From b163c249fa3a56a083c7892162bdf12c83f2d66f Mon Sep 17 00:00:00 2001
From: Ivan Dimitrov
Date: Fri, 5 Apr 2024 17:54:34 +0300
Subject: [PATCH] restrict roundcube only to vpn
---
 mailserver/nginx/default.nix | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/mailserver/nginx/default.nix b/mailserver/nginx/default.nix
index b48a6b8..6372539 100644
--- a/mailserver/nginx/default.nix
+++ b/mailserver/nginx/default.nix
@@ -1,10 +1,16 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 let
 webshiteConfig = ''
 add_header 'Referrer-Policy' 'origin-when-cross-origin';
 add_header X-Content-Type-Options nosniff;
 add_header Onion-Location http://sxfx23zafag4lixkb4s6zwih7ga5jnzfgtgykcerd354bvb6u7alnkid.onion;
 '';
+ restrictToVpn = ''
+ allow 10.0.0.2/32;
+ allow fdc9:281f:04d7:9ee9::2/128;
+ allow 10.0.0.3/32;
+ deny all;
+ '';
 in
 {
 services = {
@@ -32,6 +38,9 @@ in
 };
 extraConfig = webshiteConfig;
 };
+ "${config.mailserver.fqdn}" = {
+ extraConfig = restrictToVpn;
+ };
 "src.idimitrov.dev" = {
 enableACME = true;
 forceSSL = true;
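Review bot: The `restrictToVpn` allow-list is asymmetric and undocumented: it admits two IPv4 peers (`10.0.0.2`, `10.0.0.3`) but only one IPv6 address (`fdc9:281f:04d7:9ee9::2`), so the second peer would presumably be refused whenever it reaches the host over IPv6. The literals also repeat addresses that the VPN configuration assigns elsewhere, and nothing ties the two together, so a renumbered or newly added peer loses access without any evaluation error. I would put a comment above the binding, for example `# VPN peer addresses allowed to reach webmail; keep in sync with the VPN peer list`, and either add the second peer's IPv6 address or state why it is left out. The rule matches on the client address nginx sees, so it only holds while nothing in front of nginx rewrites that address.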
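Review bot: The access rule is attached to the vhost named `config.mailserver.fqdn`, which protects Roundcube only if the webmail is actually served under that exact name; the hunk does not show where the Roundcube vhost is defined. If it comes from the NixOS Roundcube module, keying the entry as `"${config.services.roundcube.hostName}" = { extraConfig = restrictToVpn; };` would keep the restriction bound to the webmail host even if the two names diverge later. Because `allow`/`deny` are emitted at server level, they also cover every other location on that vhost unless a location sets its own access rules, so it is worth confirming that nothing else under the mail FQDN needs public reach and checking from a non-VPN address that the host answers 403. The enclosing `virtualHosts` set starts and ends outside the hunk.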