Make vaultwarden VPN only

The first service to go dark...
2024-03-21 23:20:27 +00:00 · 2024-03-21 23:20:27 +00:00 · b2656bdf43
commit b2656bdf43
parent 124b83526d
3 changed files with 11 additions and 3 deletions
--- a/ansible/roles/traefik/files/file-provider-main.yml
+++ b/ansible/roles/traefik/files/file-provider-main.yml
@ -10,7 +10,15 @@ http:
          Permissions-Policy: interest-cohort=()

    tailscale-only:
-      ipAllowList:
+      ipWhiteList:
        sourceRange:
          - "{{ tailscale_cidr }}"
          - "{{ tailscale_cidr_ipv6 }}"
+
+    private-access:
+      ipWhiteList:
+        sourceRange:
+          - "{{ tailscale_cidr }}"
+          - "{{ tailscale_cidr_ipv6 }}"
+          - "{{ nebula.cidr }}"
+          - "{{ pve_hosts.internal_cidr }}"
--- a/ansible/roles/vaultwarden/files/docker-compose.yml
+++ b/ansible/roles/vaultwarden/files/docker-compose.yml
@ -22,7 +22,7 @@ services:
      - traefik.http.middlewares.vaultwarden-ratelimit.ratelimit.average=5
      - traefik.http.middlewares.vaultwarden-ratelimit.ratelimit.burst=200

-      - traefik.http.routers.vaultwarden.middlewares=vaultwarden-ratelimit
+      - traefik.http.routers.vaultwarden.middlewares=vaultwarden-ratelimit,tailscale-only@file
    environment:
      - SIGNUPS_ALLOWED=false
      - DOMAIN=https://vaultwarden.jakehoward.tech
--- a/terraform/jakehoward.tech.tf
+++ b/terraform/jakehoward.tech.tf
@ -143,7 +143,7 @@ resource "cloudflare_record" "jakehowardtech_grafana" {
 resource "cloudflare_record" "jakehowardtech_vaultwarden" {
  zone_id = cloudflare_zone.jakehowardtech.id
  name    = "vaultwarden"
-  value   = cloudflare_record.sys_domain_pve.hostname
+  value   = cloudflare_record.sys_domain_private.hostname
  type    = "CNAME"
  ttl     = 1
 }