cluster/services/ipfs: filter private addresses

2022-11-17 15:55:28 +01:00 · 2022-11-17 15:55:28 +01:00 · 3c8bbf3bde
commit 3c8bbf3bde
parent bafd0a0c83
1 changed files with 18 additions and 0 deletions
--- a/cluster/services/ipfs/node.nix
+++ b/cluster/services/ipfs/node.nix
@ -137,6 +137,24 @@ in
    serviceConfig = {
      Slice = "remotefshost.slice";
      AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+      IPAddressDeny = [
+        "10.0.0.0/8"
+        "100.64.0.0/10"
+        "169.254.0.0/16"
+        "172.16.0.0/12"
+        "192.0.0.0/24"
+        "192.0.2.0/24"
+        "192.168.0.0/16"
+        "198.18.0.0/15"
+        "198.51.100.0/24"
+        "203.0.113.0/24"
+        "240.0.0.0/4"
+        "100::/64"
+        "2001:2::/48"
+        "2001:db8::/32"
+        "fc00::/7"
+        "fe80::/10"
+      ];
    };
    postStart = "chmod 660 /run/ipfs/ipfs-api.sock";
  };