# Reverse-proxy virtual hosts and the Anubis bot policies attached to them.
#
# Five policy files are generated in the `let` block:
#   - anubisBotsMirror: shared rules (address allow-list, User-Agent bans)
#   - anubisMirror:     anubisBotsMirror, then ALLOW rules
#   - antiBot:          anubisBotsMirror plus rule sets imported from "(data)/..." paths
#   - anubisChallenge:  antiBot, then one CHALLENGE rule
#   - anubisMirrors:    antiBot, two ALLOW rules, then one CHALLENGE rule
#
# NOTE(review): the comments below assume rules are evaluated top to bottom and
# that the first matching rule decides the action — confirm against the deployed
# Anubis version, because every ordering remark depends on it.
{ pkgs, ... }:

let
  formatJSON = pkgs.formats.json { };
  formatYAML = pkgs.formats.yaml { };

  # Shared rule list, imported by anubisMirror and by antiBot.
  anubisBotsMirror = formatYAML.generate "anubis_bots_mirror.yaml" [
    {
      # Listed source addresses are allowed; this entry sits ahead of every DENY rule.
      # NOTE(review): "185.230.79.0/22" has host bits set (the /22 containing it
      # starts at 185.230.76.0). Confirm the intended range and write it in
      # canonical form; parsers differ on whether they normalise or reject this.
      name = "whitelist-crans";
      action = "ALLOW";
      remote_addresses = [
        "185.230.79.0/22"
        "2a0c:700::/32"
        "46.105.102.188/32"
        "2001:41d0:2:d5bc::/128"
      ];
    }
    {
      # Deny requests whose User-Agent is the empty string.
      name = "no-user-agent";
      action = "DENY";
      expression = "userAgent == \"\"";
    }
    {
      # Deny User-Agents containing "gpt".
      # NOTE(review): the pattern is lowercase only; unless matching is
      # case-insensitive, agents spelled "GPT" are caught only if another rule
      # (e.g. ban-bot) happens to match them.
      name = "ban-gpt";
      action = "DENY";
      user_agent_regex = ".*gpt.*";
    }
    {
      # Deny User-Agents containing "bot" or "Bot".
      name = "ban-bot";
      action = "DENY";
      user_agent_regex = ".*(b|B)ot.*";
    }
    {
      # NOTE(review): assuming `all` is a logical AND, this rule can never match:
      # a User-Agent cannot start with "Mozilla", "AppleWebKit", "Safari" and
      # "Chrome" at the same time. Decide what it is meant to catch before
      # changing it — a plain OR over these prefixes would also match ordinary
      # browsers, whose User-Agent starts with "Mozilla".
      name = "ban-WebKit";
      action = "DENY";
      expression = {
        all = [
          "userAgent.startsWith(\"Mozilla\")"
          "userAgent.startsWith(\"AppleWebKit\")"
          "userAgent.startsWith(\"Safari\")"
          "userAgent.startsWith(\"Chrome\")"
        ];
      };
    }
    {
      # Deny User-Agents containing "Barkrowler".
      name = "ban-Barkrowler";
      action = "DENY";
      user_agent_regex = ".*Barkrowler.*";
    }
  ];

  # Policy used by the "eclat" and "mirror" virtual hosts.
  anubisMirror = formatJSON.generate "anubis_mirror.json" {
    bots = [
      { import = "${anubisBotsMirror}"; }
      {
        # "^...*" matches any path of at least two characters.
        name = "allow-repo";
        action = "ALLOW";
        path_regex = "^...*";
      }
      {
        # NOTE(review): the rule is named "deny-other" but its action is ALLOW.
        # Together with allow-repo, every request not denied by the imported
        # rules is let through without a challenge. Confirm this is intended
        # and rename the rule, or change the action, so the name and effect agree.
        name = "deny-other";
        path_regex = ".*";
        action = "ALLOW";
      }
    ];
  };

