cluster/services/ipfs: filter private addresses

cluster/services/ipfs/node.nix

@@ -137,6 +137,24 @@ in
     serviceConfig = {
       Slice = "remotefshost.slice";
       AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+      IPAddressDeny = [
+        "10.0.0.0/8"
+        "100.64.0.0/10"
+        "169.254.0.0/16"
+        "172.16.0.0/12"
+        "192.0.0.0/24"
+        "192.0.2.0/24"
+        "192.168.0.0/16"
+        "198.18.0.0/15"
+        "198.51.100.0/24"
+        "203.0.113.0/24"
+        "240.0.0.0/4"
+        "100::/64"
+        "2001:2::/48"
+        "2001:db8::/32"
+        "fc00::/7"
+        "fe80::/10"
+      ];
     };
     postStart = "chmod 660 /run/ipfs/ipfs-api.sock";
   };