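# NixOS module for the host's web server: nginx with a catch-all default
# virtual host, fail2ban jails reading the nginx log files, ACME certificates
# for the domains listed in `local.web.ownedCerts`, and DH parameters.
{
  config,
  lib,
  ...
}:
let
  # Explicit imports instead of a file-wide `with lib;` so it is clear which
  # names come from lib and nothing in this module is shadowed by accident.
  inherit (lib) mkEnableOption mkOption mkIf mkDefault types listToAttrs genAttrs nameValuePair;
  cfg = config.local.web;
  inherit (config.local) domains;
in {
  options.local.web = {
    enable = mkEnableOption "web server";
    defaultACMEHost = mkOption {
      type = types.str;
      description = ''
        Name of the ACME certificate (an entry of `security.acme.certs`)
        used by the catch-all default virtual host.
      '';
    };
    ownedCerts = mkOption {
      type = types.listOf types.str;
      default = [];
      description = ''
        Keys into `config.local.domains`. For each entry an ACME certificate
        is requested for `domains.<name>.main` and `local.certs.<name>` is enabled.
      '';
    };
  };

  config = mkIf cfg.enable {
    services = {
      fail2ban.jails = {
        # https://discourse.nixos.org/t/fail2ban-with-nginx-and-authelia/31419
        nginx-botsearch.settings = {
          # Read the nginx log files instead of the journal.
          # TODO: move everything to systemd?
          backend = "pyinotify";
          logpath = "/var/log/nginx/*.log";
          # Cleared so the jail does not additionally match journal entries.
          journalmatch = "";
        };
        nginx-bad-request.settings = {
          backend = "pyinotify";
          logpath = "/var/log/nginx/*.log";
          journalmatch = "";
          maxretry = 10;
        };
      };
      nginx = {
        enable = true;
        recommendedGzipSettings = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;
        recommendedTlsSettings = true;
        # Error log kept on disk; the path falls under the fail2ban logpath
        # glob configured above.
        logError = "/var/log/nginx/error.log";
        # DH parameters are generated by security.dhparams (declared below).
        sslDhparam = config.security.dhparams.params.nginx.path;
        clientMaxBodySize = "42M";
        mapHashBucketSize = 128;
        # Catch-all server block: a request whose Host header matches no other
        # virtual host (or that addresses the bare IP) gets 403 rather than
        # being served by whichever vhost nginx would otherwise pick first.
        virtualHosts.default = {
          default = true;
          addSSL = true;
          useACMEHost = cfg.defaultACMEHost;
          locations."/".extraConfig = ''
            return 403;
          '';
        };
      };
    };
    # Enable the local cert entry for every owned certificate.
    local.certs = genAttrs cfg.ownedCerts (_: { enable = true; });
    networking.firewall.allowedTCPPorts = [80 443];
    security = {
      # One ACME certificate per owned domain, readable by nginx and
      # reloading it when renewed.
      acme.certs = listToAttrs (map
        (name: nameValuePair domains.${name}.main {
          group = mkDefault config.services.nginx.group;
          reloadServices = ["nginx.service"];
        })
        cfg.ownedCerts);
      dhparams.params.nginx = {};
    };
  };
}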