From 328a6cb75551837d0576f6a872ac9290482fdfc0 Mon Sep 17 00:00:00 2001
From: Profpatsch
Date: Sun, 26 Jun 2022 15:55:14 +0200
Subject: machines/legosi: explicitely only expose xandikos over tailscale
---
 machines/profpatsch/legosi.nix | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
(limited to 'machines/profpatsch')
diff --git a/machines/profpatsch/legosi.nix b/machines/profpatsch/legosi.nix
index 2159fc15..2c7d4638 100644
--- a/machines/profpatsch/legosi.nix
+++ b/machines/profpatsch/legosi.nix
@@ -17,6 +17,7 @@ let
 qwerkyKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM3ORvMbdHaJfgPgMhWTqgVrP1L7kkvuETQpzl0IjP2G tc@windoof";
 xandikosPort = 2345;
+ tailscaleInterface = "tailscale0";
 tailscaleAddress = "100.89.52.54";
 in {
@@ -57,9 +58,13 @@ in {
 firewall = {
 allowedTCPPorts = [
 80 443
- # only binds against tailscale subnet
- xandikosPort
 ];
+ interfaces.${tailscaleInterface} = {
+ allowedTCPPorts = [
+ xandikosPort
+ ];
+ };
 };
 interfaces.ens3 = {
@@ -75,7 +80,10 @@ in {
 };
 };
- services.tailscale.enable = true;
+ services.tailscale = {
+ enable = true;
+ interfaceName = tailscaleInterface;
+ };
 services.duplicity = {
 enable = true;
--
cgit 1.4.1
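Review bot: The new `interfaces.${tailscaleInterface}` block in the second hunk replaces the only comment that explained why `xandikosPort` differs from 80 and 443, so the intent now lives only in the commit subject; a comment above the block such as `# xandikos must only be reachable over tailscale; do not add xandikosPort to the global allowedTCPPorts` would keep it next to the rule. The rule matches on the interface name, so it depends on the third hunk's `interfaceName = tailscaleInterface;` staying tied to the same `let` binding, which it currently is. The removed comment suggests the service also binds only to the tailscale address, but that setting is outside the hunks shown; if it listens on all addresses, this firewall rule is the sole restriction, so it is worth confirming that both layers remain in place. The attribute set enclosing `firewall` begins outside the hunk.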