diff --git a/machines/storage/s0/default.nix b/machines/storage/s0/default.nix
index 4cfc89b..b4c65dd 100644
--- a/machines/storage/s0/default.nix
+++ b/machines/storage/s0/default.nix
@@ -194,9 +194,6 @@
       (mkVirtualHost "music.s0.neet.dev" "http://localhost:4533")
       (mkVirtualHost "jellyfin.s0.neet.dev" "http://localhost:8096")
       (mkVirtualHost "s0.neet.dev" "http://localhost:56815")
-      (mkVirtualHost "ha.s0.neet.dev" "http://localhost:8123") # home assistant
-      (mkVirtualHost "esphome.s0.neet.dev" "http://localhost:6052")
-      (mkVirtualHost "zigbee.s0.neet.dev" "http://localhost:55834")
       {
         # Landing page LAN redirect
         "s0" = {
@@ -204,6 +201,11 @@
           redirectCode = 302;
           globalRedirect = "s0.neet.dev";
         };
+      }
+      (mkVirtualHost "ha.s0.neet.dev" "http://localhost:8123") # home assistant
+      (mkVirtualHost "esphome.s0.neet.dev" "http://localhost:6052")
+      (mkVirtualHost "zigbee.s0.neet.dev" "http://localhost:55834")
+      {
         "frigate.s0.neet.dev" = {
           # Just configure SSL, frigate module configures the rest of nginx
           useACMEHost = "s0.neet.dev";
@@ -212,19 +214,6 @@
       }
     ];
 
-  # Problem #1: Keeping certain programs from being accessed from certain external networks/VLANs
-  # Solution #1: Isolate that service in a container system that automatically fowards the ports to the right network interface(s)
-  # Solution #2: Don't open the firewall for these services, manually open the ports instead for the specific network interface(s) (trickier and easy to miss ports or ports can change)
-  # Untrusted network list:
-  #  - VLANs [cameras]
-
-  # Problem #2: Untrusted internal services. Prevent them from accessing certain internal services (usually key unauth'd services like frigate)
-  # Solution #1: Isolate the untrusted services into their own container
-  # Untrusted services list:
-  #  - Unifi? (it already has access to the cameras anyway?)
-  #  - torrenting, *arr (worried about vulns)
-
-
   tailscaleAuth = {
     enable = true;
     virtualHosts = [
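Review bot: The three `mkVirtualHost` entries re-added after the `s0` landing-page block in the second hunk keep `# home assistant` as a trailing comment on `ha.s0.neet.dev` only, so the new ha/esphome/zigbee grouping has no visible reason in this hunk; a one-line comment above them, `# home automation hosts (Home Assistant, ESPHome, Zigbee)`, would carry the intent and let the trailing comment go. All three are still proxied to plain `http://localhost:…` upstreams with no access restriction visible in the hunk, and since the list appears to be merged as a whole the reorder is presumably cosmetic rather than a behaviour change; if the move prepares for listing these names under `tailscaleAuth.virtualHosts`, which opens in the third hunk and runs past the diff, saying so in that comment would make the commit self-explaining. The enclosing `virtualHosts` list begins before the first hunk.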