m 1 wry: forbid external paste access

author: makefu <github@syntax-fehler.de> 2016-12-25 01:08:49 +0100
committer: makefu <github@syntax-fehler.de> 2016-12-25 01:08:49 +0100
commit: 6b4f2995f48e4a72ac56692045829c0ea754a6ab (patch)
tree: bdb859a52178a59cba3c91c2e4b2b5568985548c /1systems
parent: dec5f927d6bde3b8f6b73a3ebd515928407aeb9e (diff)
1 files changed, 6 insertions, 6 deletions
diff --git a/1systems/wry.nix b/1systems/wry.nix
index 81ee37bbe..6290ff6e9 100644
--- a/1systems/wry.nix
+++ b/1systems/wry.nix
@@ -13,7 +13,7 @@ in {
       ../2configs/fs/CAC-CentOS-7-64bit.nix
       ../2configs/save-diskspace.nix
 
-      # ../2configs/bepasty-dual.nix
+      ../2configs/bepasty-dual.nix
 
       ../2configs/iodined.nix
       ../2configs/backup.nix
@@ -45,14 +45,14 @@ in {
                                random-emoji ];
   };
 
-  # bepasty to listen only on the correct interfaces
-  krebs.bepasty.servers.internal.nginx.listen  = [ "${internal-ip}:80" ];
-  krebs.bepasty.servers.external.nginx.listen  = [ "${external-ip}:80" "${external-ip}:443 ssl" ];
-
   # prepare graphs
   services.nginx.enable = true;
   krebs.retiolum-bootstrap.enable = true;
-
+  krebs.bepasty.servers."paste.r".nginx.extraConfig = ''
+    if ( $server_addr = "${external-ip}" ) {
+      return 403;
+    }
+  '';
   krebs.tinc_graphs = {
     enable = true;
     nginx = {
author	makefu <github@syntax-fehler.de>	2016-12-25 01:08:49 +0100
committer	makefu <github@syntax-fehler.de>	2016-12-25 01:08:49 +0100
commit	6b4f2995f48e4a72ac56692045829c0ea754a6ab (patch)
tree	bdb859a52178a59cba3c91c2e4b2b5568985548c /1systems
parent	dec5f927d6bde3b8f6b73a3ebd515928407aeb9e (diff)