Add initial nginx container

2022-05-31 21:25:51 +01:00
parent e79fd4234c
commit 11dbc01ba0
11 changed files with 111 additions and 24 deletions
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@@ -146,14 +146,26 @@
                  enable = true;
                  externalInterface = "wan";
                };
-                extraRules = ''
+                extraRules =
+                let
+                  aa = allAssignments;
+                  matchInet = rule: sys: ''
+                    ip daddr ${aa."${sys}".internal.ipv4.address} ${rule}
+                    ip6 daddr ${aa."${sys}".internal.ipv6.address} ${rule}
+                  '';
+                in
+                ''
                  table inet filter {
                    chain routing-tcp {
                      # Safe enough to allow all SSH
                      tcp dport ssh accept
+
+                      ${matchInet "tcp dport { http, https } accept" "middleman"}
+
+                      return
                    }
                    chain routing-udp {
-
+                      return
                    }
                    chain filter-routing {
                      tcp flags & (fin|syn|rst|ack) == syn ct state new jump routing-tcp