fix: allow incoming traffic to web server to bypass tailscale

2024-01-25 02:15:35 +01:00 · 2024-01-25 02:15:35 +01:00 · 7bb4b02d52
parent 41a222bc8f
commit 7bb4b02d52
2 changed files with 21 additions and 2 deletions
--- a/system/server.nix
+++ b/system/server.nix
@ -5,4 +5,22 @@

  # use xserver without display manager
  services.xserver.displayManager.startx.enable = true;
+
+  # Allow web server to be accessible when running Tailscale with exit node
+  networking.nftables.enable = true;
+  networking.nftables.ruleset = ''
+    table inet allow-incoming-traffic {
+      chain allow-incoming {
+        type filter hook input priority -100; policy accept;
+        tcp dport {80, 443} meta mark set 0x80000;
+        udp dport {80, 443} meta mark set 0x80000;
+      }
+
+      chain allow-outgoing {
+        type route hook output priority -100; policy accept;
+        tcp sport {80, 443} meta mark set 0x80000;
+        udp sport {80, 443} meta mark set 0x80000;
+      }
+    }
+  '';
 }
--- a/system/vpn.nix
+++ b/system/vpn.nix
@ -36,10 +36,11 @@ in {
    ${cfg.package}/bin/tailscale up ${lib.escapeShellArgs cfg.extraUpFlags}

    ${cfg.package}/bin/tailscale cert ${tailnetHost}
+    chown nginx:nginx /var/lib/tailscale/certs/${tailnetHost}.{key,crt}
  '';

  services.nginx.virtualHosts.${tailnetHost} = {
-    sslCertificate = "/var/lib/tailscale/certs/${tailnetHost}.key";
-    sslCertificateKey = "/var/lib/tailscale/certs/${tailnetHost}.crt";
+    sslCertificate = "/var/lib/tailscale/certs/${tailnetHost}.crt";
+    sslCertificateKey = "/var/lib/tailscale/certs/${tailnetHost}.key";
  };
 }