diff --git a/hosts/vm/reverseproxy/default.nix b/hosts/vm/reverseproxy/default.nix
index 3fe9606..cc37e51 100644
--- a/hosts/vm/reverseproxy/default.nix
+++ b/hosts/vm/reverseproxy/default.nix
@@ -1,139 +1,10 @@
 { pkgs, ... }:
-let
- anubisBotsMirror = pkgs.writeText "anubis_bots_mirror.yaml"
- ''
- - name: whitelist-crans
- action: ALLOW
- remote_addresses:
- - 185.230.79.0/22
- - 2a0c:700::/32
- - 46.105.102.188/32
- - 2001:41d0:2:d5bc::/128
-
- - name: no-user-agent-string
- action: DENY
- expression: userAgent == ""
-
- - name: ban-gpt
- user_agent_regex: ".*gpt.*"
- action: DENY
-
- - name: ban-bot
- user_agent_regex: ".*(b|B)ot.*"
- action: DENY
-
- - name: ban-WebKit
- action: DENY
- expression:
- all:
- - userAgent.startsWith("Mozilla")
- - userAgent.matches("AppleWebKit")
- - userAgent.matches("Safari")
- - userAgent.matches("Chrome")
-
- - name: ban-Barkrowler
- user_agent_regex: ".*Barkrowler.*"
- action: DENY
- '';
- anubisMirror = pkgs.writeText "anubis_mirror.json"
- ''
- {
- "bots": [
- {
- "import": "${anubisBotsMirror}"
- },
- {
- "name": "allow-repo",
- "path_regex": "^...*",
- "action": "ALLOW"
- },
- {
- "name": "deny-other",
- "path_regex": ".*",
- "action": "ALLOW"
- }
- ]
- }
- '';
- antibot = pkgs.writeText "antibot.yaml"
- ''
- - name: whitelist-crans
- action: ALLOW
- remote_addresses:
- - 185.230.79.0/22
- - 2a0c:700::/32
- - 46.105.102.188/32
- - 2001:41d0:2:d5bc::/128
-
- - name: no-user-agent-string
- action: DENY
- expression: userAgent == ""
-
- - name: ban-gpt
- user_agent_regex: ".*gpt.*"
- action: DENY
-
- - name: ban-bot
- user_agent_regex: ".*(b|B)ot.*"
- action: DENY
-
- - name: ban-WebKit
- action: CHALLENGE
- expression:
- all:
- - userAgent.startsWith("Mozilla")
- - userAgent.matches("AppleWebKit")
- - userAgent.matches("Safari")
- - userAgent.matches("Chrome")
-
- - name: ban-Barkrowler
- user_agent_regex: ".*Barkrowler.*"
- action: DENY
- '';
- anubisChallenge = pkgs.writeText "anubis_challenge.json"
- ''
- {
- "bots": [
- {
- "import": "${antibot}"
- },
- {
- "name": "challenge-other",
- "path_regex": "^*",
- "action": "CHALLENGE"
- }
- ]
- }
- '';
- anubisMirrors = pkgs.writeText "anubis_mirrors.json"
- ''
- {
- "bots": [
- {
- "import": "${antibot}"
- },
- {
- "name": "deny-other",
- "path_regex": ".*cdimage-.*",
- "action": "ALLOW"
- },
- {
- "name": "allow-repo",
- "path_regex": "^...*",
- "action": "ALLOW"
- },
- {
- "name": "deny-other",
- "path_regex": ".*",
- "action": "CHALLENGE"
- }
- ]
- }
- '';
-in {
+{
 imports = [
 ./hardware-configuration.nix
+
+ ./reverseproxy.nix
 ];
 networking.hostName = "reverseproxy";
@@ -157,68 +28,6 @@ in {
 resticClient.when = "03:42";
- reverseProxy = {
- enable = true;
-
- virtualHosts = {
- "eclat" = {
- anubisConfig = "${anubisMirror}";
- httpOnly = true;
- target = "172.16.10.104";
- };
- "eclats" = {
- anubisConfig = "${anubisMirrors}";
- target = "172.16.10.104";
- };
- "install-party" = {
- anubisConfig = "${anubisChallenge}";
- target = "/var/www/install-party.crans.org";
- serverAliases = [
- "i-p"
- "adopteunmanchot"
- "adopteunpingouin"
- ];
- };
- "lists" = {
- anubisConfig = "${anubisChallenge}";
- target = "172.16.10.110";
- };
- "mediawiki" = {
- anubisConfig = "${anubisChallenge}";
- target = "172.16.10.144";
- serverAliases = [
- "mediakiwi"
- ];
- };
- "mirrors" = {
- anubisConfig = "${anubisMirrors}";
- target = "172.16.10.104";
- };
- "mirror" = {
- anubisConfig = "${anubisMirror}";
- httpOnly = true;
- target = "172.16.10.104";
- };
- "perso" = {
- anubisConfig = "${anubisChallenge}";
- target = "172.16.10.31";
- serverAliases = [
- "clubs"
- ];
- };
- "wiki" = {
- anubisConfig = "${anubisChallenge}";
- target = "[fd00::10:0:ff:fe01:6110]"; # l'ipv4 marche pas
- serverAliases = [
- "wikipedia"
- ];
- };
- };
- };
-
- services = {
- acme.enable = true;
- };
 };
 system.stateVersion = "25.05";
diff --git a/hosts/vm/reverseproxy/reverseproxy.nix b/hosts/vm/reverseproxy/reverseproxy.nix
new file mode 100644
index 0000000..c3315cc
--- /dev/null
+++ b/hosts/vm/reverseproxy/reverseproxy.nix
@@ -0,0 +1,198 @@
+{ pkgs, ... }:
+
+let
+ anubisBotsMirror = pkgs.writeText "anubis_bots_mirror.yaml"
+ ''
+ - name: whitelist-crans
+ action: ALLOW
+ remote_addresses:
+ - 185.230.79.0/22
+ - 2a0c:700::/32
+ - 46.105.102.188/32
+ - 2001:41d0:2:d5bc::/128
+
+ - name: no-user-agent-string
+ action: DENY
+ expression: userAgent == ""
+
+ - name: ban-gpt
+ user_agent_regex: ".*gpt.*"
+ action: DENY
+
+ - name: ban-bot
+ user_agent_regex: ".*(b|B)ot.*"
+ action: DENY
+
+ - name: ban-WebKit
+ action: DENY
+ expression:
+ all:
+ - userAgent.startsWith("Mozilla")
+ - userAgent.matches("AppleWebKit")
+ - userAgent.matches("Safari")
+ - userAgent.matches("Chrome")
+
+ - name: ban-Barkrowler
+ user_agent_regex: ".*Barkrowler.*"
+ action: DENY
+ '';
+ anubisMirror = pkgs.writeText "anubis_mirror.json"
+ ''
+ {
+ "bots": [
+ {
+ "import": "${anubisBotsMirror}"
+ },
+ {
+ "name": "allow-repo",
+ "path_regex": "^...*",
+ "action": "ALLOW"
+ },
+ {
+ "name": "deny-other",
+ "path_regex": ".*",
+ "action": "ALLOW"
+ }
+ ]
+ }
+ '';
+ antibot = pkgs.writeText "antibot.yaml"
+ ''
+ - name: whitelist-crans
+ action: ALLOW
+ remote_addresses:
+ - 185.230.79.0/22
+ - 2a0c:700::/32
+ - 46.105.102.188/32
+ - 2001:41d0:2:d5bc::/128
+
+ - name: no-user-agent-string
+ action: DENY
+ expression: userAgent == ""
+
+ - name: ban-gpt
+ user_agent_regex: ".*gpt.*"
+ action: DENY
+
+ - name: ban-bot
+ user_agent_regex: ".*(b|B)ot.*"
+ action: DENY
+
+ - name: ban-WebKit
+ action: CHALLENGE
+ expression:
+ all:
+ - userAgent.startsWith("Mozilla")
+ - userAgent.matches("AppleWebKit")
+ - userAgent.matches("Safari")
+ - userAgent.matches("Chrome")
+
+ - name: ban-Barkrowler
+ user_agent_regex: ".*Barkrowler.*"
+ action: DENY
+ '';
+ anubisChallenge = pkgs.writeText "anubis_challenge.json"
+ ''
+ {
+ "bots": [
+ {
+ "import": "${antibot}"
+ },
+ {
+ "name": "challenge-other",
+ "path_regex": "^*",
+ "action": "CHALLENGE"
+ }
+ ]
+ }
+ '';
+ anubisMirrors = pkgs.writeText "anubis_mirrors.json"
+ ''
+ {
+ "bots": [
+ {
+ "import": "${antibot}"
+ },
+ {
+ "name": "deny-other",
+ "path_regex": ".*cdimage-.*",
+ "action": "ALLOW"
+ },
+ {
+ "name": "allow-repo",
+ "path_regex": "^...*",
+ "action": "ALLOW"
+ },
+ {
+ "name": "deny-other",
+ "path_regex": ".*",
+ "action": "CHALLENGE"
+ }
+ ]
+ }
+ '';
+in {
+ crans = {
+ reverseProxy = {
+ enable = true;
+ virtualHosts = {
+ "eclat" = {
+ anubisConfig = "${anubisMirror}";
+ httpOnly = true;
+ target = "172.16.10.104";
+ };
+ "eclats" = {
+ anubisConfig = "${anubisMirrors}";
+ target = "172.16.10.104";
+ };
+ "install-party" = {
+ anubisConfig = "${anubisChallenge}";
+ target = "/var/www/install-party.crans.org";
+ serverAliases = [
+ "i-p"
+ "adopteunmanchot"
+ "adopteunpingouin"
+ ];
+ };
+ "lists" = {
+ anubisConfig = "${anubisChallenge}";
+ target = "172.16.10.110";
+ };
+ "mediawiki" = {
+ anubisConfig = "${anubisChallenge}";
+ target = "172.16.10.144";
+ serverAliases = [
+ "mediakiwi"
+ ];
+ };
+ "mirrors" = {
+ anubisConfig = "${anubisMirrors}";
+ target = "172.16.10.104";
+ };
+ "mirror" = {
+ anubisConfig = "${anubisMirror}";
+ httpOnly = true;
+ target = "172.16.10.104";
+ };
+ "perso" = {
+ anubisConfig = "${anubisChallenge}";
+ target = "172.16.10.31";
+ serverAliases = [
+ "clubs"
+ ];
+ };
+ "wiki" = {
+ anubisConfig = "${anubisChallenge}";
+ target = "[fd00::10:0:ff:fe01:6110]"; # l'ipv4 marche pas
+ serverAliases = [
+ "wikipedia"
+ ];
+ };
+ };
+ };
+
+ services = {
+ acme.enable = true;
+ };
+ };
+}
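Review bot: In anubis_mirror.json the catch-all rule is named `deny-other` but carries `"action": "ALLOW"`, so the name contradicts what it does, the preceding `allow-repo` rule (path_regex `^...*`, any path of two or more characters) is redundant with it because both yield ALLOW, and the same name `deny-other` is then reused twice in anubis_mirrors.json for an ALLOW on `.*cdimage-.*` and for the CHALLENGE catch-all, which makes Anubis log lines and per-rule metrics ambiguous. Renaming to match the action, e.g. `"name": "allow-other"` in anubis_mirror.json and `"name": "allow-cdimage"` for the cdimage rule, keeps the intent readable without changing behaviour. The `^*` regex in anubis_challenge.json presumably means "every path"; `.*` states that directly. The `whitelist-crans` ALLOW on remote_addresses only does what its name says if Anubis sees the real client address rather than the proxy's, which this file does not show; worth confirming how the reverseProxy module forwards the client IP. Since anubisBotsMirror and antibot differ only in the ban-WebKit action (DENY vs CHALLENGE), a short Nix comment on each stating why browser-like user agents are denied outright on the mirror hosts would save the next reader a diff.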