From d48222784bb0880f706d52f51cd640dc4e8e64a3 Mon Sep 17 00:00:00 2001
From: Rouven Seifert <rouven@rfive.de>
Date: Mon, 10 Jul 2023 11:52:51 +0200
Subject: [PATCH] restrict mailman to university networks

---
 modules/mailman.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/modules/mailman.nix b/modules/mailman.nix
index 8e111e3..9fc73dc 100644
--- a/modules/mailman.nix
+++ b/modules/mailman.nix
@@ -31,5 +31,13 @@
   services.nginx.virtualHosts."lists.${config.fsr.domain}" = {
     enableACME = true;
     forceSSL = true;
+    # deny non-uni access to prevent sending dozens of confirm emails
+    locations."/mailman3".extraConfig = ''
+      allow 141.30.0.0/16;
+      allow 141.76.0.0/16;
+      allow 172.16.0.0/16;
+      deny all;
+      uwsgi_pass unix:/run/mailman-web.socket;
+    '';
   };
 }