From 655960ee3ccf394112dfc8a1a882f18abb5ea979 Mon Sep 17 00:00:00 2001
From: Tigor Hutasuhut
Date: Sun, 28 Jul 2024 21:17:35 +0700
Subject: [PATCH] router: requires wireguard to access the router page from remote.
---
 secrets/caddy_reverse_proxy.yaml | 21 ---------------------
 system/services/caddy.nix | 15 +++++++--------
 2 files changed, 7 insertions(+), 29 deletions(-)
 delete mode 100644 secrets/caddy_reverse_proxy.yaml
diff --git a/secrets/caddy_reverse_proxy.yaml b/secrets/caddy_reverse_proxy.yaml
deleted file mode 100644
index 70cb4a8..0000000
--- a/secrets/caddy_reverse_proxy.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-router: ENC[AES256_GCM,data:AulD1VVGGYhEEnHEr8TSYLfMyA14BfTUF3QKxlKpbH7G5Eo/CGZaTSQYBzehgmNZKVAZAG1Efe60aSNhlk1ZlGxMnODGw1wV/dAnuTrqd7ixEE/hz9hO1qr1daWRmb73jQpw3XmFeAHBl4XnLIhdLFNXKEcgZBJ7piw5ZXDpG5EhaUrPhKpRMQb+yPkA9eBTI023iFOiJ8du1TF0RuqTUExUSCkcVaNgpn0pwd5tgnM/gAg7SJ0MGNRPaVL0Bq2S5e6SSO90mFcXPEQDk/1jy3Ml7ZFFQ9GrN612X3j2lYLKcwfBH5327pU=,iv:UBxOzdVt8Nof+I/H2wY0Tng8rrKZyt3fPRVLzygxIuo=,tag:TIWvIFy2QGkP1qMlnnMlbQ==,type:str]
-sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhK1lrMkJlNmJwK3ZvSjhz
- VnFQa2xMdEt0dU9pRlQxbWZIT09ObVI2cUNBCkx2UnBQOTFRYkhXR0pyWGgxdVIr
- R3NvZDBTU3lIY3RHZkxKRDQzRWhmYUUKLS0tIDJtNFc2VzRNQVdxZ0kxME91Um9p
- OTBPaGdUZ1ZueUlKMVlhOHBreFV6OVEKBhcqTTA9Vufnn/WAhR5zb08Nsn48zmD2
- +bdJf+0B68Z57Q/47fNjvXclqLdDCWToTlIjOTnzVH2oXOWKQQxj6g==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-06-13T13:48:11Z"
- mac: ENC[AES256_GCM,data:LjWV/1NPeN58VHH/lgHTukHHDu0zfqCCLeFoVS4yN91IkjdvvqwvTD74GDigw7lm++6LWILjF0zIlryUHJKg4T+Xztsj/kRntVuhSTXsDUU9mu/AOCLu5P7k4fn+N9rAMh5ML9ukeU+ZxTaOHLfezYMLv2c+01B1iMfjZ2qJ9Q4=,iv:Dh4WG98sfRUrTYnbfrZt0gX0co8lI8DUpdxFMy165GI=,tag:9Nn9UcKijyu6RhUjiUDd4g==,type:str]
- pgp: []
- unencrypted_suffix: _unencrypted
- version: 3.8.1
diff --git a/system/services/caddy.nix b/system/services/caddy.nix
index bc09b1d..6a6df5c 100644
--- a/system/services/caddy.nix
+++ b/system/services/caddy.nix
@@ -7,15 +7,14 @@ in
 config = mkIf cfg.enable {
 services.caddy = {
 enable = true;
- extraConfig = ''
- import /etc/caddy/sites-enabled/*
- '';
 };
- sops.secrets."router" = {
- sopsFile = ../../secrets/caddy_reverse_proxy.yaml;
- path = "/etc/caddy/sites-enabled/router";
- mode = "0444";
- };
+ services.caddy.virtualHosts."router.tigor.web.id".extraConfig = ''
+ @denied not remote_ip private_ranges
+
+ respond @denied "Access denied" 403
+
+ reverse_proxy 192.168.100.1
+ '';
 };
 }
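Review bot: The `@denied not remote_ip private_ranges` matcher admits far more than WireGuard peers: `private_ranges` is Caddy's shorthand for all RFC 1918 space plus loopback and IPv6 ULA, so any LAN host, container bridge or local process that can connect to this Caddy instance is proxied to the router UI at 192.168.100.1. If the intent is LAN plus VPN only, list those networks explicitly, e.g. `@denied not remote_ip <lan-cidr> <wireguard-cidr>` (placeholders; the actual subnets are not visible in this patch). The check also depends on Caddy seeing the real peer address, so confirm that nothing in front of this host (a port-forward with source NAT, another proxy) presents public clients with a private source address. A short comment above the matcher naming the networks that are meant to pass would make that assumption reviewable. The module's outer attribute set opens outside the hunk.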