nix_config/sys/platforms/vps/srv/net.nix

{
  config,
  lib,
  pkgs,
  ...
}:
with lib; let
  inherit (config.local.sys) nets;
in {
  # adds "/var/lib/acme/acme-challenge" as a webroot fallback
  options = {
    security.acme = {
      certs = mkOption {
        type = with types;
          attrsOf (submodule ({config, ...}: {
            config = {
              webroot =
                if config.dnsProvider == null
                then "/var/lib/acme/acme-challenge"
                else null;
            };
          }));
      };
    };
  };

  config = {
    networking = {
      nftables.enable = false; # learn how to use this later
      firewall = {
        enable = true;
        allowedTCPPorts = [80 443];
      };
      domain = "posixlycorrect.com";
    };

    # ver https://nixos.org/manual/nixos/stable/index.html#module-security-acme-nginx
    security.acme = {
      acceptTerms = true;
      defaults = {
        email = "fabian@posixlycorrect.com";
      };
    };

    services = {
      nginx = {
        enable = true;
        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;
        recommendedTlsSettings = true;
        logError = "/var/log/nginx/error.log";
        clientMaxBodySize = "99M";
        virtualHosts = {
          "posixlycorrect.com" = {
            forceSSL = true;
            enableACME = true;
            locations = {
              "/".root = "${pkgs.trivium.homepage}";
              "/.well-known/openpgpkey/hu/".alias = "/var/public/wkd/";
            };
          };
        };
      };

      fail2ban = {
        enable = true;
        bantime = "10m";
        ignoreIP = [
          nets.default.hosts.vps.v6.cidr
          nets.default.hosts.vps.v4.address
          nets.vpn.v6.cidr
        ];
        bantime-increment = {
          enable = true;
          formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
          maxtime = "48h"; # Do not ban for more than 48h
          rndtime = "10m";
          overalljails = true; # Calculate the bantime based on all the violations
        };
        jails = {
          # https://discourse.nixos.org/t/fail2ban-with-nginx-and-authelia/31419
          nginx-botsearch.settings = {
            # Usar log en vez de journalctl
            # TODO: Pasar todo a systemd?
            backend = "pyinotify";
            logpath = "/var/log/nginx/*.log";
            journalmatch = "";
          };
          nginx-bad-request.settings = {
            backend = "pyinotify";
            logpath = "/var/log/nginx/*.log";
            journalmatch = "";
            maxretry = 10;
          };
        };
      };
    };
  };
}