Correction syntaxe et ajout de la gestion du http

merge-requests/18/head
korenstin 2025-06-28 09:30:13 +02:00
parent 1482d764ae
commit 1fe25c1b5f
4 changed files with 80 additions and 134 deletions


@ -1,6 +1,61 @@
{ pkgs, ... }: { pkgs, ... }:
let let
anubisBotsMirror = pkgs.writeText "anubis_bots_mirror.yaml"
''
- name: whitelist-crans
action: ALLOW
remote_addresses:
- 185.230.79.0/22
- 2a0c:700::/32
- 46.105.102.188/32
- 2001:41d0:2:d5bc::/128
- name: no-user-agent-string
action: DENY
expression: userAgent == ""
- name: ban-gpt
user_agent_regex: ".*gpt.*"
action: DENY
- name: ban-bot
user_agent_regex: ".*(b|B)ot.*"
action: DENY
- name: ban-WebKit
action: DENY
expression:
all:
- userAgent.startsWith("Mozilla")
- userAgent.matches("AppleWebKit")
- userAgent.matches("Safari")
- userAgent.matches("Chrome")
- name: ban-Barkrowler
user_agent_regex: ".*Barkrowler.*"
action: DENY
'';
anubisMirror = pkgs.writeText "anubis_mirror.json"
''
{
"bots": [
{
"import": "${anubisBotsMirror}"
},
{
"name": "allow-repo",
"path_regex": "^...*",
"action": "ALLOW"
},
{
"name": "deny-other",
"path_regex": ".*",
"action": "ALLOW"
}
]
}
'';
antibot = pkgs.writeText "antibot.yaml" antibot = pkgs.writeText "antibot.yaml"
'' ''
- name: whitelist-crans - name: whitelist-crans
@ -79,11 +134,6 @@ let
in { in {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./networking.nix
./anubis.nix
./reverseproxy.nix
]; ];
networking.hostName = "reverseproxy"; networking.hostName = "reverseproxy";
@ -134,6 +184,11 @@ in {
anubisConfig = "${anubisMirrors}"; anubisConfig = "${anubisMirrors}";
target = "172.16.10.104"; target = "172.16.10.104";
}; };
"mirror" = {
anubisConfig = "${anubisMirror}";
httpOnly = true;
target = "172.16.10.104";
};
"perso" = { "perso" = {
anubisConfig = "${anubisChallenge}"; anubisConfig = "${anubisChallenge}";
target = "172.16.10.31"; target = "172.16.10.31";
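Review bot: The new `deny-other` rule in `anubisMirror` carries `"action": "ALLOW"`, so its name and its effect disagree: any request not matched by the imported bot rules or by `allow-repo` is allowed, not denied. If a default-deny is intended the line should read `"action": "DENY"`; if a catch-all allow is intended the rule should be renamed so the policy reads the way it behaves. `allow-repo`'s `"path_regex": "^...*"` also appears to be a regex matching any path of two or more characters rather than a literal `..`, which makes it a second catch-all — a short comment stating the intended path set would help the next reader. The section's second hunk drops `./networking.nix` from `imports` while this commit deletes that file; unless the static interface addresses are defined elsewhere the host loses them, which is worth confirming before merge.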


@ -1,67 +0,0 @@
{ ... }:
{
networking = {
interfaces = {
ens18 = {
ipv4 = {
addresses = [{
address = "172.16.10.151";
prefixLength = 24;
}];
};
ipv6 = {
addresses = [{
address = "fd00::10:0:ff:fe01:5110";
prefixLength = 64;
}];
};
};
ens19 = {
ipv4 = {
addresses = [{
address = "172.16.3.151";
prefixLength = 24;
}];
};
ipv6 = {
addresses = [{
address = "2a0c:700:3::ff:fe01:5103";
prefixLength = 64;
}];
};
};
ens20 = {
ipv4 = {
addresses = [{
address = "185.230.79.42";
prefixLength = 26;
}];
routes = [{
address = "0.0.0.0";
via = "185.230.79.62";
prefixLength = 0;
}];
};
ipv6 = {
addresses = [{
address = "2a0c:700:2::ff:fe01:5102";
prefixLength = 64;
}];
routes = [{
address = "::";
via = "2a0c:700:2::ff:fe00:9902";
prefixLength = 0;
}];
};
};
};
};
}


@ -1,53 +0,0 @@
{ config, ... }:
{
services.nginx.virtualHosts = {
# redirection eclat
"eclat.crans.fr" = {
rejectSSL = true;
serverAliases = [
"eclat.crans.eu"
];
extraConfig = ''
return 301 http://eclat.crans.org$request_uri;
'';
};
# redirection mirror
"mirror.crans.fr" = {
rejectSSL = true;
serverAliases = [
"mirror.crans.eu"
];
extraConfig = ''
return 301 http://mirror.crans.org$request_uri;
'';
};
# redirection anubis mirrors
"anubis-mirror" = {
rejectSSL = true;
locations."/" = {
proxyPass = "http://${config.services.anubis.instances."mirror".settings.BIND}";
};
serverName = "mirror.crans.org";
serverAliases = [
"eclat.crans.org"
];
};
# mirror
"mirror.crans.org" = {
locations."/".proxyPass = "http://172.16.10.104";
listen = [
{
addr = "localhost";
port = 8890;
}
];
serverAliases = [
"eclat.crans.org"
];
};
};
}


@ -66,6 +66,15 @@ in
''; '';
example = "/var/www/anubis.conf"; example = "/var/www/anubis.conf";
}; };
httpOnly = mkOption {
type = types.bool;
default = false;
description = ''
Interdit les connexions en ssh
'';
example = "true";
};
}; };
} }
); );
@ -90,10 +99,12 @@ in
vhostName: vhostConfig: { vhostName: vhostConfig: {
enable = true; enable = true;
settings = { settings = {
BIND = "/run/anubis/anubis-${vhostName}.sock";
BIND_NETWORK = "unix"; BIND_NETWORK = "unix";
TARGET = "unix:/run/nginx/nginx-${vhostName}.sock"; TARGET = "unix:///run/nginx/nginx-${vhostName}.sock";
COOKIE_DOMAIN = "crans.org"; COOKIE_DOMAIN = "crans.org";
REDIRECT_DOMAINS = "${vhostName}.crans.org"; REDIRECT_DOMAINS = "${vhostName}.crans.org";
SOCKET_MODE = "0666";
POLICY_FNAME = POLICY_FNAME =
if (vhostConfig.anubisConfig == "") if (vhostConfig.anubisConfig == "")
then allowAll then allowAll
@ -122,8 +133,9 @@ in
) cfg.virtualHosts; ) cfg.virtualHosts;
aliasConfig = mapAttrs' ( aliasConfig = mapAttrs' (
vhostName: vhostConfig: nameValuePair (vhostName + "-alias") { vhostName: vhostConfig: nameValuePair (vhostName + "-alias") {
enableACME = true; enableACME = !vhostConfig.httpOnly;
forceSSL = true; forceSSL = !vhostConfig.httpOnly;
rejectSSL = vhostConfig.httpOnly;
serverName = "${vhostName}.crans.fr"; serverName = "${vhostName}.crans.fr";
serverAliases = let serverAliases = let
aliases = cartesianProduct { aliases = cartesianProduct {
@ -133,16 +145,15 @@ in
in [ in [
"${vhostName}.crans.eu" "${vhostName}.crans.eu"
] ++ map (value: value.name + "." + value.domaine) aliases; ] ++ map (value: value.name + "." + value.domaine) aliases;
extraConfig = '' globalRedirect = "${vhostName}.crans.org";
return 301 https://${vhostName}.crans.org$request_uri;
'';
} }
) cfg.virtualHosts; ) cfg.virtualHosts;
anubisConfig = mapAttrs' ( anubisConfig = mapAttrs' (
vhostName: vhostConfig: nameValuePair (vhostName + "-anubis") { vhostName: vhostConfig: nameValuePair (vhostName + "-anubis") {
enableACME = true; enableACME = !vhostConfig.httpOnly;
forceSSL = true; forceSSL = !vhostConfig.httpOnly;
locations."/".proxyPass = "unix:/run/anubis/anubis-${vhostName}.sock"; rejectSSL = vhostConfig.httpOnly;
locations."/".proxyPass = "http://unix:/run/anubis/anubis-${vhostName}.sock";
serverName = "${vhostName}.crans.org"; serverName = "${vhostName}.crans.org";
} }
) cfg.virtualHosts; ) cfg.virtualHosts;
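Review bot: The `httpOnly` option's description says `Interdit les connexions en ssh`, but what the option does in the later hunks is disable ACME and `forceSSL` and set `rejectSSL`, i.e. it concerns HTTPS, not SSH; the text should read `Interdit les connexions en HTTPS (pas d'ACME, pas de redirection vers TLS) pour ce vhost`, and `example = "true";` should be the bool `example = true;` to match `types.bool`. In the second hunk `SOCKET_MODE = "0666"` makes the new `/run/anubis/anubis-${vhostName}.sock` listener connectable by every local user, which lets any local process reach the vhost backend without going through nginx; since nginx is the only intended client, a group-restricted mode such as `"0660"` with nginx in the anubis group would be tighter, though the service's user/group setup is outside this hunk and should be checked first.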