deny all rules

modules/users/overseer/services/bar-assistant.nix

@@ -37,6 +37,11 @@ in
         enable = true;
         recommendedProxySettings = true;
         virtualHosts = {
+          extraConfig = ''
+            allow 192.168.0.0/16;
+            allow 10.8.0.0/24;
+            deny all;
+          '';
           "bar.wanderingcrow.net" = {
             forceSSL = true;
             useACMEHost = "bar.wanderingcrow.net";

modules/users/overseer/services/bookstack.nix

@@ -35,6 +35,11 @@ in
         appKeyFile = config.sops.secrets."bookstack/key".path;
         nginx = {
           forceSSL = true;
+          extraConfig = ''
+            allow 192.168.0.0/16;
+            allow 10.8.0.0/24;
+            deny all;
+          '';
           useACMEHost = "bookstack.wanderingcrow.net";
         };
       };

modules/users/overseer/services/grocy.nix

@@ -7,6 +7,11 @@ lib.mkIf config.user.overseer.enable {
   services.nginx.virtualHosts."grocy.wanderingcrow.net" = {
     forceSSL = true;
     useACMEHost = "grocy.wanderingcrow.net";
+    extraConfig = ''
+      allow 192.168.0.0/16;
+      allow 10.8.0.0/24;
+      deny all;
+    '';
   };
 
   services.grocy = {

modules/users/overseer/services/homebox.nix

@@ -26,6 +26,11 @@ lib.mkIf config.user.overseer.enable {
           forceSSL = true;
           useACMEHost = "homebox.wanderingcrow.net";
           locations."/" = {
+            extraConfig = ''
+              allow 192.168.0.0/16;
+              allow 10.8.0.0/24;
+              deny all;
+            '';
             proxyPass = "http://localhost:7745";
             proxyWebsockets = true;
           };

modules/users/overseer/services/homepage.nix

@@ -24,6 +24,7 @@ lib.mkIf config.user.overseer.enable {
         locations."/" = {
           extraConfig = ''
             allow 192.168.0.0/16;
+            allow 10.8.0.0/24;
             deny all;
           '';
           proxyPass = "http://localhost:8082";