From 9795ed55b8953382fb6d6c3175d4dfb24a6a8116 Mon Sep 17 00:00:00 2001
From: Ember 'n0emis' Keske <git@n0emis.eu>
Date: Wed, 20 Jul 2022 23:58:11 +0200
Subject: [PATCH] nerd: only allow export from services-net

---
 hosts/nerd/nerd.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/hosts/nerd/nerd.nix b/hosts/nerd/nerd.nix
index dff3203..469e6f0 100644
--- a/hosts/nerd/nerd.nix
+++ b/hosts/nerd/nerd.nix
@@ -79,8 +79,16 @@
     enable = true;
     virtualHosts."nerd.bula22.de" = {
       extraConfig = ''
+        @disallow_export {
+          not remote_ip 10.42.10.0/24 2a01:4f8:1c0c:8221::/64
+          path /export.json*
+        }
+
         route {
           file_server /static/*
+          respond @disallow_export 403 {
+            close
+          }
           reverse_proxy * http://127.0.0.1:10510
         }