{ config, pkgs, lib, inputs, ... }: let cfg = config.services.vm_nginx; in { options.services.vm_nginx = { enable = lib.mkEnableOption "Enable minimal config"; proxy_ip = lib.mkOption { type = lib.types.str; description = "The Nginx proxy IP address"; }; }; config = lib.mkIf cfg.enable { security.acme = { acceptTerms = true; defaults.email = "theo.barnouin@le43.eu"; certs."authentik.le43.eu".extraDomainNames = [ "le43.eu" ]; }; services = { crowdsec-firewall-bouncer = { enable = true; package = inputs.crowdsec.packages."x86_64-linux".crowdsec-firewall-bouncer; settings = { api_key = "XIgNVuxdP74m+UPbd3WJnHHJdLhRiTbhuH6z2mPRIFg"; api_url = "http://${cfg.proxy_ip}:8080"; }; }; crowdsec = { settings = { general = { api = { server = { enable = true; listen_uri = "${cfg.proxy_ip}:8080"; }; }; }; }; hub.collections = [ "firix/authentik" "crowdsecurity/sshd" "crowdsecurity/linux" "crowdsecurity/nginx" "crowdsecurity/http-cve" "crowdsecurity/base-http-scenarios" ]; localConfig = { acquisitions = [ { source = "journalctl"; journalctl_filter = [ "_SYSTEMD_UNIT=nginx.service" ]; labels = { type = "syslog"; }; } ]; parsers.s02Enrich = [ { name = "gateway"; description = "Whitelist Gateway IP for VPN access"; whitelist = { reason = "Gateway IP"; ip = [ "192.168.1.254" ]; }; } ]; }; }; fail2ban = { enable = lib.mkForce false; jails = { nginx-http-auth = '' enabled = true port = http,https logpath = /var/log/nginx/*.log skip_if_nologs = true backend = polling journalmatch = ''; nginx-botsearch = '' enabled = true port = http,https logpath = /var/log/nginx/*.log skip_if_nologs = true backend = polling journalmatch = ''; nginx-bad-request = '' enabled = true port = http,https logpath = /var/log/nginx/*.log skip_if_nologs = true backend = polling journalmatch = ''; }; }; nginx = { enable = true; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; clientMaxBodySize = "10000m"; sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; appendHttpConfig = '' # Add HSTS header with preloading to HTTPS requests. # Adding this header to HTTP requests is discouraged map $scheme $hsts_header { https "max-age=31536000; includeSubdomains; preload"; } add_header Strict-Transport-Security $hsts_header; # Enable CSP for your services. #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; add_header Content-Security-Policy "frame-ancestors self *.le43.eu; upgrade-insecure-requests; frame-src 'self' http://office.le43.eu;"; # Minimize information leaked to other domains add_header 'Referrer-Policy' 'origin-when-cross-origin'; # Disable embedding as a frame #add_header X-Frame-Options SAMEORIGIN; # Prevent injection of code in other mime types (XSS Attacks) add_header X-Content-Type-Options nosniff; client_body_buffer_size 400M; ''; user = "tbarnouin"; logError = "syslog:server=unix:/dev/log"; commonHttpConfig = '' access_log syslog:server=unix:/dev/log; ''; virtualHosts = { "le43.eu" = { forceSSL = true; enableACME = true; globalRedirect = "authentik.le43.eu"; }; "logs.le43.eu" = { forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://192.168.1.27:3000"; proxyWebsockets = true; recommendedProxySettings = true; }; }; "play.le43.eu" = { forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://192.168.1.42:8096"; recommendedProxySettings = true; }; }; "requests.le43.eu" = { forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://192.168.1.125:5055"; recommendedProxySettings = true; }; }; "vault.le43.eu" = { forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://192.168.1.125:8888"; recommendedProxySettings = true; }; }; "cloud.le43.eu" = { forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://192.168.1.45"; proxyWebsockets = true; recommendedProxySettings = true; }; }; "git.le43.eu" = { forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://192.168.1.14:3000"; recommendedProxySettings = true; extraConfig = '' rewrite ^/user/login$ /user/oauth2/authentik; ''; }; }; "authentik.le43.eu" = { forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://192.168.1.125:9000"; recommendedProxySettings = true; proxyWebsockets = true; }; }; "uptime.le43.eu" = { forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://192.168.1.90:3001"; recommendedProxySettings = true; proxyWebsockets = true; }; }; }; }; }; networking.firewall.allowedTCPPorts = [80 443]; }; }