From 0bfacad632a1ae6251ed6413da754b691d505534 Mon Sep 17 00:00:00 2001 From: Lzebulon Date: Sun, 13 Jul 2025 13:24:38 +0200 Subject: [PATCH 1/9] authorise les crawlers des moteurs de recherche --- hosts/vm/reverseproxy/reverseproxy.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hosts/vm/reverseproxy/reverseproxy.nix b/hosts/vm/reverseproxy/reverseproxy.nix index c3315cc..9b0fa01 100644 --- a/hosts/vm/reverseproxy/reverseproxy.nix +++ b/hosts/vm/reverseproxy/reverseproxy.nix @@ -66,6 +66,10 @@ let - 46.105.102.188/32 - 2001:41d0:2:d5bc::/128 + # on authorise les indexers des moteurs de recherche, liste dispo ici : + # https://github.com/TecharoHQ/anubis/blob/main/data/crawlers/_allow-good.yaml + - import: (data)/crawlers/_allow-good.yaml + - name: no-user-agent-string action: DENY expression: userAgent == "" From eca3c260b7e338c25a0b59495b571123fa79094c Mon Sep 17 00:00:00 2001 From: Lzebulon Date: Sun, 13 Jul 2025 14:06:39 +0200 Subject: [PATCH 2/9] meilleur filtres avec list predefinie par anubis --- hosts/vm/reverseproxy/reverseproxy.nix | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/hosts/vm/reverseproxy/reverseproxy.nix b/hosts/vm/reverseproxy/reverseproxy.nix index 9b0fa01..d1a0806 100644 --- a/hosts/vm/reverseproxy/reverseproxy.nix +++ b/hosts/vm/reverseproxy/reverseproxy.nix 
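Review bot: The `- import: (data)/crawlers/_allow-good.yaml` entry is placed ahead of every DENY rule in this list, so any request the upstream crawler list recognises is allowed before the `no-user-agent-string` and later `ban-*` rules are ever consulted. Whether that is safe depends on how those upstream entries match: if an entry keys on User-Agent alone, any scraper can send `Googlebot` and walk past the bans; if it also pins `remote_addresses` (as I recall the googlebot/bingbot entries do) the exposure is limited to spoofing from those ranges, but that property belongs to a file this repo does not control. I would record the dependency next to the import, e.g. `# NOTE: only safe while the upstream entries pin remote_addresses; re-check this list when bumping Anubis.`, and note which Anubis revision the list was reviewed against. The `let` binding holding this YAML string starts before the hunk.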
@@ -66,13 +66,26 @@ let - 46.105.102.188/32 - 2001:41d0:2:d5bc::/128 + # les bots qui font souvent de la merde + # https://github.com/TecharoHQ/anubis/blob/main/data/bots/deny-pathological.yaml + - import: (data)/bots/_deny-pathological.yaml + # on authorise les indexers des moteurs de recherche, liste dispo ici : # https://github.com/TecharoHQ/anubis/blob/main/data/crawlers/_allow-good.yaml - import: (data)/crawlers/_allow-good.yaml - - name: no-user-agent-string - action: DENY - expression: userAgent == "" + # authorise l'accès à favicon, robots.txt, well-known + # https://github.com/TecharoHQ/anubis/blob/main/data/common/keep-internet-working.yaml + - import: (data)/common/keep-internet-working.yaml + + # refuse si userAgent = "" + # https://github.com/TecharoHQ/anubis/blob/main/data/common/keep-internet-working.yaml + - import: (data)/common/rfc-violations.yaml + + + # Bloque les AI aggressivement (bots/agent, training et user search par IA) + # https://github.com/TecharoHQ/anubis/blob/main/data/meta/ai-block-aggressive.yaml + - import: (data)/meta/ai-block-aggressive.yaml - name: ban-gpt user_agent_regex: ".*gpt.*" From 998c6c590e1e1822f186f00f633582cacfe661d3 Mon Sep 17 00:00:00 2001 From: Lzebulon Date: Sun, 13 Jul 2025 14:28:41 +0200 Subject: [PATCH 3/9] update flake.lock --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index 9c68f69..f7f526a 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1747575206, - "narHash": "sha256-NwmAFuDUO/PFcgaGGr4j3ozG9Pe5hZ/ogitWhY+D81k=", + "lastModified": 1750173260, + "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=", "owner": "ryantm", "repo": "agenix", - "rev": "4835b1dc898959d8547a871ef484930675cb47f1", + "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf", "type": "github" }, "original": { 
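Review bot: The comment above `- import: (data)/common/rfc-violations.yaml` links to `keep-internet-working.yaml` instead of the file it imports; it should read `# https://github.com/TecharoHQ/anubis/blob/main/data/common/rfc-violations.yaml`. The other imports name the right file, so this looks like a copy-paste slip, but it will send the next reader to the wrong policy when they wonder what "refuse si userAgent = \"\"" actually covers. One more line of documentation would help: these imports are order-sensitive, and anything matched by `_allow-good.yaml` or `keep-internet-working.yaml` (favicon, robots.txt, `/.well-known/`) is allowed before `ai-block-aggressive` and the local `ban-*` rules run, so a comment such as `# Order matters: Anubis applies the first matching rule; keep the ALLOW imports before the bans deliberately.` above the block would prevent a well-meaning reorder. The `let` binding holding this YAML starts before the hunk and the `ban-*` rules continue after it.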
@@ -50,11 +50,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1743550720, - "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", + "lastModified": 1751413152, + "narHash": "sha256-Tyw1RjYEsp5scoigs1384gIg6e0GoBVjms4aXFfRssQ=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "c621e8422220273271f52058f618c94e405bb0f5", + "rev": "77826244401ea9de6e3bac47c2db46005e1f30b5", "type": "github" }, "original": { @@ -86,11 +86,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1747953325, - "narHash": "sha256-y2ZtlIlNTuVJUZCqzZAhIw5rrKP4DOSklev6c8PyCkQ=", + "lastModified": 1752162966, + "narHash": "sha256-3MxxkU8ZXMHXcbFz7UE4M6qnIPTYGcE/7EMqlZNnVDE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "55d1f923c480dadce40f5231feb472e81b0bab48", + "rev": "10e687235226880ed5e9f33f1ffa71fe60f2638a", "type": "github" }, "original": { @@ -102,11 +102,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1743296961, - "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=", + "lastModified": 1751159883, + "narHash": "sha256-urW/Ylk9FIfvXfliA1ywh75yszAbiTEVgpPeinFyVZo=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa", + "rev": "14a40a1d7fb9afa4739275ac642ed7301a9ba1ab", "type": "github" }, "original": { @@ -145,11 +145,11 @@ ] }, "locked": { - "lastModified": 1747912973, - "narHash": "sha256-XgxghfND8TDypxsMTPU2GQdtBEsHTEc3qWE6RVEk8O0=", + "lastModified": 1752055615, + "narHash": "sha256-19m7P4O/Aw/6+CzncWMAJu89JaKeMh3aMle1CNQSIwM=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "020cb423808365fa3f10ff4cb8c0a25df35065a3", + "rev": "c9d477b5d5bd7f26adddd3f96cfd6a904768d4f9", "type": "github" }, "original": { From 0297fbc4725ce11e1856446e97d50c7a4a489901 Mon Sep 17 00:00:00 2001 From: Lzebulon Date: Sat, 2 Aug 2025 16:49:19 +0200 Subject: [PATCH 4/9] add collabora to reverseproxy --- hosts/vm/reverseproxy/reverseproxy.nix | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/hosts/vm/reverseproxy/reverseproxy.nix b/hosts/vm/reverseproxy/reverseproxy.nix index d1a0806..40ee67f 100644 --- a/hosts/vm/reverseproxy/reverseproxy.nix +++ b/hosts/vm/reverseproxy/reverseproxy.nix @@ -153,6 +153,9 @@ in { reverseProxy = { enable = true; virtualHosts = { + "collabora" = { + target = "172.16.10.149"; + }; "eclat" = { anubisConfig = "${anubisMirror}"; httpOnly = true; From 4d021eedff42063d65b4dad0b70212d97c5d746e Mon Sep 17 00:00:00 2001 From: Lzebulon Date: Sat, 2 Aug 2025 18:21:07 +0200 Subject: [PATCH 5/9] add proxyWebsockets option --- hosts/vm/reverseproxy/reverseproxy.nix | 1 + modules/services/reverseproxy.nix | 12 ++++++++++++ 2 files changed, 13 insertions(+) diff --git a/hosts/vm/reverseproxy/reverseproxy.nix b/hosts/vm/reverseproxy/reverseproxy.nix index 40ee67f..e24eaa5 100644 --- a/hosts/vm/reverseproxy/reverseproxy.nix +++ b/hosts/vm/reverseproxy/reverseproxy.nix @@ -155,6 +155,7 @@ in { virtualHosts = { "collabora" = { target = "172.16.10.149"; + proxyWebsockets = true; }; "eclat" = { anubisConfig = "${anubisMirror}"; diff --git a/modules/services/reverseproxy.nix b/modules/services/reverseproxy.nix index 177093c..15328c6 100644 --- a/modules/services/reverseproxy.nix +++ b/modules/services/reverseproxy.nix @@ -75,6 +75,15 @@ in ''; example = "true"; }; + + proxyWebSockets = mkOption { + type = types.bool; + default = false; + description = '' + Activer les websockets + ''; + example = "true"; + }; }; } ); @@ -135,6 +144,7 @@ in locations = mkIf ((substring 0 1 vhostConfig.target) != "/") { "/favicon.ico".root = "/var/www/logo/"; "/".proxyPass = "http://${vhostConfig.target}"; + "/".proxyWebsockets = vhostConfig.proxyWebsockets; }; root = mkIf ((substring 0 1 vhostConfig.target) == "/") vhostConfig.target; listen = [ 
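Review bot: `collabora` is added without `anubisConfig`, so by the module's default it is fronted by an Anubis instance running the `allow_all` policy — no bot filtering at all on an ACME-issued, TLS-terminated `collabora.crans.org` plus its `.fr`/`.eu` redirect aliases. That is probably right for a WOPI/document backend (presumably called by Nextcloud and by browsers over WebSocket, which a challenge page would break), but nothing in the entry says so, and a reader comparing it with `eclat` below will wonder whether the omission was deliberate. I would add `# No Anubis filtering on purpose: document-editing backend, a challenge page would break its clients.` above the entry so the allow-all default is visibly a decision. The enclosing `virtualHosts` attrset continues outside the hunk.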
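Review bot: The new WebSocket option is declared `types.bool` but its `example` is the string `"true"`, copied from the option above; for a bool the example should be the literal `example = true;` so the generated documentation shows a value that actually type-checks. The description `Activer les websockets` says what it is for but not what it does, and the effect is nginx-specific; `Forward the WebSocket Upgrade/Connection headers on the "/" location of this vhost (nginx proxyWebsockets).` would tell a reader which hop it configures. The enclosing `submodule` options set starts before the hunk.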
@@ -157,6 +167,7 @@ in "${vhostName}.crans.eu" ] ++ map (value: value.name + "." + value.domaine) aliases; globalRedirect = "${vhostName}.crans.org"; + locations."/".proxyWebsockets = vhostConfig.proxyWebsockets; } ) cfg.virtualHosts; anubisConfig = mapAttrs' ( @@ -165,6 +176,7 @@ in forceSSL = !vhostConfig.httpOnly; rejectSSL = vhostConfig.httpOnly; locations."/".proxyPass = "http://unix:/run/anubis/anubis-${vhostName}.sock"; + locations."/".proxyWebsockets = vhostConfig.proxyWebsockets; serverName = "${vhostName}.crans.org"; } ) cfg.virtualHosts; From 3fe04b474d9949c522fdf21422ce5cd9bbec450c Mon Sep 17 00:00:00 2001 From: Lzebulon Date: Sat, 2 Aug 2025 18:24:08 +0200 Subject: [PATCH 6/9] fix typo --- hosts/vm/reverseproxy/reverseproxy.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/vm/reverseproxy/reverseproxy.nix b/hosts/vm/reverseproxy/reverseproxy.nix index e24eaa5..83d024f 100644 --- a/hosts/vm/reverseproxy/reverseproxy.nix +++ b/hosts/vm/reverseproxy/reverseproxy.nix @@ -155,7 +155,7 @@ in { virtualHosts = { "collabora" = { target = "172.16.10.149"; - proxyWebsockets = true; + proxyWebSockets = true; }; "eclat" = { anubisConfig = "${anubisMirror}"; From 89f9038adfe61bfd74967a5a8a0a0857bc338295 Mon Sep 17 00:00:00 2001 From: Lzebulon Date: Sat, 2 Aug 2025 18:26:45 +0200 Subject: [PATCH 7/9] fix typo v2 --- hosts/vm/reverseproxy/reverseproxy.nix | 2 +- modules/services/reverseproxy.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/vm/reverseproxy/reverseproxy.nix b/hosts/vm/reverseproxy/reverseproxy.nix index 83d024f..e24eaa5 100644 --- a/hosts/vm/reverseproxy/reverseproxy.nix +++ b/hosts/vm/reverseproxy/reverseproxy.nix @@ -155,7 +155,7 @@ in { virtualHosts = { "collabora" = { target = "172.16.10.149"; - proxyWebSockets = true; + proxyWebsockets = true; }; "eclat" = { anubisConfig = "${anubisMirror}"; 
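Review bot: Setting `proxyWebsockets` on this outer `locations."/"` only covers the nginx → Anubis hop; the Upgrade handshake then has to survive Anubis itself (`unix:/run/anubis/anubis-<vhost>.sock` → `unix:/run/nginx/nginx-<vhost>.sock`) before the inner listener's own `proxyWebsockets` forwards it to the backend. Anubis's reverse proxy does pass `Upgrade` requests through as far as I know, but this is worth one deploy-time check against the public name (an HTTP/1.1 request carrying `Upgrade: websocket` that gets a 101 back) rather than an assumption. A comment would also save the next reader from wondering why the flag appears twice: `# WebSockets traverse nginx -> anubis -> nginx -> backend; every hop must forward Upgrade.` The `nameValuePair` body this line sits in starts before the hunk.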
diff --git a/modules/services/reverseproxy.nix b/modules/services/reverseproxy.nix index 15328c6..a225052 100644 --- a/modules/services/reverseproxy.nix +++ b/modules/services/reverseproxy.nix @@ -76,7 +76,7 @@ in example = "true"; }; - proxyWebSockets = mkOption { + proxyWebsockets = mkOption { type = types.bool; default = false; description = '' From eb806aa9fbd6f65dcd7e593234b4f05398cdb698 Mon Sep 17 00:00:00 2001 From: Lzebulon Date: Sat, 2 Aug 2025 18:35:54 +0200 Subject: [PATCH 8/9] fix double location "/" --- modules/services/reverseproxy.nix | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/modules/services/reverseproxy.nix b/modules/services/reverseproxy.nix index a225052..a67287f 100644 --- a/modules/services/reverseproxy.nix +++ b/modules/services/reverseproxy.nix @@ -143,8 +143,10 @@ in vhostName: vhostConfig: { locations = mkIf ((substring 0 1 vhostConfig.target) != "/") { "/favicon.ico".root = "/var/www/logo/"; - "/".proxyPass = "http://${vhostConfig.target}"; - "/".proxyWebsockets = vhostConfig.proxyWebsockets; + "/" = { + proxyPass = "http://${vhostConfig.target}"; + proxyWebsockets = vhostConfig.proxyWebsockets; + }; }; root = mkIf ((substring 0 1 vhostConfig.target) == "/") vhostConfig.target; listen = [ @@ -167,7 +169,7 @@ in "${vhostName}.crans.eu" ] ++ map (value: value.name + "." + value.domaine) aliases; globalRedirect = "${vhostName}.crans.org"; - locations."/".proxyWebsockets = vhostConfig.proxyWebsockets; + # locations."/".proxyWebsockets = vhostConfig.proxyWebsockets; } ) cfg.virtualHosts; anubisConfig = mapAttrs' ( 
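Review bot: The alias vhost's `# locations."/".proxyWebsockets = vhostConfig.proxyWebsockets;` is left commented out rather than removed; that vhost only does `globalRedirect` and has no `proxyPass`, so the option has nothing to act on there and the dead line will just invite someone to uncomment it. Delete the line and, if the reasoning should survive, say it once: `# Redirect-only vhost: no proxyPass, so proxyWebsockets does not apply here.` The `nameValuePair` body this line sits in starts before the hunk.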
@@ -175,8 +177,10 @@ in enableACME = !vhostConfig.httpOnly; forceSSL = !vhostConfig.httpOnly; rejectSSL = vhostConfig.httpOnly; - locations."/".proxyPass = "http://unix:/run/anubis/anubis-${vhostName}.sock"; - locations."/".proxyWebsockets = vhostConfig.proxyWebsockets; + locations."/" = { + proxyPass = "http://unix:/run/anubis/anubis-${vhostName}.sock"; + proxyWebsockets = vhostConfig.proxyWebsockets; + }; serverName = "${vhostName}.crans.org"; } ) cfg.virtualHosts; From 0a54a27b78bbb24b7137d628a8bd5ab7acc4ec0c Mon Sep 17 00:00:00 2001 From: RatCornu Date: Sun, 3 Aug 2025 15:35:31 +0200 Subject: [PATCH 9/9] Nettoyage de la configuration et du module reverseproxy --- hosts/vm/reverseproxy/reverseproxy.nix | 255 ++++++++++++------------- modules/services/reverseproxy.nix | 164 ++++++++-------- 2 files changed, 203 insertions(+), 216 deletions(-) diff --git a/hosts/vm/reverseproxy/reverseproxy.nix b/hosts/vm/reverseproxy/reverseproxy.nix index e24eaa5..f2ca654 100644 --- a/hosts/vm/reverseproxy/reverseproxy.nix +++ b/hosts/vm/reverseproxy/reverseproxy.nix 
@@ -1,154 +1,141 @@ { pkgs, ... }: let - anubisBotsMirror = pkgs.writeText "anubis_bots_mirror.yaml" - '' - - name: whitelist-crans - action: ALLOW - remote_addresses: - - 185.230.79.0/22 - - 2a0c:700::/32 - - 46.105.102.188/32 - - 2001:41d0:2:d5bc::/128 + formatJSON = pkgs.formats.json { }; + formatYAML = pkgs.formats.yaml { }; - - name: no-user-agent-string - action: DENY - expression: userAgent == "" + anubisBotsMirror = formatYAML.generate "anubis_bots_mirror.yaml" [ + { + name = "whitelist-crans"; + action = "ALLOW"; + remote_addresses = [ + "185.230.79.0/22" + "2a0c:700::/32" + "46.105.102.188/32" + "2001:41d0:2:d5bc::/128" + ]; + } + { + name = "no-user-agent"; + action = "DENY"; + expression = "userAgent == \"\""; + } + { + name = "ban-gpt"; + action = "DENY"; + user_agent_regex = ".*gpt.*"; + } + { + name = "ban-bot"; + action = "DENY"; + user_agent_regex = ".*(b|B)ot.*"; + } + { + name = "ban-WebKit"; + action = "DENY"; + expression = { + all = [ + "userAgent.startsWith(\"Mozilla\")" + "userAgent.startsWith(\"AppleWebKit\")" + "userAgent.startsWith(\"Safari\")" + "userAgent.startsWith(\"Chrome\")" + ]; + }; + } + { + name = "ban-Barkrowler"; + action = "DENY"; + user_agent_regex = ".*Barkrowler.*"; + } + ]; - - name: ban-gpt - user_agent_regex: ".*gpt.*" - action: DENY - - - name: ban-bot - user_agent_regex: ".*(b|B)ot.*" - action: DENY - - - name: ban-WebKit - action: DENY - expression: - all: - - userAgent.startsWith("Mozilla") - - userAgent.matches("AppleWebKit") - - userAgent.matches("Safari") - - userAgent.matches("Chrome") - - - name: ban-Barkrowler - user_agent_regex: ".*Barkrowler.*" - action: DENY - ''; - anubisMirror = pkgs.writeText "anubis_mirror.json" - '' + anubisMirror = formatJSON.generate "anubis_mirror.json" { + bots = [ { - "bots": [ - { - "import": "${anubisBotsMirror}" - }, - { - "name": "allow-repo", - "path_regex": "^...*", - "action": "ALLOW" - }, - { - "name": "deny-other", - "path_regex": ".*", - "action": "ALLOW" - } - ] + 
import = "${anubisBotsMirror}"; } - ''; - antibot = pkgs.writeText "antibot.yaml" - '' - - name: whitelist-crans - action: ALLOW - remote_addresses: - - 185.230.79.0/22 - - 2a0c:700::/32 - - 46.105.102.188/32 - - 2001:41d0:2:d5bc::/128 + { + name = "allow-repo"; + action = "ALLOW"; + path_regex = "^...*"; + } + { + name = "deny-other"; + path_regex = ".*"; + action = "ALLOW"; + } + ]; + }; - # les bots qui font souvent de la merde + antiBot = formatYAML.generate "antibot.yaml" [ + { + import = "${anubisBotsMirror}"; + } + { + # On refuse les bots qui font souvent de la merde. # https://github.com/TecharoHQ/anubis/blob/main/data/bots/deny-pathological.yaml - - import: (data)/bots/_deny-pathological.yaml - - # on authorise les indexers des moteurs de recherche, liste dispo ici : + import = "(data)/bots/_deny-pathological.yaml"; + } + { + # On autorise les indexers des moteurs de recherche. # https://github.com/TecharoHQ/anubis/blob/main/data/crawlers/_allow-good.yaml - - import: (data)/crawlers/_allow-good.yaml - - # authorise l'accès à favicon, robots.txt, well-known + import = "(data)/crawlers/_allow-good.yaml"; + } + { + # On autorise l'accès à favicon, robots.txt, well-known, ... 
# https://github.com/TecharoHQ/anubis/blob/main/data/common/keep-internet-working.yaml - - import: (data)/common/keep-internet-working.yaml - - # refuse si userAgent = "" + import = "(data)/common/keep-internet-working.yaml"; + } + { + # On refuse si userAgent = "" # https://github.com/TecharoHQ/anubis/blob/main/data/common/keep-internet-working.yaml - - import: (data)/common/rfc-violations.yaml - - - # Bloque les AI aggressivement (bots/agent, training et user search par IA) + import = "(data)/common/rfc-violations.yaml"; + } + { + # On bloque les AI aggressivement (bots/agent, training et user search par IA) # https://github.com/TecharoHQ/anubis/blob/main/data/meta/ai-block-aggressive.yaml - - import: (data)/meta/ai-block-aggressive.yaml + import = "(data)/meta/ai-block-aggressive.yaml"; + } + ]; - - name: ban-gpt - user_agent_regex: ".*gpt.*" - action: DENY - - - name: ban-bot - user_agent_regex: ".*(b|B)ot.*" - action: DENY - - - name: ban-WebKit - action: CHALLENGE - expression: - all: - - userAgent.startsWith("Mozilla") - - userAgent.matches("AppleWebKit") - - userAgent.matches("Safari") - - userAgent.matches("Chrome") - - - name: ban-Barkrowler - user_agent_regex: ".*Barkrowler.*" - action: DENY - ''; - anubisChallenge = pkgs.writeText "anubis_challenge.json" - '' + anubisChallenge = formatJSON.generate "anubis_challenge.json" { + "bots" = [ { - "bots": [ - { - "import": "${antibot}" - }, - { - "name": "challenge-other", - "path_regex": "^*", - "action": "CHALLENGE" - } - ] + import = "${antiBot}"; } - ''; - anubisMirrors = pkgs.writeText "anubis_mirrors.json" - '' { - "bots": [ - { - "import": "${antibot}" - }, - { - "name": "deny-other", - "path_regex": ".*cdimage-.*", - "action": "ALLOW" - }, - { - "name": "allow-repo", - "path_regex": "^...*", - "action": "ALLOW" - }, - { - "name": "deny-other", - "path_regex": ".*", - "action": "CHALLENGE" - } - ] - } - ''; -in { + name = "challenge-other"; + path_regex = "^*"; + action = "CHALLENGE"; + } + ]; + }; + + 
anubisMirrors = formatJSON.generate "anubis_mirrors.json" { + "bots" = [ + { + import = "${antiBot}"; + } + { + name = "deny-other"; + path_regex = ".*cdimage-.*"; + action = "ALLOW"; + } + { + name = "allow-repo"; + path_regex = "^...*"; + action = "ALLOW"; + } + { + name = "deny-other"; + path_regex = ".*"; + action = "CHALLENGE"; + } + ]; + }; + +in +{ crans = { reverseProxy = { enable = true; diff --git a/modules/services/reverseproxy.nix b/modules/services/reverseproxy.nix index a67287f..fac16cd 100644 --- a/modules/services/reverseproxy.nix +++ b/modules/services/reverseproxy.nix @@ -1,30 +1,36 @@ -{ pkgs, lib, config, ... }: +{ + pkgs, + lib, + config, + ... +}: let cfg = config.crans.reverseProxy; - allowAll = pkgs.writeText "allow_all.json" - '' + formatJSON = pkgs.formats.json { }; + + allowAll = formatJSON.generate "allow_all.json" { + bots = [ { - "bots": [ - { - "name": "allow_all", - "path_regex": ".*", - "action": "ALLOW" - } - ] + name = "allow_all"; + path_regex = ".*"; + action = "ALLOW"; } - ''; + ]; + }; + + mainTld = "org"; + otherTld = [ + "fr" + "eu" + ]; + inherit (lib) - cartesianProduct literalExpression - mapAttrs - mapAttrs' mkEnableOption mkIf mkOption - nameValuePair - substring types ; in @@ -87,7 +93,9 @@ in }; } ); - default = {}; + + default = { }; + example = literalExpression '' { "framadate" = { 
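Review bot: The reorganised `antiBot` list now imports `anubisBotsMirror` before `(data)/crawlers/_allow-good.yaml`, so its `ban-bot` rule (`.*(b|B)ot.*`, DENY) and `ban-gpt` are evaluated ahead of the search-engine allow list; since Anubis applies the first matching rule, Googlebot, bingbot and the rest are now denied, which undoes what the allow-good import was added for (the previous `antibot` had `ban-bot` after that import). `ban-WebKit` also changed meaning in this rewrite: every operand of `all` became `startsWith`, and no User-Agent can start with both `Mozilla` and `AppleWebKit`, so the rule can never fire — either that neutralisation is intended and the rule should go, or `matches`/`contains` should be restored (and note the old antibot variant was CHALLENGE, not the DENY now shared with the mirror). Smaller points in the same file: the link above the `rfc-violations.yaml` import still points at keep-internet-working.yaml, the rule named `deny-other` in `anubisMirror` has `action = "ALLOW"`, and `path_regex = "^*"` in `anubisChallenge` is clearer as `.*`. I would split the Crans IP allow-list out of `anubisBotsMirror` so it stays first, and import the UA bans only after the allow-good list; the `crans.reverseProxy` attrset at the end continues outside the hunk.

```nix
  # Crans networks are always allowed; kept separate so it can be evaluated first.
  whitelistCrans = formatYAML.generate "whitelist_crans.yaml" [
    {
      name = "whitelist-crans";
      action = "ALLOW";
      remote_addresses = [
        "185.230.79.0/22"
        "2a0c:700::/32"
        "46.105.102.188/32"
        "2001:41d0:2:d5bc::/128"
      ];
    }
  ];

  # … unchanged: anubisBotsMirror (minus the whitelist-crans entry) and anubisMirror …

  antiBot = formatYAML.generate "antibot.yaml" [
    { import = "${whitelistCrans}"; }
    # https://github.com/TecharoHQ/anubis/blob/main/data/bots/_deny-pathological.yaml
    { import = "(data)/bots/_deny-pathological.yaml"; }
    # https://github.com/TecharoHQ/anubis/blob/main/data/crawlers/_allow-good.yaml
    { import = "(data)/crawlers/_allow-good.yaml"; }
    # https://github.com/TecharoHQ/anubis/blob/main/data/common/keep-internet-working.yaml
    { import = "(data)/common/keep-internet-working.yaml"; }
    # https://github.com/TecharoHQ/anubis/blob/main/data/common/rfc-violations.yaml
    { import = "(data)/common/rfc-violations.yaml"; }
    # https://github.com/TecharoHQ/anubis/blob/main/data/meta/ai-block-aggressive.yaml
    { import = "(data)/meta/ai-block-aggressive.yaml"; }
    # Local UA bans last: ".*(b|B)ot.*" would otherwise catch the search engines allowed above.
    { import = "${anubisBotsMirror}"; }
  ];
```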
@@ -104,76 +112,33 @@ in }; config = { - systemd.services = mapAttrs ( - vhostName: vhostConfig: { - wantedBy = [ "multi-user.target" ]; - } - ) cfg.virtualHosts; + systemd.services = lib.mapAttrs (vhostName: vhostConfig: { + wantedBy = [ "multi-user.target" ]; + }) cfg.virtualHosts; services = mkIf cfg.enable { anubis = { defaultOptions.group = "nginx"; - instances = mapAttrs ( - vhostName: vhostConfig: { - enable = true; - settings = { - BIND = "/run/anubis/anubis-${vhostName}.sock"; - BIND_NETWORK = "unix"; - TARGET = "unix:///run/nginx/nginx-${vhostName}.sock"; - COOKIE_DOMAIN = "crans.org"; - REDIRECT_DOMAINS = "${vhostName}.crans.org"; - SOCKET_MODE = "0660"; - POLICY_FNAME = - if (vhostConfig.anubisConfig == "") - then allowAll - else vhostConfig.anubisConfig; - }; - } - ) cfg.virtualHosts; + instances = lib.mapAttrs (vhostName: vhostConfig: { + enable = true; + settings = { + BIND = "/run/anubis/anubis-${vhostName}.sock"; + BIND_NETWORK = "unix"; + TARGET = "unix:///run/nginx/nginx-${vhostName}.sock"; + COOKIE_DOMAIN = "crans.org"; + REDIRECT_DOMAINS = "${vhostName}.crans.org"; + SOCKET_MODE = "0660"; + POLICY_FNAME = if (vhostConfig.anubisConfig == "") then "${allowAll}" else vhostConfig.anubisConfig; + }; + }) cfg.virtualHosts; }; nginx = let - domaines = [ - "crans.org" - "crans.fr" - "crans.eu" - ]; - redirectConfig = mapAttrs ( - vhostName: vhostConfig: { - locations = mkIf ((substring 0 1 vhostConfig.target) != "/") { - "/favicon.ico".root = "/var/www/logo/"; - "/" = { - proxyPass = "http://${vhostConfig.target}"; - proxyWebsockets = vhostConfig.proxyWebsockets; - }; - }; - root = mkIf ((substring 0 1 vhostConfig.target) == "/") vhostConfig.target; - listen = [ - { addr = "unix:/run/nginx/nginx-${vhostName}.sock"; } - ]; - } - ) cfg.virtualHosts; - aliasConfig = mapAttrs' ( - vhostName: vhostConfig: nameValuePair (vhostName + "-alias") { - enableACME = !vhostConfig.httpOnly; - forceSSL = !vhostConfig.httpOnly; - rejectSSL = vhostConfig.httpOnly; - 
serverName = "${vhostName}.crans.fr"; - serverAliases = let - aliases = cartesianProduct { - name = vhostConfig.serverAliases; - domaine = domaines; - }; - in [ - "${vhostName}.crans.eu" - ] ++ map (value: value.name + "." + value.domaine) aliases; - globalRedirect = "${vhostName}.crans.org"; - # locations."/".proxyWebsockets = vhostConfig.proxyWebsockets; - } - ) cfg.virtualHosts; - anubisConfig = mapAttrs' ( - vhostName: vhostConfig: nameValuePair (vhostName + "-anubis") { + # Configuration du serveur principal. + mainConfig = lib.mapAttrs' ( + vhostName: vhostConfig: + lib.nameValuePair (vhostName + "-anubis") { enableACME = !vhostConfig.httpOnly; forceSSL = !vhostConfig.httpOnly; rejectSSL = vhostConfig.httpOnly; 
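Review bot: `systemd.services = lib.mapAttrs (vhostName: vhostConfig: { wantedBy = [ "multi-user.target" ]; }) cfg.virtualHosts;` defines a unit named after each vhost (`collabora.service`, …) containing nothing but a `wantedBy`; if the goal is to pull the Anubis instances into the boot target, the NixOS anubis module names those units `anubis-<instance>` as far as I can tell, so this creates empty, unrelated units — worth confirming with `systemctl list-units 'anubis-*' 'collabora*'` on the host. It is also the only part of `config` not under `mkIf cfg.enable`, so it is emitted even when the module is disabled. If the Anubis units are the intent, `systemd.services = lib.mapAttrs' (vhostName: _: lib.nameValuePair "anubis-${vhostName}" { wantedBy = [ "multi-user.target" ]; }) cfg.virtualHosts;` inside the `mkIf` says so. The `POLICY_FNAME` fallback to `allowAll` also deserves a comment, since a vhost that omits `anubisConfig` gets no filtering at all. `mainConfig` starts in this hunk and continues into the next.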
@@ -181,12 +146,47 @@ in proxyPass = "http://unix:/run/anubis/anubis-${vhostName}.sock"; proxyWebsockets = vhostConfig.proxyWebsockets; }; - serverName = "${vhostName}.crans.org"; + serverName = "${vhostName}.crans.${mainTld}"; } ) cfg.virtualHosts; - in { + + # Redirections + redirectConfig = lib.mapAttrs (vhostName: vhostConfig: { + # Redirection vers d'autres machines + locations = mkIf (!lib.strings.hasPrefix "/" vhostConfig.target) { + "/favicon.ico".root = "/var/www/logo/"; + "/" = { + proxyPass = "http://${vhostConfig.target}"; + proxyWebsockets = vhostConfig.proxyWebsockets; + }; + }; + # Redirection vers des fichiers locaux + root = mkIf (lib.strings.hasPrefix "/" vhostConfig.target) vhostConfig.target; + listen = [ + { addr = "unix:/run/nginx/nginx-${vhostName}.sock"; } + ]; + }) cfg.virtualHosts; + + # Configuration des alias .fr et .eu + aliasConfig = lib.fold ( + tld: acc: + acc + // lib.mapAttrs' ( + vhostName: vhostConfig: + lib.nameValuePair "${vhostName}-alias-${tld}" rec { + rejectSSL = vhostConfig.httpOnly; + forceSSL = !rejectSSL; + enableACME = !rejectSSL; + serverName = "${vhostName}.crans.${tld}"; + serverAliases = map (name: "${name}.crans.${tld}") vhostConfig.serverAliases; + globalRedirect = "${vhostName}.crans.${mainTld}"; + } + ) cfg.virtualHosts + ) { } otherTld; + in + { enable = true; - virtualHosts = redirectConfig // aliasConfig // anubisConfig; + virtualHosts = redirectConfig // aliasConfig // mainConfig; }; }; };
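Review bot: The `.org` aliases are dropped by this rewrite: the old `aliasConfig` took the cartesian product of `serverAliases` with all three domains, so `<alias>.crans.org` redirected to `<vhost>.crans.org`, whereas the new `aliasConfig` iterates only `otherTld` (`fr`, `eu`) and `mainConfig` sets `serverName` with no `serverAliases`; for any vhost with a non-empty `serverAliases`, `<alias>.crans.org` now lands on nginx's default server. Adding `serverAliases = map (name: "${name}.crans.${mainTld}") vhostConfig.serverAliases;` to `mainConfig` restores it (those names would then also need to appear in the instance's `REDIRECT_DOMAINS`, since as I understand it Anubis only redirects to listed domains) — or, if dropping them was intended, the commit message should say so rather than "cleanup". Minor: `redirectConfig` under the comment `# Redirections` is the internal backend vhost (unix listener, `proxyPass` to the target), not a redirect; `backendConfig` with `# Internal vhost reached through Anubis over the nginx-<vhost>.sock listener` would be clearer. `mainConfig` starts in the previous hunk.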