From ae8c959bd0b5537c6c54aceb1a4ee76e00953c3d Mon Sep 17 00:00:00 2001
From: ibizaman
Date: Sun, 30 Jul 2023 17:44:50 -0700
Subject: [PATCH] restrict ldap UI to local network only
---
 README.md | 1 +
 modules/ldap.nix | 8 ++++++++
 2 files changed, 9 insertions(+)
diff --git a/README.md b/README.md
index 9ca5b6b..9fd0142 100644
--- a/README.md
+++ b/README.md
@@ -10,6 +10,7 @@ services. Also, the design will be extendable to allow users to add services not
 - [ ] SSO with Authelia.
 - [X] LDAP server through lldap, it provides a nice Web UI.
+ - [X] Administrative UI only accessible from local network.
 - [X] Backup with Restic or BorgBackup
 - [X] Monitoring through Prometheus and Grafana.
 - [X] Export systemd services status.
diff --git a/modules/ldap.nix b/modules/ldap.nix
index 96cd742..4c02576 100644
--- a/modules/ldap.nix
+++ b/modules/ldap.nix
@@ -32,6 +32,12 @@ in
 description = "Sops file location";
 example = "secrets/ldap.yaml";
 };
+ localNetworkIPRange = lib.mkOption {
+ type = lib.types.str;
+ description = "Local network range, to restrict access to the UI to only those IPs.";
+ example = "192.168.1.1/24";
+ };
 };
@@ -61,6 +67,8 @@ in
 locations."/" = {
 extraConfig = ''
 proxy_set_header Host $host;
+ allow ${cfg.localNetworkIPRange};
+ deny all;
 '';
 proxyPass = "http://${toString config.services.lldap.settings.http_host}:${toString config.services.lldap.settings.http_port}/";
 };
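Review bot: The example `192.168.1.1/24` given for the new `localNetworkIPRange` option has host bits set; nginx masks them off (and, as far as I recall, logs a warning that the low address bits are meaningless), but as written it reads like a single host rather than a network — use `example = "192.168.1.0/24";`. Because the value is spliced into nginx as one `allow` argument, a `lib.types.str` can express only one range; consider `type = lib.types.listOf lib.types.str;` so an operator can also allow loopback and an IPv6 prefix, otherwise IPv6 clients on the same LAN are locked out by the `deny all` that consumes this option. The option has no default, so every consumer of this module must now set it or evaluation fails — worth saying so in the description. The `options` attribute set this declaration lives in starts before the hunk.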
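Review bot: The `allow`/`deny` pair added under `locations."/"` keys on `$remote_addr`, so it only restricts access while nginx sees the true client address; if this vhost is ever placed behind another proxy or gains `set_real_ip_from`/`real_ip_header` from a forwarded header, the address becomes attacker-controlled and the guard is bypassable — record that assumption next to the lines, e.g. `# Relies on $remote_addr being the direct client; never derive it from X-Forwarded-For here.` Putting the two directives in the virtualHost-level `extraConfig` instead of a single location would also cover any location added to this vhost later. Finally, the restriction protects only the nginx front door: the backend at `http_host:http_port` in `proxyPass` stays reachable directly unless lldap binds to loopback, which I cannot see from this hunk — verify `http_host` is `127.0.0.1`. The enclosing virtualHost definition begins before the hunk.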