From b639cfb18aed6e8c71bfe06036a8be4f4e8a1306 Mon Sep 17 00:00:00 2001
From: korenstin
Date: Sat, 28 Jun 2025 14:38:40 +0200
Subject: [PATCH] Reload de anubis, ajout de eclat et ajout de redirection pour favicon.ico
---
 hosts/vm/reverseproxy/anubis.nix | 71 ----------------
 hosts/vm/reverseproxy/default.nix | 7 +-
 modules/services/reverseproxy.nix | 137 ++++++++++++++++--------------
 3 files changed, 79 insertions(+), 136 deletions(-)
 delete mode 100644 hosts/vm/reverseproxy/anubis.nix
diff --git a/hosts/vm/reverseproxy/anubis.nix b/hosts/vm/reverseproxy/anubis.nix
deleted file mode 100644
index 3693ca8..0000000
--- a/hosts/vm/reverseproxy/anubis.nix
+++ /dev/null
@@ -1,71 +0,0 @@ -{ pkgs, ... }: - -let - anubisBotsMirror = pkgs.writeText "anubis_bots_mirror.yaml" '' - - name: whitelist-crans - action: ALLOW - remote_addresses: - - 185.230.79.0/22 - - 2a0c:700::/32 - - 46.105.102.188/32 - - 2001:41d0:2:d5bc::/128 - - - name: no-user-agent-string - action: DENY - expression: userAgent == "" - - - name: ban-gpt - user_agent_regex: ".*gpt.*" - action: DENY - - - name: ban-bot - user_agent_regex: ".*(b|B)ot.*" - action: DENY - - - name: ban-WebKit - action: DENY - expression: - all: - - userAgent.startsWith("Mozilla") - - userAgent.matches("AppleWebKit") - - userAgent.matches("Safari") - - userAgent.matches("Chrome") - - - name: ban-Barkrowler - user_agent_regex: ".*Barkrowler.*" - action: DENY - ''; - anubisMirror = pkgs.writeText "anubis_mirror.json" '' - { - "bots": [ - { - "import": "${anubisBotsMirror}" - }, - { - "name": "allow-repo", - "path_regex": "^...*", - "action": "ALLOW" - }, - { - "name": "deny-other", - "path_regex": ".*", - "action": "ALLOW" - } - ] - } - ''; -in { - services.anubis = { - instances."mirror" = { - enable = true; - settings = { - BIND_NETWORK = "tcp"; - BIND = "127.0.0.1:7779"; - TARGET = "http://localhost:8890"; - COOKIE_DOMAIN = "crans.org"; - REDIRECT_DOMAINS = "eclat.crans.org,mirror.crans.org"; - POLICY_FNAME = "${anubisMirror}"; - }; - }; - }; -} diff --git a/hosts/vm/reverseproxy/default.nix b/hosts/vm/reverseproxy/default.nix index 4dd7c56..44d747d 100644 --- a/hosts/vm/reverseproxy/default.nix +++ b/hosts/vm/reverseproxy/default.nix @@ -161,6 +161,11 @@ in { enable = true; virtualHosts = { + "eclat" = { + anubisConfig = "${anubisMirror}"; + httpOnly = true; + target = "172.16.10.104"; + }; "eclats" = { anubisConfig = "${anubisMirrors}"; target = "172.16.10.104"; @@ -199,7 +204,7 @@ in { }; "wiki" = { anubisConfig = "${anubisChallenge}"; - target = "172.16.10.161"; + target = "[fd00::10:0:ff:fe01:6110]"; # l'ipv4 marche pas serverAliases = [ "wikipedia" ]; 
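Review bot: The new `"eclat"` vhost sets `httpOnly = true` without saying why, and in modules/services/reverseproxy.nix that flag becomes `rejectSSL = true` with ACME and `forceSSL` off, while every Anubis instance there gets `COOKIE_DOMAIN = "crans.org"`. The challenge cookie for this host is therefore scoped to the parent domain and travels in cleartext; whether it would be accepted by the other instances depends on key configuration not visible here, so that should be checked. I would add a comment such as `# HTTP only: <reason this host cannot serve TLS>` next to `httpOnly`, and confirm that `anubisMirror` is still defined in this file's `let` block now that anubis.nix, which used to define it, is deleted. The `virtualHosts` block starts and ends outside the hunk.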
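Review bot: The comment `# l'ipv4 marche pas` on the new `"wiki"` target records a workaround but not its cause, so nobody can tell later whether the ULA address is still needed. I would replace it with something like `# IPv4 target 172.16.10.161 unreachable from the proxy (<cause or ticket>); using the ULA address until fixed`. If the backend has any address-based allow-list or logging keyed on the proxy's source address (not visible here), it now sees the proxy's IPv6 source instead, which is worth confirming. The `"wiki"` attribute set continues past the end of the hunk.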
diff --git a/modules/services/reverseproxy.nix b/modules/services/reverseproxy.nix
index b8e45fd..177093c 100644
--- a/modules/services/reverseproxy.nix
+++ b/modules/services/reverseproxy.nix
@@ -94,75 +94,84 @@ in }; }; - config.services = mkIf cfg.enable { - anubis = { - defaultOptions.group = "nginx"; - instances = mapAttrs ( - vhostName: vhostConfig: { - enable = true; - settings = { - BIND = "/run/anubis/anubis-${vhostName}.sock"; - BIND_NETWORK = "unix"; - TARGET = "unix:///run/nginx/nginx-${vhostName}.sock"; - COOKIE_DOMAIN = "crans.org"; - REDIRECT_DOMAINS = "${vhostName}.crans.org"; - SOCKET_MODE = "0660"; - POLICY_FNAME = - if (vhostConfig.anubisConfig == "") - then allowAll - else vhostConfig.anubisConfig; - }; - } - ) cfg.virtualHosts; - }; + config = { + systemd.services = mapAttrs ( + vhostName: vhostConfig: { + wantedBy = [ "multi-user.target" ]; + } + ) cfg.virtualHosts; - nginx = - let - domaines = [ - "crans.org" - "crans.fr" - "crans.eu" - ]; - redirectConfig = mapAttrs ( + services = mkIf cfg.enable { + anubis = { + defaultOptions.group = "nginx"; + instances = mapAttrs ( vhostName: vhostConfig: { - locations = mkIf ((substring 0 1 vhostConfig.target) != "/") { - "/".proxyPass = "http://${vhostConfig.target}"; + enable = true; + settings = { + BIND = "/run/anubis/anubis-${vhostName}.sock"; + BIND_NETWORK = "unix"; + TARGET = "unix:///run/nginx/nginx-${vhostName}.sock"; + COOKIE_DOMAIN = "crans.org"; + REDIRECT_DOMAINS = "${vhostName}.crans.org"; + SOCKET_MODE = "0660"; + POLICY_FNAME = + if (vhostConfig.anubisConfig == "") + then allowAll + else vhostConfig.anubisConfig; }; - root = mkIf ((substring 0 1 vhostConfig.target) == "/") vhostConfig.target; - listen = [ - { addr = "unix:/run/nginx/nginx-${vhostName}.sock"; } - ]; } ) cfg.virtualHosts; - aliasConfig = mapAttrs' ( - vhostName: vhostConfig: nameValuePair (vhostName + "-alias") { - enableACME = !vhostConfig.httpOnly; - forceSSL = !vhostConfig.httpOnly; - rejectSSL = vhostConfig.httpOnly; - serverName = "${vhostName}.crans.fr"; - serverAliases = let - aliases = cartesianProduct { - name = vhostConfig.serverAliases; - domaine = domaines; - }; - in [ - "${vhostName}.crans.eu" - ] 
++ map (value: value.name + "." + value.domaine) aliases; - globalRedirect = "${vhostName}.crans.org"; - } - ) cfg.virtualHosts; - anubisConfig = mapAttrs' ( - vhostName: vhostConfig: nameValuePair (vhostName + "-anubis") { - enableACME = !vhostConfig.httpOnly; - forceSSL = !vhostConfig.httpOnly; - rejectSSL = vhostConfig.httpOnly; - locations."/".proxyPass = "http://unix:/run/anubis/anubis-${vhostName}.sock"; - serverName = "${vhostName}.crans.org"; - } - ) cfg.virtualHosts; - in { - enable = true; - virtualHosts = redirectConfig // aliasConfig // anubisConfig; }; + + nginx = + let + domaines = [ + "crans.org" + "crans.fr" + "crans.eu" + ]; + redirectConfig = mapAttrs ( + vhostName: vhostConfig: { + locations = mkIf ((substring 0 1 vhostConfig.target) != "/") { + "/favicon.ico".root = "/var/www/logo/"; + "/".proxyPass = "http://${vhostConfig.target}"; + }; + root = mkIf ((substring 0 1 vhostConfig.target) == "/") vhostConfig.target; + listen = [ + { addr = "unix:/run/nginx/nginx-${vhostName}.sock"; } + ]; + } + ) cfg.virtualHosts; + aliasConfig = mapAttrs' ( + vhostName: vhostConfig: nameValuePair (vhostName + "-alias") { + enableACME = !vhostConfig.httpOnly; + forceSSL = !vhostConfig.httpOnly; + rejectSSL = vhostConfig.httpOnly; + serverName = "${vhostName}.crans.fr"; + serverAliases = let + aliases = cartesianProduct { + name = vhostConfig.serverAliases; + domaine = domaines; + }; + in [ + "${vhostName}.crans.eu" + ] ++ map (value: value.name + "." 
+ value.domaine) aliases; + globalRedirect = "${vhostName}.crans.org"; + } + ) cfg.virtualHosts; + anubisConfig = mapAttrs' ( + vhostName: vhostConfig: nameValuePair (vhostName + "-anubis") { + enableACME = !vhostConfig.httpOnly; + forceSSL = !vhostConfig.httpOnly; + rejectSSL = vhostConfig.httpOnly; + locations."/".proxyPass = "http://unix:/run/anubis/anubis-${vhostName}.sock"; + serverName = "${vhostName}.crans.org"; + } + ) cfg.virtualHosts; + in { + enable = true; + virtualHosts = redirectConfig // aliasConfig // anubisConfig; + }; + }; }; }
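Review bot: The new `systemd.services = mapAttrs (...) cfg.virtualHosts` is keyed by the bare vhost name and sits outside `mkIf cfg.enable`, so it declares units such as `eclat.service` or `wiki.service` that carry only `wantedBy`, and it does so even when the module is disabled. If the intent, per the commit subject, is to get the Anubis instances started or reloaded, the attribute names probably need to be the unit names the anubis module generates, presumably `anubis-${vhostName}` (to be confirmed against the module in use). Something like `systemd.services = mkIf cfg.enable (mapAttrs' (vhostName: _: nameValuePair "anubis-${vhostName}" { wantedBy = [ "multi-user.target" ]; }) cfg.virtualHosts);` would cover both points; `mapAttrs'` and `nameValuePair` are already used further down in this file. These instances are the filtering layer in front of every vhost, so a mis-keyed unit leaves their startup behaviour unchanged while looking fixed. The enclosing `let … in` expression starts outside the hunk.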