Allow only exposing services over Tailscale

This works using public DNS, so doesn't need Tailscale's magic DNS to override my local.

ansible/group_vars/all/tailscale.yml

@@ -2,5 +2,6 @@
 tailscale_up_skip: true
 
 tailscale_cidr: 100.64.0.0/24  # It's really /10, but I don't use that many IPs
+tailscale_cidr_ipv6: fd7a:115c:a1e0::/120  # It's really /48, but I don't use that many IPs
 
 tailscale_port: 41641

ansible/group_vars/all/vps-hosts.yml

@@ -1,3 +1,5 @@
 "vps_hosts":
   "casey_ip": "213.219.38.11"
+  "private_ipv6_marker": "2a01:7e00:e000:7f7::1"
+  "private_ipv6_range": "2a01:7e00:e000:7f7::1/128"
   "walker_ip": "192.248.168.230"

ansible/roles/gateway/files/nginx.conf

@@ -21,6 +21,20 @@ map $ssl_preread_server_name $gateway_destination {
 server {
     listen 443;
     listen 8448;
+    listen [::]:443;
+    listen [::]:8448;
     proxy_pass $gateway_destination;
     proxy_protocol on;
 }
+
+server {
+    listen [{{ vps_hosts.private_ipv6_marker }}]:443;
+    listen [{{ vps_hosts.private_ipv6_marker }}]:8448;
+
+    access_log off;
+
+    deny all;
+
+    # This is never used, but need to keep nginx happy
+    proxy_pass 127.0.0.1:80;
+}

ansible/roles/ingress/files/nginx.conf

@@ -9,6 +9,8 @@ access_log /var/log/nginx/access.log access;
 server {
     listen 443;
     listen 8448;
+    listen [::]:443;
+    listen [::]:8448;
     proxy_pass {{ pve_hosts.docker.ip }}:443;
     proxy_protocol on;
     proxy_socket_keepalive on;

ansible/roles/pve_docker/files/whoami/docker-compose.yml

@@ -7,6 +7,9 @@ services:
     labels:
       - traefik.enable=true
       - traefik.http.routers.whoami.rule=Host(`whoami.theorangeone.net`) || Host(`whoami-cdn.theorangeone.net`)
+
+      - traefik.http.routers.whoami-private.rule=Host(`whoami-private.theorangeone.net`)
+      - traefik.http.routers.whoami-private.middlewares=tailscale-only@file
     networks:
       - default
       - traefik

ansible/roles/traefik/files/file-provider-main.yml

@@ -8,3 +8,9 @@ http:
       headers:
         customResponseHeaders:
           Permissions-Policy: interest-cohort=()
+
+    tailscale-only:
+      ipAllowList:
+        sourceRange:
+          - "{{ tailscale_cidr }}"
+          - "{{ tailscale_cidr_ipv6 }}"

terraform/casey_vps.tf

@@ -6,6 +6,16 @@ resource "linode_instance" "casey" {
   private_ip = true
 }
 
+resource "linode_ipv6_range" "casey_extra" {
+  linode_id = linode_instance.casey.id
+  prefix_length = 64
+}
+
+locals {
+  private_ipv6_marker = cidrhost(linode_ipv6_range.casey_extra.id, 1)
+  private_ipv6_range  = cidrsubnet(linode_ipv6_range.casey_extra.id, 64, 1)
+}
+
 resource "linode_firewall" "casey" {
   label           = "casey"
   linodes         = [linode_instance.casey.id]

terraform/context.tf

@@ -2,6 +2,8 @@ resource "local_file" "hosts" {
   content = yamlencode({
     vps_hosts : {
       casey_ip : linode_instance.casey.ip_address,
+      private_ipv6_marker : local.private_ipv6_marker,
+      private_ipv6_range : local.private_ipv6_range,
       walker_ip : vultr_instance.walker.main_ip,
     }
   })

terraform/sys_domains.tf

@@ -37,3 +37,11 @@ resource "cloudflare_record" "sys_domain_pve" {
   type    = "A"
   ttl     = 1
 }
+
+resource "cloudflare_record" "sys_domain_private" {
+  zone_id = cloudflare_zone.theorangeonenet.id
+  name    = "private.sys"
+  value   = local.private_ipv6_marker
+  type    = "AAAA"
+  ttl     = 1
+}

terraform/theorangeone.net.tf

@@ -26,6 +26,14 @@ resource "cloudflare_record" "theorangeonenet_whoami_cdn" {
   ttl     = 1
 }
 
+resource "cloudflare_record" "theorangeonenet_whoami_private" {
+  zone_id = cloudflare_zone.theorangeonenet.id
+  name    = "whoami-private"
+  value   = cloudflare_record.sys_domain_private.hostname
+  type    = "CNAME"
+  ttl     = 1
+}
+
 resource "cloudflare_record" "theorangeonenet_mx1" {
   zone_id  = cloudflare_zone.theorangeonenet.id
   name     = "@"