Christoph Heiss
ede4400e9e
All checks were successful
flake / build (push) Successful in 2m57s
Signed-off-by: Christoph Heiss <christoph@c8h4.io>
86 lines
2.2 KiB
Nix
86 lines
2.2 KiB
Nix
{ config, lib, pkgs, secrets, ... }:
|
|
|
|
{
|
|
sops.secrets."acme/token" = {
|
|
sopsFile = ../secrets/sops/acme.yaml;
|
|
owner = "acme";
|
|
inherit (config.security.acme.defaults) group;
|
|
mode = "0440";
|
|
};
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
enableReload = true;
|
|
package = pkgs.nginxMainline;
|
|
recommendedBrotliSettings = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedProxySettings = true;
|
|
recommendedTlsSettings = true;
|
|
recommendedZstdSettings = true;
|
|
clientMaxBodySize = lib.mkDefault "16M";
|
|
appendHttpConfig = ''
|
|
# avoid hitting the disk
|
|
proxy_max_temp_file_size 0;
|
|
'';
|
|
};
|
|
|
|
users.users.nginx.extraGroups = [ config.security.acme.defaults.group ];
|
|
|
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
|
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
defaults = {
|
|
email = "contact@christoph-heiss.at";
|
|
dnsProvider = "hetzner";
|
|
dnsResolver = "hydrogen.ns.hetzner.com:53";
|
|
reloadServices = [ "nginx" ];
|
|
environmentFile = secrets."acme/token".path;
|
|
};
|
|
certs."c8h4.io" = {
|
|
domain = "*.c8h4.io";
|
|
extraDomainNames = [ "c8h4.io" ];
|
|
};
|
|
};
|
|
|
|
systemd.services.nginx = {
|
|
after = [ "network-online.target" ];
|
|
wants = [ "network-online.target" ];
|
|
};
|
|
|
|
services.fail2ban.jails = lib.mkIf config.services.fail2ban.enable {
|
|
apache-badbots.settings = {
|
|
enabled = true;
|
|
backend = "pyinotify";
|
|
port = "http,https";
|
|
filter = "apache-badbots";
|
|
logpath = "/var/log/nginx/access.log";
|
|
maxretry = 1;
|
|
bantime = "72h";
|
|
};
|
|
disrespectful-crawlers = {
|
|
filter = {
|
|
Definition = {
|
|
badcrawlers = ".*(Amazonbot|Bytespider).*";
|
|
failregex =
|
|
''^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badcrawlers)s)"$'';
|
|
ignoreregex = "";
|
|
datepattern = ''
|
|
^[^\[]*\[({DATE})
|
|
{^LN-BEG}'';
|
|
};
|
|
};
|
|
settings = {
|
|
enabled = true;
|
|
backend = "pyinotify";
|
|
port = "http,https";
|
|
filter = "disrespectful-crawlers";
|
|
logpath = "/var/log/nginx/access.log";
|
|
maxretry = 1;
|
|
bantime = "72h";
|
|
};
|
|
};
|
|
};
|
|
}
|