diff --git a/hosts/vm/reverseproxy/default.nix b/hosts/vm/reverseproxy/default.nix index b6958fc..4ab3dca 100644 --- a/hosts/vm/reverseproxy/default.nix +++ b/hosts/vm/reverseproxy/default.nix @@ -1,6 +1,61 @@ { pkgs, ... }: let + anubisBotsMirror = pkgs.writeText "anubis_bots_mirror.yaml" + '' + - name: whitelist-crans + action: ALLOW + remote_addresses: + - 185.230.79.0/22 + - 2a0c:700::/32 + - 46.105.102.188/32 + - 2001:41d0:2:d5bc::/128 + + - name: no-user-agent-string + action: DENY + expression: userAgent == "" + + - name: ban-gpt + user_agent_regex: ".*gpt.*" + action: DENY + + - name: ban-bot + user_agent_regex: ".*(b|B)ot.*" + action: DENY + + - name: ban-WebKit + action: DENY + expression: + all: + - userAgent.startsWith("Mozilla") + - userAgent.matches("AppleWebKit") + - userAgent.matches("Safari") + - userAgent.matches("Chrome") + + - name: ban-Barkrowler + user_agent_regex: ".*Barkrowler.*" + action: DENY + ''; + anubisMirror = pkgs.writeText "anubis_mirror.json" + '' + { + "bots": [ + { + "import": "${anubisBotsMirror}" + }, + { + "name": "allow-repo", + "path_regex": "^...*", + "action": "ALLOW" + }, + { + "name": "deny-other", + "path_regex": ".*", + "action": "ALLOW" + } + ] + } + ''; antibot = pkgs.writeText "antibot.yaml" '' - name: whitelist-crans @@ -79,11 +134,6 @@ let in { imports = [ ./hardware-configuration.nix - ./networking.nix - - ./anubis.nix - ./reverseproxy.nix - ]; networking.hostName = "reverseproxy"; @@ -134,6 +184,11 @@ in { anubisConfig = "${anubisMirrors}"; target = "172.16.10.104"; }; + "mirror" = { + anubisConfig = "${anubisMirror}"; + httpOnly = true; + target = "172.16.10.104"; + }; "perso" = { anubisConfig = "${anubisChallenge}"; target = "172.16.10.31"; diff --git a/hosts/vm/reverseproxy/networking.nix b/hosts/vm/reverseproxy/networking.nix deleted file mode 100644 index 76fbcf3..0000000 --- a/hosts/vm/reverseproxy/networking.nix +++ /dev/null 
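Review bot: The last rule of `anubis_mirror.json` is named `deny-other` but carries `"action": "ALLOW"`, so its name and its effect contradict each other; if the intent is to let through everything the imported DENY rules did not catch (rules are matched top to bottom, so the denies from `anubis_bots_mirror.yaml` still apply), rename it, and note that `allow-repo` with `"path_regex": "^...*"` (any path of at least two characters) then does nothing, while if DENY was intended the mirror would serve nothing at all because `allow-repo` already matches every path. The `whitelist-crans` block in `anubis_bots_mirror.yaml` also repeats the one the hunk's context shows at the top of `antibot.yaml`; keeping the CRANS address list in a single file imported by both policies avoids the two drifting apart. Finally, `ban-WebKit` denies any User-Agent containing Mozilla, AppleWebKit, Chrome and Safari, which is every Chromium-based browser, so human visitors to the mirror get a hard DENY rather than a challenge — presumably deliberate for a package mirror, but a one-line comment on the rule saying so would save the next reader from "fixing" it.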
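Review bot: `httpOnly = true` on the new `"mirror"` entry does more than keep plain-HTTP clients working: through the module it also sets `rejectSSL`, so any client that tries `https://mirror.crans.org` gets a TLS handshake failure instead of a fallback, and everything Anubis decides for this host (and any cookie it may set if a CHALLENGE rule is ever added to `anubisMirror`) travels in clear. If the goal is only that apt/wget/curl can use `http://`, serving both schemes rather than refusing TLS is the safer default; if refusing TLS is intentional, a comment on the entry such as `# plain HTTP only: package managers fetch over http and verify signatures themselves` would record why.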
@@ -1,67 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces = { - ens18 = { - ipv4 = { - addresses = [{ - address = "172.16.10.151"; - prefixLength = 24; - }]; - }; - - ipv6 = { - addresses = [{ - address = "fd00::10:0:ff:fe01:5110"; - prefixLength = 64; - }]; - }; - }; - - ens19 = { - ipv4 = { - addresses = [{ - address = "172.16.3.151"; - prefixLength = 24; - }]; - }; - - ipv6 = { - addresses = [{ - address = "2a0c:700:3::ff:fe01:5103"; - prefixLength = 64; - }]; - }; - - }; - - ens20 = { - ipv4 = { - addresses = [{ - address = "185.230.79.42"; - prefixLength = 26; - }]; - routes = [{ - address = "0.0.0.0"; - via = "185.230.79.62"; - prefixLength = 0; - }]; - }; - - ipv6 = { - addresses = [{ - address = "2a0c:700:2::ff:fe01:5102"; - prefixLength = 64; - }]; - routes = [{ - address = "::"; - via = "2a0c:700:2::ff:fe00:9902"; - prefixLength = 0; - }]; - }; - - }; - }; - }; -} diff --git a/hosts/vm/reverseproxy/reverseproxy.nix b/hosts/vm/reverseproxy/reverseproxy.nix deleted file mode 100644 index 067687b..0000000 --- a/hosts/vm/reverseproxy/reverseproxy.nix +++ /dev/null 
@@ -1,53 +0,0 @@ -{ config, ... }: - -{ - services.nginx.virtualHosts = { - # redirection eclat - "eclat.crans.fr" = { - rejectSSL = true; - serverAliases = [ - "eclat.crans.eu" - ]; - extraConfig = '' - return 301 http://eclat.crans.org$request_uri; - ''; - }; - - # redirection mirror - "mirror.crans.fr" = { - rejectSSL = true; - serverAliases = [ - "mirror.crans.eu" - ]; - extraConfig = '' - return 301 http://mirror.crans.org$request_uri; - ''; - }; - - # redirection anubis mirrors - "anubis-mirror" = { - rejectSSL = true; - locations."/" = { - proxyPass = "http://${config.services.anubis.instances."mirror".settings.BIND}"; - }; - serverName = "mirror.crans.org"; - serverAliases = [ - "eclat.crans.org" - ]; - }; - - # mirror - "mirror.crans.org" = { - locations."/".proxyPass = "http://172.16.10.104"; - listen = [ - { - addr = "localhost"; - port = 8890; - } - ]; - serverAliases = [ - "eclat.crans.org" - ]; - }; - }; -} diff --git a/modules/services/reverseproxy.nix b/modules/services/reverseproxy.nix index 6bc96e8..75ac606 100644 --- a/modules/services/reverseproxy.nix +++ b/modules/services/reverseproxy.nix @@ -66,6 +66,15 @@ in ''; example = "/var/www/anubis.conf"; }; + + httpOnly = mkOption { + type = types.bool; + default = false; + description = '' + Interdit les connexions en ssh + ''; + example = "true"; + }; }; } ); @@ -90,10 +99,12 @@ in vhostName: vhostConfig: { enable = true; settings = { + BIND = "/run/anubis/anubis-${vhostName}.sock"; BIND_NETWORK = "unix"; - TARGET = "unix:/run/nginx/nginx-${vhostName}.sock"; + TARGET = "unix:///run/nginx/nginx-${vhostName}.sock"; COOKIE_DOMAIN = "crans.org"; REDIRECT_DOMAINS = "${vhostName}.crans.org"; + SOCKET_MODE = "0666"; POLICY_FNAME = if (vhostConfig.anubisConfig == "") then allowAll 
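Review bot: The description of the new `httpOnly` option, `Interdit les connexions en ssh`, says it forbids SSH, which is not what the option does: in the module it turns off `enableACME`/`forceSSL` and sets `rejectSSL` on the generated vhosts. Suggest `description = "Serve this vhost over plain HTTP only: no ACME certificate is requested and TLS handshakes on port 443 are rejected.";` and, since the type is `types.bool`, `example = true;` rather than the string `"true"`, which renders misleadingly in the generated option docs.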
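Review bot: `SOCKET_MODE = "0666"` makes every Anubis listening socket under `/run/anubis/` world-writable, so any local user or service on the proxy VM can talk to Anubis directly and, through its `TARGET`, reach the per-vhost nginx backend socket while skipping the public-facing vhost (TLS termination, access logging, any rules set there). Only nginx needs to connect; `SOCKET_MODE = "0660"` with nginx added to the Anubis instance's group (the NixOS anubis module exposes a per-instance `group`, I believe, and nginx can be given `extraGroups`) keeps the same behaviour without opening the socket to everyone. The same question applies to `/run/nginx/nginx-${vhostName}.sock`, whose permissions this hunk does not set.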
@@ -122,8 +133,9 @@ in ) cfg.virtualHosts; aliasConfig = mapAttrs' ( vhostName: vhostConfig: nameValuePair (vhostName + "-alias") { - enableACME = true; - forceSSL = true; + enableACME = !vhostConfig.httpOnly; + forceSSL = !vhostConfig.httpOnly; + rejectSSL = vhostConfig.httpOnly; serverName = "${vhostName}.crans.fr"; serverAliases = let aliases = cartesianProduct { @@ -133,16 +145,15 @@ in in [ "${vhostName}.crans.eu" ] ++ map (value: value.name + "." + value.domaine) aliases; - extraConfig = '' - return 301 https://${vhostName}.crans.org$request_uri; - ''; + globalRedirect = "${vhostName}.crans.org"; } ) cfg.virtualHosts; anubisConfig = mapAttrs' ( vhostName: vhostConfig: nameValuePair (vhostName + "-anubis") { - enableACME = true; - forceSSL = true; - locations."/".proxyPass = "unix:/run/anubis/anubis-${vhostName}.sock"; + enableACME = !vhostConfig.httpOnly; + forceSSL = !vhostConfig.httpOnly; + rejectSSL = vhostConfig.httpOnly; + locations."/".proxyPass = "http://unix:/run/anubis/anubis-${vhostName}.sock"; serverName = "${vhostName}.crans.org"; } ) cfg.virtualHosts;
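Review bot: The triple `enableACME = !vhostConfig.httpOnly; forceSSL = !vhostConfig.httpOnly; rejectSSL = vhostConfig.httpOnly;` is now written out identically in `aliasConfig` and again in `anubisConfig`, and a third copy will appear as soon as another generated vhost needs it. A small helper in the `let` block, `tlsFor = vhostConfig: { enableACME = !vhostConfig.httpOnly; forceSSL = !vhostConfig.httpOnly; rejectSSL = vhostConfig.httpOnly; };`, merged with `// tlsFor vhostConfig` in each attrset, keeps the two in lockstep. The switch from `extraConfig` with a hard-coded `https://` to `globalRedirect` is a good fit here, since nginx picks `http`/`https` for the redirect from the vhost's own TLS settings; the enclosing `let` continues outside the hunk.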
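Review bot: The Anubis vhost's `locations."/".proxyPass` now correctly carries the `http://` scheme, but the location sets no proxy headers and nothing in the hunk enables `recommendedProxySettings`; over a unix socket Anubis sees no peer address, so the `remote_addresses` whitelists in the policies (185.230.79.0/22 and friends) can only match if nginx forwards the real client IP. Unless that is enabled globally elsewhere in the module, add `recommendedProxySettings = true;` next to `proxyPass` (or at least `extraConfig = "proxy_set_header X-Real-IP $remote_addr;"`) so the ALLOW-by-source rules actually fire. The enclosing `let` continues outside the hunk.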