m 1 wry: forbid external paste access

author: makefu <github@syntax-fehler.de> 2016-12-25 01:08:49 +0100
committer: makefu <github@syntax-fehler.de> 2016-12-25 01:08:49 +0100
commit: 1488a0c752eb368d03b95fe9069e47d9eb952ca0 (patch)
tree: 3cecb0aa0676373c1cbb13f6a3cfd2b0721567e0
parent: 47ade5b208c2fa2a1c4b96cbe753d2889a9da55e (diff)
1 files changed, 6 insertions, 6 deletions
diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix
index 81ee37bbe..6290ff6e9 100644
--- a/makefu/1systems/wry.nix
+++ b/makefu/1systems/wry.nix
@@ -13,7 +13,7 @@ in {
       ../2configs/fs/CAC-CentOS-7-64bit.nix
       ../2configs/save-diskspace.nix
 
-      # ../2configs/bepasty-dual.nix
+      ../2configs/bepasty-dual.nix
 
       ../2configs/iodined.nix
       ../2configs/backup.nix
@@ -45,14 +45,14 @@ in {
                                random-emoji ];
   };
 
-  # bepasty to listen only on the correct interfaces
-  krebs.bepasty.servers.internal.nginx.listen  = [ "${internal-ip}:80" ];
-  krebs.bepasty.servers.external.nginx.listen  = [ "${external-ip}:80" "${external-ip}:443 ssl" ];
-
   # prepare graphs
   services.nginx.enable = true;
   krebs.retiolum-bootstrap.enable = true;
-
+  krebs.bepasty.servers."paste.r".nginx.extraConfig = ''
+    if ( $server_addr = "${external-ip}" ) {
+      return 403;
+    }
+  '';
   krebs.tinc_graphs = {
     enable = true;
     nginx = {
author	makefu <github@syntax-fehler.de>	2016-12-25 01:08:49 +0100
committer	makefu <github@syntax-fehler.de>	2016-12-25 01:08:49 +0100
commit	1488a0c752eb368d03b95fe9069e47d9eb952ca0 (patch)
tree	3cecb0aa0676373c1cbb13f6a3cfd2b0721567e0
parent	47ade5b208c2fa2a1c4b96cbe753d2889a9da55e (diff)