Merge branch 'reverseproxy-google' into 'main'

Reverseproxy google See merge request nounous/nixos!32
2025-09-15 21:43:58 +02:00 · 2025-09-15 21:43:58 +02:00 · 04bf4918ad
parent 6ba4c15870 9478602ba6
commit 04bf4918ad
2 changed files with 49 additions and 3 deletions
--- a/hosts/vm/reverseproxy/reverseproxy.nix
+++ b/hosts/vm/reverseproxy/reverseproxy.nix
@ -69,13 +69,26 @@ let

  antiBot = formatYAML.generate "antibot.yaml" [
    {
-      import = "${anubisBotsMirror}";
+      name = "whitelist-crans";
+      action = "ALLOW";
+      remote_addresses = [
+        "185.230.79.0/22"
+        "2a0c:700::/32"
+        "46.105.102.188/32"
+        "2001:41d0:2:d5bc::/128"
+      ];
    }
    {
      # On refuse les bots qui font souvent de la merde.
      # https://github.com/TecharoHQ/anubis/blob/main/data/bots/deny-pathological.yaml
      import = "(data)/bots/_deny-pathological.yaml";
    }
+    {
+      # allow google-inspection pour indexer les pages
+      name = "google-inspection-tool";
+      action = "ALLOW";
+      user_agent_regex = ".*Google-InspectionTool.*";
+    }
    {
      # On autorise les indexers des moteurs de recherche.
      # https://github.com/TecharoHQ/anubis/blob/main/data/crawlers/_allow-good.yaml
@ -190,8 +203,8 @@ in
          ];
        };
        "wiki" = {
-          anubisConfig = "${anubisChallenge}";
-          target = "[fd00::10:0:ff:fe01:6110]"; # l'ipv4 marche pas
+          ## anubisConfig = "${anubisChallenge}";
+          target = "172.16.10.161";
          serverAliases = [
            "wikipedia"
          ];
--- a/modules/services/reverseproxy.nix
+++ b/modules/services/reverseproxy.nix
@ -20,6 +20,16 @@ let
    ];
  };

+  open_graph = formatJSON.generate "opengraph.json" {
+    openGraph = [
+      {
+        enabled = true;
+        considerHost = true;
+        ttl = "24h";
+      }
+    ];
+  };
+
  mainTld = "org";
  otherTld = [
    "fr"
@ -73,6 +83,14 @@ in
              example = "/var/www/anubis.conf";
            };

+            anubisOpenGraph = mkOption {
+              type = types.bool;
+              default = true;
+              description = ''
+                Activer openGraph pour l'indexation et l'embedding
+              '';
+            };
+
            httpOnly = mkOption {
              type = types.bool;
              default = false;
@ -128,6 +146,11 @@ in
            COOKIE_DOMAIN = "crans.org";
            REDIRECT_DOMAINS = "${vhostName}.crans.org";
            SOCKET_MODE = "0660";
+            # OpenGraph config
+            OG_PASSTHROUGH = vhostConfig.anubisOpenGraph;
+            OG_EXPIRY_TIME = "24h";
+            OG_CACHE_CONSIDER_HOST = true;
+            # Policy config
            POLICY_FNAME = if (vhostConfig.anubisConfig == "") then "${allowAll}" else vhostConfig.anubisConfig;
          };
        }) cfg.virtualHosts;
@ -147,6 +170,11 @@ in
                proxyWebsockets = vhostConfig.proxyWebsockets;
              };
              serverName = "${vhostName}.crans.${mainTld}";
+              extraConfig = "
+                set_real_ip_from 172.16.0.0/16;
+                set_real_ip_from fd00::/56;
+                real_ip_header X-Real-Ip;
+              ";
            }
          ) cfg.virtualHosts;

@ -165,6 +193,11 @@ in
            listen = [
              { addr = "unix:/run/nginx/nginx-${vhostName}.sock"; }
            ];
+            serverName = "${vhostName}.crans.${mainTld}";
+            extraConfig = "
+              set_real_ip_from unix:;
+              real_ip_header X-Real-IP;
+            ";
          }) cfg.virtualHosts;

          # Configuration des alias .fr et .eu