machines/legosi: explicitely only expose xandikos over tailscale

author: Profpatsch <mail@profpatsch.de> 2022-06-26 15:55:14 +0200
committer: Profpatsch <mail@profpatsch.de> 2022-06-26 16:00:52 +0200
commit: 328a6cb75551837d0576f6a872ac9290482fdfc0 (patch)
tree: 49f10998ed6db38821a52164cf524bdf8a562177 /machines/profpatsch
parent: c76943d1c026319ebb1e88ba9aa42b09f9494856 (diff)
1 files changed, 11 insertions, 3 deletions
diff --git a/machines/profpatsch/legosi.nix b/machines/profpatsch/legosi.nix
index 2159fc15..2c7d4638 100644
--- a/machines/profpatsch/legosi.nix
+++ b/machines/profpatsch/legosi.nix
@@ -17,6 +17,7 @@ let
   qwerkyKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM3ORvMbdHaJfgPgMhWTqgVrP1L7kkvuETQpzl0IjP2G tc@windoof";
 
   xandikosPort = 2345;
+  tailscaleInterface = "tailscale0";
   tailscaleAddress = "100.89.52.54";
 
 in {
@@ -57,9 +58,13 @@ in {
       firewall = {
         allowedTCPPorts = [
           80 443
-          # only binds against tailscale subnet
-          xandikosPort
         ];
+
+        interfaces.${tailscaleInterface} = {
+          allowedTCPPorts = [
+            xandikosPort
+          ];
+        };
       };
 
       interfaces.ens3 = {
@@ -75,7 +80,10 @@ in {
       };
     };
 
-    services.tailscale.enable = true;
+    services.tailscale = {
+      enable = true;
+      interfaceName = tailscaleInterface;
+    };
 
     services.duplicity = {
       enable = true;
author	Profpatsch <mail@profpatsch.de>	2022-06-26 15:55:14 +0200
committer	Profpatsch <mail@profpatsch.de>	2022-06-26 16:00:52 +0200
commit	328a6cb75551837d0576f6a872ac9290482fdfc0 (patch)
tree	49f10998ed6db38821a52164cf524bdf8a562177 /machines/profpatsch
parent	c76943d1c026319ebb1e88ba9aa42b09f9494856 (diff)