Nettoyage de la configuration et du module reverseproxy

main^2
RatCornu 2025-08-03 15:35:31 +02:00
parent eb806aa9fb
commit 0a54a27b78
No known key found for this signature in database
GPG Key ID: B3BE02E379E6E8E2
2 changed files with 203 additions and 216 deletions


@ -1,154 +1,141 @@
{ pkgs, ... }: { pkgs, ... }:
let let
anubisBotsMirror = pkgs.writeText "anubis_bots_mirror.yaml" formatJSON = pkgs.formats.json { };
'' formatYAML = pkgs.formats.yaml { };
- name: whitelist-crans
action: ALLOW
remote_addresses:
- 185.230.79.0/22
- 2a0c:700::/32
- 46.105.102.188/32
- 2001:41d0:2:d5bc::/128
- name: no-user-agent-string anubisBotsMirror = formatYAML.generate "anubis_bots_mirror.yaml" [
action: DENY {
expression: userAgent == "" name = "whitelist-crans";
action = "ALLOW";
remote_addresses = [
"185.230.79.0/22"
"2a0c:700::/32"
"46.105.102.188/32"
"2001:41d0:2:d5bc::/128"
];
}
{
name = "no-user-agent";
action = "DENY";
expression = "userAgent == \"\"";
}
{
name = "ban-gpt";
action = "DENY";
user_agent_regex = ".*gpt.*";
}
{
name = "ban-bot";
action = "DENY";
user_agent_regex = ".*(b|B)ot.*";
}
{
name = "ban-WebKit";
action = "DENY";
expression = {
all = [
"userAgent.startsWith(\"Mozilla\")"
"userAgent.startsWith(\"AppleWebKit\")"
"userAgent.startsWith(\"Safari\")"
"userAgent.startsWith(\"Chrome\")"
];
};
}
{
name = "ban-Barkrowler";
action = "DENY";
user_agent_regex = ".*Barkrowler.*";
}
];
- name: ban-gpt anubisMirror = formatJSON.generate "anubis_mirror.json" {
user_agent_regex: ".*gpt.*" bots = [
action: DENY
- name: ban-bot
user_agent_regex: ".*(b|B)ot.*"
action: DENY
- name: ban-WebKit
action: DENY
expression:
all:
- userAgent.startsWith("Mozilla")
- userAgent.matches("AppleWebKit")
- userAgent.matches("Safari")
- userAgent.matches("Chrome")
- name: ban-Barkrowler
user_agent_regex: ".*Barkrowler.*"
action: DENY
'';
anubisMirror = pkgs.writeText "anubis_mirror.json"
''
{ {
"bots": [ import = "${anubisBotsMirror}";
{
"import": "${anubisBotsMirror}"
},
{
"name": "allow-repo",
"path_regex": "^...*",
"action": "ALLOW"
},
{
"name": "deny-other",
"path_regex": ".*",
"action": "ALLOW"
}
]
} }
''; {
antibot = pkgs.writeText "antibot.yaml" name = "allow-repo";
'' action = "ALLOW";
- name: whitelist-crans path_regex = "^...*";
action: ALLOW }
remote_addresses: {
- 185.230.79.0/22 name = "deny-other";
- 2a0c:700::/32 path_regex = ".*";
- 46.105.102.188/32 action = "ALLOW";
- 2001:41d0:2:d5bc::/128 }
];
};
# les bots qui font souvent de la merde antiBot = formatYAML.generate "antibot.yaml" [
{
import = "${anubisBotsMirror}";
}
{
# On refuse les bots qui font souvent de la merde.
# https://github.com/TecharoHQ/anubis/blob/main/data/bots/deny-pathological.yaml # https://github.com/TecharoHQ/anubis/blob/main/data/bots/deny-pathological.yaml
- import: (data)/bots/_deny-pathological.yaml import = "(data)/bots/_deny-pathological.yaml";
}
# on authorise les indexers des moteurs de recherche, liste dispo ici : {
# On autorise les indexers des moteurs de recherche.
# https://github.com/TecharoHQ/anubis/blob/main/data/crawlers/_allow-good.yaml # https://github.com/TecharoHQ/anubis/blob/main/data/crawlers/_allow-good.yaml
- import: (data)/crawlers/_allow-good.yaml import = "(data)/crawlers/_allow-good.yaml";
}
# authorise l'accès à favicon, robots.txt, well-known {
# On autorise l'accès à favicon, robots.txt, well-known, ...
# https://github.com/TecharoHQ/anubis/blob/main/data/common/keep-internet-working.yaml # https://github.com/TecharoHQ/anubis/blob/main/data/common/keep-internet-working.yaml
- import: (data)/common/keep-internet-working.yaml import = "(data)/common/keep-internet-working.yaml";
}
# refuse si userAgent = "" {
# On refuse si userAgent = ""
# https://github.com/TecharoHQ/anubis/blob/main/data/common/keep-internet-working.yaml # https://github.com/TecharoHQ/anubis/blob/main/data/common/keep-internet-working.yaml
- import: (data)/common/rfc-violations.yaml import = "(data)/common/rfc-violations.yaml";
}
{
# Bloque les AI aggressivement (bots/agent, training et user search par IA) # On bloque les AI aggressivement (bots/agent, training et user search par IA)
# https://github.com/TecharoHQ/anubis/blob/main/data/meta/ai-block-aggressive.yaml # https://github.com/TecharoHQ/anubis/blob/main/data/meta/ai-block-aggressive.yaml
- import: (data)/meta/ai-block-aggressive.yaml import = "(data)/meta/ai-block-aggressive.yaml";
}
];
- name: ban-gpt anubisChallenge = formatJSON.generate "anubis_challenge.json" {
user_agent_regex: ".*gpt.*" "bots" = [
action: DENY
- name: ban-bot
user_agent_regex: ".*(b|B)ot.*"
action: DENY
- name: ban-WebKit
action: CHALLENGE
expression:
all:
- userAgent.startsWith("Mozilla")
- userAgent.matches("AppleWebKit")
- userAgent.matches("Safari")
- userAgent.matches("Chrome")
- name: ban-Barkrowler
user_agent_regex: ".*Barkrowler.*"
action: DENY
'';
anubisChallenge = pkgs.writeText "anubis_challenge.json"
''
{ {
"bots": [ import = "${antiBot}";
{
"import": "${antibot}"
},
{
"name": "challenge-other",
"path_regex": "^*",
"action": "CHALLENGE"
}
]
} }
'';
anubisMirrors = pkgs.writeText "anubis_mirrors.json"
''
{ {
"bots": [ name = "challenge-other";
{ path_regex = "^*";
"import": "${antibot}" action = "CHALLENGE";
}, }
{ ];
"name": "deny-other", };
"path_regex": ".*cdimage-.*",
"action": "ALLOW" anubisMirrors = formatJSON.generate "anubis_mirrors.json" {
}, "bots" = [
{ {
"name": "allow-repo", import = "${antiBot}";
"path_regex": "^...*", }
"action": "ALLOW" {
}, name = "deny-other";
{ path_regex = ".*cdimage-.*";
"name": "deny-other", action = "ALLOW";
"path_regex": ".*", }
"action": "CHALLENGE" {
} name = "allow-repo";
] path_regex = "^...*";
} action = "ALLOW";
''; }
in { {
name = "deny-other";
path_regex = ".*";
action = "CHALLENGE";
}
];
};
in
{
crans = { crans = {
reverseProxy = { reverseProxy = {
enable = true; enable = true;


@ -1,30 +1,36 @@
{ pkgs, lib, config, ... }: {
pkgs,
lib,
config,
...
}:
let let
cfg = config.crans.reverseProxy; cfg = config.crans.reverseProxy;
allowAll = pkgs.writeText "allow_all.json" formatJSON = pkgs.formats.json { };
''
allowAll = formatJSON.generate "allow_all.json" {
bots = [
{ {
"bots": [ name = "allow_all";
{ path_regex = ".*";
"name": "allow_all", action = "ALLOW";
"path_regex": ".*",
"action": "ALLOW"
}
]
} }
''; ];
};
mainTld = "org";
otherTld = [
"fr"
"eu"
];
inherit (lib) inherit (lib)
cartesianProduct
literalExpression literalExpression
mapAttrs
mapAttrs'
mkEnableOption mkEnableOption
mkIf mkIf
mkOption mkOption
nameValuePair
substring
types types
; ;
in in
@ -87,7 +93,9 @@ in
}; };
} }
); );
default = {};
default = { };
example = literalExpression '' example = literalExpression ''
{ {
"framadate" = { "framadate" = {
@ -104,76 +112,33 @@ in
}; };
config = { config = {
systemd.services = mapAttrs ( systemd.services = lib.mapAttrs (vhostName: vhostConfig: {
vhostName: vhostConfig: { wantedBy = [ "multi-user.target" ];
wantedBy = [ "multi-user.target" ]; }) cfg.virtualHosts;
}
) cfg.virtualHosts;
services = mkIf cfg.enable { services = mkIf cfg.enable {
anubis = { anubis = {
defaultOptions.group = "nginx"; defaultOptions.group = "nginx";
instances = mapAttrs ( instances = lib.mapAttrs (vhostName: vhostConfig: {
vhostName: vhostConfig: { enable = true;
enable = true; settings = {
settings = { BIND = "/run/anubis/anubis-${vhostName}.sock";
BIND = "/run/anubis/anubis-${vhostName}.sock"; BIND_NETWORK = "unix";
BIND_NETWORK = "unix"; TARGET = "unix:///run/nginx/nginx-${vhostName}.sock";
TARGET = "unix:///run/nginx/nginx-${vhostName}.sock"; COOKIE_DOMAIN = "crans.org";
COOKIE_DOMAIN = "crans.org"; REDIRECT_DOMAINS = "${vhostName}.crans.org";
REDIRECT_DOMAINS = "${vhostName}.crans.org"; SOCKET_MODE = "0660";
SOCKET_MODE = "0660"; POLICY_FNAME = if (vhostConfig.anubisConfig == "") then "${allowAll}" else vhostConfig.anubisConfig;
POLICY_FNAME = };
if (vhostConfig.anubisConfig == "") }) cfg.virtualHosts;
then allowAll
else vhostConfig.anubisConfig;
};
}
) cfg.virtualHosts;
}; };
nginx = nginx =
let let
domaines = [ # Configuration du serveur principal.
"crans.org" mainConfig = lib.mapAttrs' (
"crans.fr" vhostName: vhostConfig:
"crans.eu" lib.nameValuePair (vhostName + "-anubis") {
];
redirectConfig = mapAttrs (
vhostName: vhostConfig: {
locations = mkIf ((substring 0 1 vhostConfig.target) != "/") {
"/favicon.ico".root = "/var/www/logo/";
"/" = {
proxyPass = "http://${vhostConfig.target}";
proxyWebsockets = vhostConfig.proxyWebsockets;
};
};
root = mkIf ((substring 0 1 vhostConfig.target) == "/") vhostConfig.target;
listen = [
{ addr = "unix:/run/nginx/nginx-${vhostName}.sock"; }
];
}
) cfg.virtualHosts;
aliasConfig = mapAttrs' (
vhostName: vhostConfig: nameValuePair (vhostName + "-alias") {
enableACME = !vhostConfig.httpOnly;
forceSSL = !vhostConfig.httpOnly;
rejectSSL = vhostConfig.httpOnly;
serverName = "${vhostName}.crans.fr";
serverAliases = let
aliases = cartesianProduct {
name = vhostConfig.serverAliases;
domaine = domaines;
};
in [
"${vhostName}.crans.eu"
] ++ map (value: value.name + "." + value.domaine) aliases;
globalRedirect = "${vhostName}.crans.org";
# locations."/".proxyWebsockets = vhostConfig.proxyWebsockets;
}
) cfg.virtualHosts;
anubisConfig = mapAttrs' (
vhostName: vhostConfig: nameValuePair (vhostName + "-anubis") {
enableACME = !vhostConfig.httpOnly; enableACME = !vhostConfig.httpOnly;
forceSSL = !vhostConfig.httpOnly; forceSSL = !vhostConfig.httpOnly;
rejectSSL = vhostConfig.httpOnly; rejectSSL = vhostConfig.httpOnly;
@ -181,12 +146,47 @@ in
proxyPass = "http://unix:/run/anubis/anubis-${vhostName}.sock"; proxyPass = "http://unix:/run/anubis/anubis-${vhostName}.sock";
proxyWebsockets = vhostConfig.proxyWebsockets; proxyWebsockets = vhostConfig.proxyWebsockets;
}; };
serverName = "${vhostName}.crans.org"; serverName = "${vhostName}.crans.${mainTld}";
} }
) cfg.virtualHosts; ) cfg.virtualHosts;
in {
# Redirections
redirectConfig = lib.mapAttrs (vhostName: vhostConfig: {
# Redirection vers d'autres machines
locations = mkIf (!lib.strings.hasPrefix "/" vhostConfig.target) {
"/favicon.ico".root = "/var/www/logo/";
"/" = {
proxyPass = "http://${vhostConfig.target}";
proxyWebsockets = vhostConfig.proxyWebsockets;
};
};
# Redirection vers des fichiers locaux
root = mkIf (lib.strings.hasPrefix "/" vhostConfig.target) vhostConfig.target;
listen = [
{ addr = "unix:/run/nginx/nginx-${vhostName}.sock"; }
];
}) cfg.virtualHosts;
# Configuration des alias .fr et .eu
aliasConfig = lib.fold (
tld: acc:
acc
// lib.mapAttrs' (
vhostName: vhostConfig:
lib.nameValuePair "${vhostName}-alias-${tld}" rec {
rejectSSL = vhostConfig.httpOnly;
forceSSL = !rejectSSL;
enableACME = !rejectSSL;
serverName = "${vhostName}.crans.${tld}";
serverAliases = map (name: "${name}.crans.${tld}") vhostConfig.serverAliases;
globalRedirect = "${vhostName}.crans.${mainTld}";
}
) cfg.virtualHosts
) { } otherTld;
in
{
enable = true; enable = true;
virtualHosts = redirectConfig // aliasConfig // anubisConfig; virtualHosts = redirectConfig // aliasConfig // mainConfig;
}; };
}; };
}; };
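Review bot: mainTld is applied to serverName in the last hunk but not to the anubis instance settings in the `@ -104,76 +112,33` hunk, where `COOKIE_DOMAIN = "crans.org";` and `REDIRECT_DOMAINS = "${vhostName}.crans.org";` stay hardcoded, so changing the constant would leave the cookie domain and redirect allow-list out of step with the vhost they protect. Suggest `COOKIE_DOMAIN = "crans.${mainTld}";` and `REDIRECT_DOMAINS = "${vhostName}.crans.${mainTld}";`. The new code also mixes the inherited `mkIf` with fully qualified `lib.mapAttrs`, `lib.mapAttrs'` and `lib.nameValuePair` after those names were dropped from the inherit list; either form works, but one convention per file reads better. mainConfig's vhost body starts in the `@ -104,76 +112,33` hunk and ends in the last one, so its serverAliases are not fully visible here.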