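{
  config,
  lib,
  pkgs,
  ...
}:
# NixOS module for the public web host of posixlycorrect.com: nginx serving the
# homepage package plus a directory listing of ./public_files over ACME-issued
# TLS, with fail2ban watching the nginx logs.
let
  # `config` is now bound explicitly in the argument set above. The previous
  # version read `config.local.sys` without naming `config` in the arguments,
  # which fails evaluation with "undefined variable 'config'". `with lib;` was
  # dropped because nothing in this file uses a bare lib name.
  inherit (config.local.sys) nets;

  # Settings shared by both nginx jails: tail the log files under
  # /var/log/nginx instead of the journal.
  # TODO: move everything to systemd/journald?
  # NOTE(review): pyinotify is unmaintained upstream; confirm the fail2ban
  # package on this system still ships it, otherwise use "auto".
  nginxLogJail = {
    backend = "pyinotify";
    logpath = "/var/log/nginx/*.log";
    journalmatch = "";
  };
in {
  networking = {
    nftables.enable = false; # learn how to use this later
    firewall = {
      enable = true;
      # Only HTTP and HTTPS are reachable from outside; everything else is
      # closed by the firewall.
      allowedTCPPorts = [80 443];
    };
    domain = "posixlycorrect.com";
  };

  # see https://nixos.org/manual/nixos/stable/index.html#module-security-acme-nginx
  security.acme = {
    acceptTerms = true;
    defaults.email = "fabian@posixlycorrect.com";
  };

  services = {
    nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      # Protocol/cipher defaults from the NixOS module.
      # NOTE(review): check whether this also emits a Strict-Transport-Security
      # header; if not and HSTS is wanted, add it via the vhost's extraConfig.
      recommendedTlsSettings = true;
      # Keep the error log as a file under /var/log/nginx, where the fail2ban
      # jails below read from.
      logError = "/var/log/nginx/error.log";
      clientMaxBodySize = "99M";
      virtualHosts = {
        "posixlycorrect.com" = {
          forceSSL = true; # redirect every plain-HTTP request to HTTPS
          enableACME = true; # certificate issued through security.acme
          locations = {
            "/".root = "${pkgs.local.homepage}";

            # Directory listing of ./public_files under /public.
            # Using an anchored regex with a capture, instead of a prefix
            # `location /public` plus `alias`, means `/public../x` does not
            # match this location, which avoids the classic nginx alias
            # traversal. nginx is expected to normalise dot-segments before
            # matching, so `$1` should not escape the directory -- worth a
            # quick check with an encoded `..`. ../public_files is copied into
            # the world-readable Nix store and autoindex lists everything in
            # it, so nothing private may live in that directory.
            "~ ^/public(?:/(.*))?$" = {
              # https://serverfault.com/a/476368
              alias = "${../public_files}/$1";
              extraConfig = ''
                autoindex on;
                autoindex_exact_size on;
                autoindex_localtime on;
                autoindex_format html;
              '';
            };
          };
        };
      };
    };
    fail2ban = {
      enable = true;
      bantime = "10m";
      # Never ban our own VPS addresses or the VPN range.
      ignoreIP = [
        nets.default.hosts.vps.v6.cidr
        nets.default.hosts.vps.v4.address
        nets.vpn.v6.cidr
      ];
      bantime-increment = {
        enable = true;
        # Exponential growth with the ban count, normalised so the first ban
        # equals bantime.
        formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
        maxtime = "48h"; # Do not ban for more than 48h
        rndtime = "10m";
        overalljails = true; # Calculate the bantime based on all the violations
      };
      jails = {
        # https://discourse.nixos.org/t/fail2ban-with-nginx-and-authelia/31419
        nginx-botsearch.settings = nginxLogJail;
        nginx-bad-request.settings = nginxLogJail // {
          maxretry = 10;
        };
      };
    };
  };
}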