From 5dc68117c722fc24e4cda2904f014bf5389ac74c Mon Sep 17 00:00:00 2001
From: Tigor Hutasuhut
Date: Sun, 28 Jul 2024 21:05:39 +0700
Subject: [PATCH] cockpit: now remote access is denied by default. Require wireguard to access cockpit.
---
 system/services/cockpit.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/system/services/cockpit.nix b/system/services/cockpit.nix
index 2aaee32..5ab3ca4 100644
--- a/system/services/cockpit.nix
+++ b/system/services/cockpit.nix
@@ -8,7 +8,11 @@ in
 environment.systemPackages = mkIf config.profile.podman.enable [
 (pkgs.callPackage ../packages/cockpit-podman.nix { })
 ];
- services.caddy.virtualHosts."cockpit.tigor.web.id".extraConfig = ''
+ services.caddy.virtualHosts."cockpit.tigor.web.id".extraConfig = /*caddyfile*/ ''
+ @denied not remote_ip private_ranges
+
+ respond @denied "Access denied" 403
+
 reverse_proxy 0.0.0.0:9090
 '';
 services.udisks2.enable = true;
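Review bot: The added matcher `@denied not remote_ip private_ranges` is wider than the commit message's "require wireguard". `private_ranges` admits every RFC 1918, loopback and ULA peer, so any LAN host, local container, or local tunnel/proxy sitting in front of Caddy passes the check, not only WireGuard peers. Narrowing it to the VPN subnet, e.g. `@denied not remote_ip <wireguard-subnet-cidr>` (placeholder; the subnet is not shown in this hunk), would match the stated intent. The unchanged upstream `reverse_proxy 0.0.0.0:9090` would be clearer as `reverse_proxy 127.0.0.1:9090`. The restriction also only holds if Cockpit's own port 9090 is not reachable directly; its listen address and the firewall rules are outside this hunk, so that is worth confirming.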