nixos-config/services/nginx.nix
Christoph Heiss ede4400e9e
services: nginx: add fail2ban filter for (more) crawlers
Signed-off-by: Christoph Heiss <christoph@c8h4.io>
2024-08-22 23:11:20 +02:00


{ config, lib, pkgs, secrets, ... }:
{
# Credentials file handed to the ACME client as `environmentFile` below
# (DNS-01 challenge; `dnsProvider = "hetzner"`). Decrypted by sops at
# activation time, never stored in the Nix store.
sops.secrets."acme/token" = {
  sopsFile = ../secrets/sops/acme.yaml;
  owner = "acme";
  # Share the ACME group so the file is readable by the acme user and its
  # group only (see the 0440 mode): nginx is added to that group below.
  inherit (config.security.acme.defaults) group;
  mode = "0440";
};
# Reverse proxy front end for this host. Its access log at
# /var/log/nginx/access.log is the input for the fail2ban jails declared
# further down in this file.
services.nginx = {
  enable = true;
  # Reload instead of restart on config changes (certificate renewals use
  # the same path via `reloadServices` in security.acme).
  enableReload = true;
  package = pkgs.nginxMainline;
  recommendedBrotliSettings = true;
  recommendedGzipSettings = true;
  recommendedOptimisation = true;
  recommendedProxySettings = true;
  recommendedTlsSettings = true;
  recommendedZstdSettings = true;
  # mkDefault so an individual vhost/module can raise or lower the limit.
  clientMaxBodySize = lib.mkDefault "16M";
  appendHttpConfig = ''
    # avoid hitting the disk
    proxy_max_temp_file_size 0;
  '';
};
# nginx needs group access to the ACME certificate directory to serve the
# wildcard certificate declared below.
users.users.nginx.extraGroups = [ config.security.acme.defaults.group ];
# Only plain HTTP and HTTPS are exposed; everything else goes through the proxy.
networking.firewall.allowedTCPPorts = [ 80 443 ];
# Let's Encrypt configuration. A wildcard certificate requires the DNS-01
# challenge, hence the DNS provider setup rather than an HTTP challenge.
security.acme =
  let
    baseDomain = "c8h4.io";
  in {
    acceptTerms = true;
    defaults = {
      email = "contact@christoph-heiss.at";
      dnsProvider = "hetzner";
      # Resolver used to verify the challenge record before asking the CA.
      dnsResolver = "hydrogen.ns.hetzner.com:53";
      # Provider credentials come from the sops secret declared above.
      environmentFile = secrets."acme/token".path;
      # Pick up renewed certificates without a full restart.
      reloadServices = [ "nginx" ];
    };
    # One certificate for the apex and every first-level subdomain.
    certs.${baseDomain} = {
      domain = "*.${baseDomain}";
      extraDomainNames = [ baseDomain ];
    };
  };
# Delay nginx until the network is actually up, not just configured
# (presumably so upstream/DNS lookups at startup succeed — confirm).
systemd.services.nginx = {
  after = [ "network-online.target" ];
  wants = [ "network-online.target" ];
};
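# fail2ban jails fed by the nginx access log. Only rendered when fail2ban is
# enabled elsewhere in the configuration.
services.fail2ban.jails = lib.mkIf config.services.fail2ban.enable (
  let
    # Settings shared by both jails below; each jail adds its own `filter`.
    # maxretry = 1 means a single matching request bans the logged client
    # address for 72h. NOTE(review): should nginx ever sit behind a proxy or
    # CDN, make sure the logged address is the real client and not a
    # header-supplied value, otherwise bans land on the wrong address.
    nginxJail = {
      enabled = true;
      # NOTE(review): the pyinotify library is unmaintained upstream; fail2ban's
      # "auto" backend falls back to polling for a plain log file — confirm the
      # packaged fail2ban still supports pyinotify before relying on it.
      backend = "pyinotify";
      port = "http,https";
      logpath = "/var/log/nginx/access.log";
      maxretry = 1;
      bantime = "72h";
    };
  in {
    # Stock fail2ban filter for well-known bad bots.
    apache-badbots.settings = nginxJail // { filter = "apache-badbots"; };

    # Custom filter for crawlers not covered by apache-badbots, matched on the
    # User-Agent field (assumes the default combined log format, where the UA
    # is the last quoted field of the line).
    disrespectful-crawlers = {
      filter.Definition = {
        # Bounded to the UA field with [^"]* rather than .* so the regex cannot
        # backtrack across the request line and referer (both client-supplied
        # content) on every non-matching log line.
        badcrawlers = ''[^"]*(?:Amazonbot|Bytespider)[^"]*'';
        # %(badcrawlers)s is fail2ban's own ini interpolation, not Nix.
        failregex =
          ''^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badcrawlers)s)"$'';
        ignoreregex = "";
        # Same date handling as fail2ban's apache-badbots filter: the
        # timestamp sits inside the first [...] of the line.
        datepattern = ''
          ^[^\[]*\[({DATE})
          {^LN-BEG}'';
      };
      settings = nginxJail // { filter = "disrespectful-crawlers"; };
    };
  }
);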
}