From b4fac5ab8c85916b3c331cf2e7d23f881d561905 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aleix=20Bon=C3=A9?=
Date: Tue, 7 Oct 2025 11:15:56 +0200
Subject: [PATCH] Set X-Private header for private derivations
---
 src/Main.hs | 36 +-----------------------------------
 1 file changed, 1 insertion(+), 35 deletions(-)
diff --git a/src/Main.hs b/src/Main.hs
index 3dddc1e..186413d 100644
--- a/src/Main.hs
+++ b/src/Main.hs
@@ -12,7 +12,6 @@ import Control.Monad.IO.Class (liftIO)
 import Data.ByteString (ByteString)
 import Data.CharSet.ByteSet (ByteSet(..))
 import Data.Function ((&))
-import Data.Word (Word8)
 import Network.Socket (SockAddr(..))
 import Network.Wai (Application)
 import Nix (NoSuchPath(..), PathInfo(..))
@@ -58,20 +57,6 @@ validHashPartBytes =
 <> [ 0x76 .. 0x7A ] -- vwxyz
 )
-type HostAddressTuple = (Word8, Word8, Word8, Word8)
-
-isInWhitelist :: Socket.HostAddress -> Bool
-isInWhitelist host = any (uncurry (inRange $ Socket.hostAddressToTuple host)) allowedIPs
- where
- allowedIPs :: [(HostAddressTuple, HostAddressTuple)]
- allowedIPs = [
- ((127,0,0,1), (127,0,0,1)),
- ((10,0,0,1), (10,255,255,254)),
- ((192,168,72,1), (192,168,79,254))
- ]
-
- inRange ip a b = ip >= a && ip <= b
-
 validHashPart :: ByteString -> Bool
 validHashPart hash = ByteString.all (`ByteSet.member` validHashPartBytes) hash
@@ -271,27 +256,8 @@ makeApplication ApplicationOptions{..} request respond = do
 let privateFilePath = ByteString.Char8.unpack storePath ++ "/nix-support/private"
 isPrivate <- liftIO $ Directory.doesPathExist privateFilePath
- let isLocal = case Wai.remoteHost request of
- SockAddrInet _ host -> isInWhitelist host
- _ -> False
-
- traceM $ show (Wai.remoteHost request, isLocal)
 traceM $ show (privateFilePath, isPrivate)
- Monad.when (isPrivate && not isLocal) do
- let headers = [ ("Content-Type", "text/plain") ]
-
- let builder = "Forbidden.\n"
-
- let response =
- Wai.responseBuilder
- Types.status403
- headers
- builder
-
- done response
-
-
 let streamingBody write flush = do
 result <- Nix.dumpPath hashPart callback
@@ -303,7 +269,7 @@ makeApplication ApplicationOptions{..} request respond = do
 () <- write builder
 flush
- let headers = [ ("Content-Type", "text/plain") ]
+ let headers = [ ("Content-Type", "text/plain") ] <> [("X-Private", "true") | isPrivate]
 let response = Wai.responseStream Types.status200 headers streamingBody
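Review bot: On the new `headers` line in the last hunk, a private store path is now served with `Types.status200` and the full `streamingBody`, and `X-Private: true` is only a label on that response; the 403 branch removed in the previous hunk was the only access check visible in this handler. If nothing in front of the service acts on that header, any client that can reach it can download private derivations, and the header is delivered together with the content it marks. The trust assumption should be written next to the header, for example `-- X-Private is advisory: a fronting proxy must refuse or restrict responses that carry it`, and a test should cover the private case. The surviving `traceM $ show (privateFilePath, isPrivate)` looks like leftover debug output on the request path and could go in the same change. makeApplication's body starts and ends outside both hunks.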