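{
  config,
  pkgs,
  lib,
  inputs,
  ...
}: let
  cfg = config.services.vm_nginx;
in {
  # NixOS module: public TLS-terminating reverse proxy for *.le43.eu, guarded by
  # CrowdSec (local API + firewall bouncer on this host). Only 80/443 are opened
  # in the host firewall (see networking.firewall at the bottom); every upstream
  # is reached over plain HTTP on the LAN.
  options.services.vm_nginx = {
    enable = lib.mkEnableOption "Enable minimal config";

    # Address of this proxy host; used both as the CrowdSec LAPI bind address
    # and as the URL the bouncer connects to.
    proxy_ip = lib.mkOption {
      type = lib.types.str;
      description = "The Nginx proxy IP address";
    };
  };

  config = lib.mkIf cfg.enable {
    security.acme = {
      acceptTerms = true;
      defaults.email = "theo.barnouin@le43.eu";
      # The apex domain is added as a SAN of the authentik certificate. Note
      # that the "le43.eu" virtualHost below also sets enableACME = true, which
      # requests a second, separate certificate for the apex; setting
      # `useACMEHost = "authentik.le43.eu"` on that vhost would reuse this one.
      certs."authentik.le43.eu".extraDomainNames = [
        "le43.eu"
      ];
    };

    services = {
      crowdsec-firewall-bouncer = {
        enable = true;
        # Pick the package for the platform being built rather than hard-coding
        # x86_64-linux (identical result on x86_64-linux).
        package = inputs.crowdsec.packages.${pkgs.stdenv.hostPlatform.system}.crowdsec-firewall-bouncer;
        settings = {
          # SECURITY: this LAPI bouncer key is a credential, yet it is committed
          # in cleartext and, as part of the evaluated module, ends up in the
          # world-readable Nix store. Treat it as compromised: rotate it and
          # supply it at runtime from a secrets file rather than a Nix literal.
          api_key = "XIgNVuxdP74m+UPbd3WJnHHJdLhRiTbhuH6z2mPRIFg";
          # Plain HTTP to the LAPI on this same host (see listen_uri below).
          api_url = "http://${cfg.proxy_ip}:8080";
        };
      };

      crowdsec = {
        settings = {
          general = {
            api = {
              server = {
                enable = true;
                # The LAPI is bound to the LAN address (not loopback) and speaks
                # plain HTTP, so it is reachable by whatever the host firewall
                # lets in -- only 80/443 are opened below, keep it that way.
                # If no other host pushes alerts to this LAPI, binding to
                # 127.0.0.1:8080 (and pointing api_url at it) is the least
                # exposed choice.
                listen_uri = "${cfg.proxy_ip}:8080";
              };
            };
          };
        };

        # firix/authentik only produces detections if authentik's own logs
        # reach this LAPI; authentik runs on 192.168.1.125, not on this host.
        hub.collections = [
          "firix/authentik"
          "crowdsecurity/sshd"
          "crowdsecurity/linux"
          "crowdsecurity/nginx"
          "crowdsecurity/http-cve"
          "crowdsecurity/base-http-scenarios"
        ];

        localConfig = {
          acquisitions = [
            {
              # nginx writes both logs to syslog (logError / access_log below),
              # so they are read back from the journal instead of from files.
              source = "journalctl";
              journalctl_filter = [ "_SYSTEMD_UNIT=nginx.service" ];
              labels = {
                # "syslog" routes the line through the syslog-logs parser,
                # which dispatches on program name. If `cscli metrics` shows
                # no hits for the nginx parser, change this to "nginx".
                type = "syslog";
              };
            }
            {
              # Feeds the crowdsecurity/sshd and crowdsecurity/linux scenarios
              # installed above, which previously had no acquisition at all.
              # Harmless if sshd is not enabled on this host (empty journal).
              source = "journalctl";
              journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
              labels = {
                type = "syslog";
              };
            }
          ];
        };
      };

      # fail2ban is force-disabled in favour of CrowdSec, so the jails below are
      # inert. They would not match anyway: nginx logs go to syslog, so
      # /var/log/nginx/*.log does not exist (hence skip_if_nologs). Kept only
      # to preserve the existing option values; safe to delete.
      fail2ban = {
        enable = lib.mkForce false;
        jails = {
          nginx-http-auth = ''
            enabled = true
            port = http,https
            logpath = /var/log/nginx/*.log
            skip_if_nologs = true
            backend = polling
            journalmatch =
          '';
          nginx-botsearch = ''
            enabled = true
            port = http,https
            logpath = /var/log/nginx/*.log
            skip_if_nologs = true
            backend = polling
            journalmatch =
          '';
          nginx-bad-request = ''
            enabled = true
            port = http,https
            logpath = /var/log/nginx/*.log
            skip_if_nologs = true
            backend = polling
            journalmatch =
          '';
        };
      };

      nginx = {
        enable = true;
        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;
        recommendedTlsSettings = true;
        # Global, pre-authentication request-body limit (~10 GiB) for every
        # vhost. Any unauthenticated client may push this much per request;
        # consider a small default here and a per-vhost override where needed.
        clientMaxBodySize = "10000m";
        # Overrides the cipher list recommendedTlsSettings would otherwise set.
        # In OpenSSL syntax this set still admits the CBC suites (e.g.
        # ECDHE-RSA-AES256-SHA) while dropping ChaCha20-Poly1305 and AES-128,
        # and it has no effect on TLS 1.3 suites. Removing the override and
        # keeping the module default is the safer option unless 256-bit-only
        # AES is a hard requirement.
        sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
        # NOTE: nginx `add_header` directives set here are inherited by a
        # server/location only if that level defines no add_header of its own;
        # an add_header in any vhost's extraConfig silently drops all of these.
        appendHttpConfig = ''
          # Add HSTS header with preloading to HTTPS requests.
          # Adding this header to HTTP requests is discouraged
          map $scheme $hsts_header {
            https "max-age=31536000; includeSubdomains; preload";
          }
          add_header Strict-Transport-Security $hsts_header;

          # Enable CSP for your services.
          #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
          # The CSP keyword must be quoted: an unquoted "self" is parsed as a
          # host named "self", so same-origin framing was only allowed where
          # *.le43.eu happened to match (never for the apex).
          add_header Content-Security-Policy "frame-ancestors 'self' *.le43.eu; upgrade-insecure-requests; frame-src 'self' http://office.le43.eu;";


          # Minimize information leaked to other domains
          add_header 'Referrer-Policy' 'origin-when-cross-origin';

          # Disable embedding as a frame
          #add_header X-Frame-Options SAMEORIGIN;

          # Prevent injection of code in other mime types (XSS Attacks)
          add_header X-Content-Type-Options nosniff;
          # Per-request in-memory body buffer: nginx keeps up to this much of a
          # request body in RAM before spooling to a temp file (default 8k/16k),
          # so N concurrent large uploads can pin N x 400 MiB of memory.
          client_body_buffer_size 400M;
        '';

        # SECURITY: workers run as a personal account instead of the dedicated
        # `nginx` user the module creates by default; a compromised worker then
        # acts with that account's files and permissions. Prefer the default
        # unless something specific requires this user.
        user = "tbarnouin";
        # Both logs go to the journal via syslog; CrowdSec reads them from
        # there (see the journalctl acquisition above).
        logError = "syslog:server=unix:/dev/log";
        commonHttpConfig = ''
          access_log syslog:server=unix:/dev/log;
        '';

        # All upstreams are plain HTTP on the LAN: the hop from this proxy to
        # each backend is unencrypted and trusts the LAN.
        virtualHosts = {
          # Apex only redirects to the SSO portal.
          "le43.eu" = {
            forceSSL = true;
            enableACME = true;
            globalRedirect = "authentik.le43.eu";
          };

          "logs.le43.eu" = {
            forceSSL = true;
            enableACME = true;
            locations."/" = {
              proxyPass = "http://192.168.1.27:3000";
              proxyWebsockets = true;
              recommendedProxySettings = true;
            };
          };

          "play.le43.eu" = {
            forceSSL = true;
            enableACME = true;
            locations."/" = {
              proxyPass = "http://192.168.1.42:8096";
              recommendedProxySettings = true;
            };
          };

          "requests.le43.eu" = {
            forceSSL = true;
            enableACME = true;
            locations."/" = {
              proxyPass = "http://192.168.1.125:5055";
              recommendedProxySettings = true;
            };
          };

          "vault.le43.eu" = {
            forceSSL = true;
            enableACME = true;
            locations."/" = {
              proxyPass = "http://192.168.1.125:8888";
              recommendedProxySettings = true;
            };
          };

          "cloud.le43.eu" = {
            forceSSL = true;
            enableACME = true;
            locations."/" = {
              proxyPass = "http://192.168.1.45";
              proxyWebsockets = true;
              recommendedProxySettings = true;
            };
          };

          "git.le43.eu" = {
            forceSSL = true;
            enableACME = true;
            locations."/" = {
              proxyPass = "http://192.168.1.14:3000";
              recommendedProxySettings = true;
              # Send the forge's local login page straight to the authentik
              # OAuth2 flow.
              extraConfig = ''
                rewrite ^/user/login$ /user/oauth2/authentik;
              '';
            };
          };

          "authentik.le43.eu" = {
            forceSSL = true;
            enableACME = true;
            locations."/" = {
              proxyPass = "http://192.168.1.125:9000";
              recommendedProxySettings = true;
              proxyWebsockets = true;
            };
          };

          "uptime.le43.eu" = {
            forceSSL = true;
            enableACME = true;
            locations."/" = {
              proxyPass = "http://192.168.1.90:3001";
              recommendedProxySettings = true;
              proxyWebsockets = true;
            };
          };
        };
      };
    };

    # Only the proxy ports are opened; the CrowdSec LAPI on 8080 stays behind
    # the firewall.
    networking.firewall.allowedTCPPorts = [80 443];
  };
}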