tbarnouin/nixos-hypervisor
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
nixos-hypervisor/services/nginx/default.nix
Théo Barnouin 42792ec4d8 Try to use age for crowdsec lapi config
2025-04-04 15:30:24 +02:00

240 lines
7.2 KiB
Nix
Raw Blame History

{
config,
pkgs,
lib,
inputs,
...
}: let
cfg = config.services.vm_nginx;
in {
options.services.vm_nginx = {
enable = lib.mkEnableOption "Enable minimal config";
};
config = lib.mkIf cfg.enable {
age.secrets = {
cs-lapi-key = {
file = ./secrets/cs-lapi-key.age;
owner = "crowdsec";
};
};
security.acme = {
acceptTerms = true;
defaults.email = "theo.barnouin@le43.eu";
certs."authentik.le43.eu".extraDomainNames = [
"le43.eu"
];
};
services = {
crowdsec-firewall-bouncer = {
enable = true;
package = inputs.crowdsec.packages."x86_64-linux".crowdsec-firewall-bouncer;
settings = {
api_key = "XIgNVuxdP74m+UPbd3WJnHHJdLhRiTbhuH6z2mPRIFg";
api_url = "http://localhost:8080";
};
};
crowdsec = {
enable = true;
package = pkgs.crowdsec;
autoUpdateService = false;
openFirewall = true;
settings = {
general = {
api = {
server = {
enable = true;
listen_uri = "127.0.0.1:8080";
};
};
prometheus.listen_addr = "0.0.0.0";
};
lapi.credentialsFile = "${config.age.secrets.cs-api-key.path}";
};
hub.collections = [
"firix/authentik"
"crowdsecurity/sshd"
"crowdsecurity/linux"
"crowdsecurity/nginx"
"LePresidente/grafana"
"LePresidente/jellyfin"
"crowdsecurity/http-cve"
"crowdsecurity/nextcloud"
"crowdsecurity/base-http-scenarios"
];
localConfig = {
acquisitions = [
{
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
labels = {
type = "syslog";
};
}
];
};
};
fail2ban = {
jails = {
nginx-http-auth = ''
enabled = true
port = http,https
logpath = /var/log/nginx/*.log
skip_if_nologs = true
backend = polling
journalmatch =
'';
nginx-botsearch = ''
enabled = true
port = http,https
logpath = /var/log/nginx/*.log
skip_if_nologs = true
backend = polling
journalmatch =
'';
nginx-bad-request = ''
enabled = true
port = http,https
logpath = /var/log/nginx/*.log
skip_if_nologs = true
backend = polling
journalmatch =
'';
};
};
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
clientMaxBodySize = "10000m";
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
appendHttpConfig = ''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services.
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header Content-Security-Policy "frame-ancestors self *.le43.eu; upgrade-insecure-requests; frame-src 'self' http://office.le43.eu;";
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
#add_header X-Frame-Options SAMEORIGIN;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
client_body_buffer_size 400M;
'';
user = "tbarnouin";
logError = "syslog:server=unix:/dev/log";
commonHttpConfig = ''
access_log syslog:server=unix:/dev/log;
'';
virtualHosts = {
"le43.eu" = {
forceSSL = true;
enableACME = true;
globalRedirect = "authentik.le43.eu";
};
"logs.le43.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.1.27:3000";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
"play.le43.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.1.42:8096";
recommendedProxySettings = true;
};
};
"requests.le43.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.1.125:5055";
recommendedProxySettings = true;
};
};
"vault.le43.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.1.125:8888";
recommendedProxySettings = true;
};
};
"cloud.le43.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.1.45";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
"office.le43.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.1.125:8000";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
"collabora.le43.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.1.19:9980";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
"git.le43.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.1.14:3000";
recommendedProxySettings = true;
extraConfig = ''
rewrite ^/user/login$ /user/oauth2/authentik;
'';
};
};
"authentik.le43.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.1.125:9000";
recommendedProxySettings = true;
proxyWebsockets = true;
};
};
"uptime.le43.eu" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://192.168.1.90:3001";
recommendedProxySettings = true;
proxyWebsockets = true;
};
};
};
};
};
networking.firewall.allowedTCPPorts = [80 443];
};
}
Reference in a new issue View git blame Copy permalink