2 ++
 .../x86_64/stable/defaults/pref/config.js | 1 +
 setup-vyos.sh | 3 ++-
 7 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/container-config/nginx-home/code b/container-config/nginx-home/code
index 7f0bfda..8824f47 100644
--- a/container-config/nginx-home/code
+++ b/container-config/nginx-home/code
@@ -3,6 +3,8 @@ server {
 server_name *.code-proxy.strypsteen.com;
 listen 443 ssl;
 listen [::]:443 ssl;
+ deny 10.0.0.1;
+ deny fd00::1;
 include snippets/headers.conf;
 location / {
 set $upstream sandbox.server.home.arpa;
diff --git a/container-config/nginx-home/element b/container-config/nginx-home/element
index 49554ae..517df9f 100644
--- a/container-config/nginx-home/element
+++ b/container-config/nginx-home/element
@@ -2,6 +2,8 @@ server {
 server_name element.strypsteen.com;
 listen 443 ssl;
 listen [::]:443 ssl;
+ deny 10.0.0.1;
+ deny fd00::1;
 include snippets/headers.conf;
 location / {
 set $upstream systemd-element.;
diff --git a/container-config/nginx-home/llm b/container-config/nginx-home/llm
index 6a078a8..cabbdba 100644
--- a/container-config/nginx-home/llm
+++ b/container-config/nginx-home/llm
@@ -2,6 +2,8 @@ server {
 server_name llm.strypsteen.com;
 listen 443 ssl;
 listen [::]:443 ssl;
+ deny 10.0.0.1;
+ deny fd00::1;
 include snippets/headers.conf;
 location / {
 set $upstream systemd-big-agi.;
diff --git a/container-config/nginx-home/network b/container-config/nginx-home/network
index d9ac34c..3696f83 100644
--- a/container-config/nginx-home/network
+++ b/container-config/nginx-home/network
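Review bot: The `deny 10.0.0.1;` / `deny fd00::1;` pair is duplicated verbatim in five server blocks (this hunk and the element, llm, network and remote-desktop hunks), while these files already centralise shared directives with `include snippets/headers.conf;`; moving the two lines into one snippet, e.g. `include snippets/<ip-filter>.conf;` (placeholder name), keeps the blocked-address list in a single place so a later change cannot miss a vhost. The address denied here, 10.0.0.1, is also the one the setup-vyos.sh hunk moves wg0 away from (10.0.0.1/24 → 10.255.0.1/24), so a comment stating which host 10.0.0.1 and fd00::1 belong to after that change, e.g. `# refuse requests arriving from <host> (10.0.0.1 / fd00::1)`, would make the intent checkable. nginx matches `deny` against the connection's source address, so if requests reach this server through NAT or another proxy, the address compared is that intermediate hop's rather than the original client's — worth confirming against the deployment. The enclosing `server { … }` block starts and ends outside the hunk.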
@@ -2,6 +2,8 @@ server {
 server_name network.strypsteen.com;
 listen 443 ssl;
 listen [::]:443 ssl;
+ deny 10.0.0.1;
+ deny fd00::1;
 include snippets/headers.conf;
 add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'" always;
 location / {
diff --git a/container-config/nginx-home/remote-desktop b/container-config/nginx-home/remote-desktop
index 1cc4cef..b27b38a 100644
--- a/container-config/nginx-home/remote-desktop
+++ b/container-config/nginx-home/remote-desktop
@@ -2,6 +2,8 @@ server {
 server_name remote-desktop.strypsteen.com;
 listen 443 ssl;
 listen [::]:443 ssl;
+ deny 10.0.0.1;
+ deny fd00::1;
 include snippets/headers.conf;
 add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'" always;
 location / {
diff --git a/desktop/var/lib/flatpak/extension/org.mozilla.firefox.systemconfig/x86_64/stable/defaults/pref/config.js b/desktop/var/lib/flatpak/extension/org.mozilla.firefox.systemconfig/x86_64/stable/defaults/pref/config.js
index 620d388..07be09e 100644
--- a/desktop/var/lib/flatpak/extension/org.mozilla.firefox.systemconfig/x86_64/stable/defaults/pref/config.js
+++ b/desktop/var/lib/flatpak/extension/org.mozilla.firefox.systemconfig/x86_64/stable/defaults/pref/config.js
@@ -25,6 +25,7 @@ pref("media.videocontrols.picture-in-picture.video-toggle.has-used", true);
 pref("middlemouse.paste", false);
 pref("network.IDN_show_punycode", true);
 pref("network.http.referer.XOriginTrimmingPolicy", 2);
+pref("network.trr.excluded-domains", "strypsteen.com");
 pref("permissions.manager.defaultsUrl", "");
 pref("privacy.donottrackheader.enabled", true);
 pref("privacy.globalprivacycontrol.enabled", true);
diff --git a/setup-vyos.sh b/setup-vyos.sh
index 97adef9..51e4473 100644
--- a/setup-vyos.sh
+++ b/setup-vyos.sh
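Review bot: The added `network.trr.excluded-domains` pref carries no comment explaining why strypsteen.com should bypass Firefox's DNS-over-HTTPS, and the rest of this commit (the VyOS `dns forwarding allow-from` change for the new tunnel range) suggests the domain is meant to be answered by the local forwarder rather than the public resolver; a line above it such as `// resolve strypsteen.com via the system resolver so the local forwarder's answers are used instead of DoH` would record that, if it is indeed the reason. The value is a comma-separated list in Firefox, so further internal zones can be appended to the same pref rather than adding a second line.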
@@ -13,7 +13,7 @@ set interfaces ethernet eth2 address 192.168.254.1/24
 set interfaces ethernet eth2 address fc01::1/64
 set interfaces ethernet eth3 address 192.168.253.1/24
 set interfaces ethernet eth3 address fc02::1/64
-set interfaces wireguard wg0 address 10.0.0.1/24
+set interfaces wireguard wg0 address 10.255.0.1/24
 set interfaces wireguard wg0 port 51820
 set service ssh disable-password-authentication
@@ -47,6 +47,7 @@ set service dns forwarding name-server 9.9.9.9
 set service dns forwarding dnssec validate
 set service dns forwarding allow-from 127.0.0.1/32
 set service dns forwarding allow-from 192.168.0.0/16
+set service dns forwarding allow-from 10.255.0.0/16
 set service tftp-server directory /config/tftp
 set service tftp-server listen-address 192.168.253.1
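Review bot: Renumbering wg0 from 10.0.0.1/24 to 10.255.0.1/24 is the only change in this hunk, so anything else that encodes the old tunnel range — peer `allowed-ips` entries, client configurations, or rules that reference 10.0.0.0/24 — must be updated in step or the peers will no longer reach the router; none of that is within this hunk, so this is inferred from the address change alone. A short comment beside the new line, e.g. `# wg0 moved off 10.0.0.0/24: <reason>`, would also document why the address changed, since the nginx hunks in the same commit begin denying 10.0.0.1.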
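Review bot: `allow-from 10.255.0.0/16` opens the resolver to 256 times the range that wg0 is actually given in the previous hunk (`10.255.0.1/24`); unless further 10.255.x.0/24 networks are planned, `set service dns forwarding allow-from 10.255.0.0/24` matches the configured tunnel and keeps the ACL as tight as the existing `127.0.0.1/32` entry. No IPv6 range for the tunnel is allowed here, while the nginx hunks deny `fd00::1`; if wg0 also carries an IPv6 prefix (not visible in this diff), it would need its own allow-from for those clients to use the forwarder.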