server_config/sys/srv/net.nix

{
  lib,
  pkgs,
  ...
}:
with lib; {
  networking = {
    nftables.enable = true;
    firewall = {
      enable = true;
      allowedTCPPorts = [80 443];
    };
    domain = "posixlycorrect.com";
  };

  # ver https://nixos.org/manual/nixos/stable/index.html#module-security-acme-nginx
  security.acme = {
    acceptTerms = true;
    defaults.email = "fabian@posixlycorrect.com";
  };

  services = {
    nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      logError = "/var/log/nginx/error.log";
      clientMaxBodySize = "99M";
      virtualHosts = {
        "posixlycorrect.com" = {
          forceSSL = true;
          enableACME = true;
          root = "${pkgs.local.homepage}";
        };
      };
    };
    fail2ban = {
      enable = true;
      bantime = "10m";
      ignoreIP = ["37.205.12.34"]; # Never ban the server's own IP
      bantime-increment = {
        enable = true;
        formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
        maxtime = "48h"; # Do not ban for more than 48h
        rndtime = "10m";
        overalljails = true; # Calculate the bantime based on all the violations
      };
      jails = {
        # https://discourse.nixos.org/t/fail2ban-with-nginx-and-authelia/31419
        nginx-botsearch.settings = {
          # Usar log en vez de journalctl
          # TODO: Pasar todo a systemd?
          backend = "pyinotify";
          logpath = "/var/log/nginx/*.log";
          journalmatch = "";
        };
        nginx-bad-request.settings = {
          backend = "pyinotify";
          logpath = "/var/log/nginx/*.log";
          journalmatch = "";
          maxretry = 10;
        };
      };
    };
  };
}
initial public commit 2024-08-23 21:01:33 +02:00			`{`
add alejandra formatter 2024-08-24 09:52:56 +02:00			`lib,`
			`pkgs,`
			`...`
			`}:`
			`with lib; {`
initial public commit 2024-08-23 21:01:33 +02:00			`networking = {`
			`nftables.enable = true;`
			`firewall = {`
			`enable = true;`
add alejandra formatter 2024-08-24 09:52:56 +02:00			`allowedTCPPorts = [80 443];`
initial public commit 2024-08-23 21:01:33 +02:00			`};`
			`domain = "posixlycorrect.com";`
			`};`

			`# ver https://nixos.org/manual/nixos/stable/index.html#module-security-acme-nginx`
			`security.acme = {`
			`acceptTerms = true;`
			`defaults.email = "fabian@posixlycorrect.com";`
			`};`

			`services = {`
			`nginx = {`
			`enable = true;`
			`recommendedGzipSettings = true;`
			`recommendedOptimisation = true;`
			`recommendedProxySettings = true;`
			`recommendedTlsSettings = true;`
			`logError = "/var/log/nginx/error.log";`
			`clientMaxBodySize = "99M";`
			`virtualHosts = {`
			`"posixlycorrect.com" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`root = "${pkgs.local.homepage}";`
			`};`
			`};`
			`};`
			`fail2ban = {`
			`enable = true;`
			`bantime = "10m";`
add alejandra formatter 2024-08-24 09:52:56 +02:00			`ignoreIP = ["37.205.12.34"]; # Never ban the server's own IP`
initial public commit 2024-08-23 21:01:33 +02:00			`bantime-increment = {`
			`enable = true;`
			`formula = "ban.Time * math.exp(float(ban.Count+1)banFactor)/math.exp(1banFactor)";`
			`maxtime = "48h"; # Do not ban for more than 48h`
			`rndtime = "10m";`
			`overalljails = true; # Calculate the bantime based on all the violations`
			`};`
			`jails = {`
			`# https://discourse.nixos.org/t/fail2ban-with-nginx-and-authelia/31419`
			`nginx-botsearch.settings = {`
			`# Usar log en vez de journalctl`
			`# TODO: Pasar todo a systemd?`
			`backend = "pyinotify";`
			`logpath = "/var/log/nginx/*.log";`
			`journalmatch = "";`
			`};`
			`nginx-bad-request.settings = {`
			`backend = "pyinotify";`
			`logpath = "/var/log/nginx/*.log";`
			`journalmatch = "";`
			`maxretry = 10;`
			`};`
			`};`
			`};`
			`};`
			`}`