  # Shared rule list imported by anubisChallenge and anubisMirrors.
  antiBot = formatYAML.generate "antibot.yaml" [
    { import = "${anubisBotsMirror}"; }
    {
      # Deny bots that frequently misbehave.
      # https://github.com/TecharoHQ/anubis/blob/main/data/bots/deny-pathological.yaml
      # NOTE(review): the import path has a leading underscore that the URL
      # lacks — verify which file name exists in the deployed version.
      import = "(data)/bots/_deny-pathological.yaml";
    }
    {
      # Allow search-engine indexers.
      # https://github.com/TecharoHQ/anubis/blob/main/data/crawlers/_allow-good.yaml
      import = "(data)/crawlers/_allow-good.yaml";
    }
    {
      # Allow access to favicon, robots.txt, well-known, ...
      # https://github.com/TecharoHQ/anubis/blob/main/data/common/keep-internet-working.yaml
      import = "(data)/common/keep-internet-working.yaml";
    }
    {
      # Deny when userAgent = "" (per the original author's note).
      # https://github.com/TecharoHQ/anubis/blob/main/data/common/keep-internet-working.yaml
      # NOTE(review): the URL above repeats the previous entry's file, while the
      # import is rfc-violations.yaml — looks like a copy-paste slip; point the
      # reference at the file that is actually imported.
      import = "(data)/common/rfc-violations.yaml";
    }
    {
      # Block AI traffic aggressively (bots/agents, training and AI user search).
      # https://github.com/TecharoHQ/anubis/blob/main/data/meta/ai-block-aggressive.yaml
      import = "(data)/meta/ai-block-aggressive.yaml";
    }
  ];

  # Policy used by "install-party", "lists", "mediawiki", "perso" and "wiki".
  anubisChallenge = formatJSON.generate "anubis_challenge.json" {
    "bots" = [
      { import = "${antiBot}"; }
      {
        # NOTE(review): "^*" is an unusual pattern (a repetition applied to an
        # anchor); presumably it is meant to match every path. Confirm the regex
        # engine accepts it as intended — the other policies use ".*" for this.
        name = "challenge-other";
        path_regex = "^*";
        action = "CHALLENGE";
      }
    ];
  };

  # Policy used by the "eclats" and "mirrors" virtual hosts.
  anubisMirrors = formatJSON.generate "anubis_mirrors.json" {
    "bots" = [
      { import = "${antiBot}"; }
      {
        # Allows paths containing "cdimage-".
        # NOTE(review): the name "deny-other" contradicts the ALLOW action and is
        # reused by the last rule of this list, which makes log lines ambiguous.
        name = "deny-other";
        path_regex = ".*cdimage-.*";
        action = "ALLOW";
      }
      {
        # NOTE(review): "^...*" matches any path of two or more characters, so
        # this ALLOW already covers the cdimage rule above and leaves the final
        # CHALLENGE reachable only for shorter paths such as "/". If the intent
        # is to allow only repository paths and challenge the rest, the pattern
        # needs to be narrowed.
        name = "allow-repo";
        path_regex = "^...*";
        action = "ALLOW";
      }
      {
        # Challenge whatever did not match a rule above.
        name = "deny-other";
        path_regex = ".*";
        action = "CHALLENGE";
      }
    ];
  };
in
{
  crans = {
    reverseProxy = {
      enable = true;

      virtualHosts = {
        # No anubisConfig is set for this host.
        # NOTE(review): whether that means "no bot filtering" depends on the
        # reverseProxy module's default — confirm.
        "collabora" = {
          target = "172.16.10.149";
          proxyWebsockets = true;
        };
        # NOTE(review): httpOnly presumably serves this host over plain HTTP —
        # confirm in the reverseProxy module. The same applies to "mirror" below.
        "eclat" = {
          anubisConfig = "${anubisMirror}";
          httpOnly = true;
          target = "172.16.10.104";
        };
        "eclats" = {
          anubisConfig = "${anubisMirrors}";
          target = "172.16.10.104";
        };
        # The target here is a filesystem path rather than a backend address.
        "install-party" = {
          anubisConfig = "${anubisChallenge}";
          target = "/var/www/install-party.crans.org";
          serverAliases = [
            "i-p"
            "adopteunmanchot"
            "adopteunpingouin"
          ];
        };
        "lists" = {
          anubisConfig = "${anubisChallenge}";
          target = "172.16.10.110";
        };
        "mediawiki" = {
          anubisConfig = "${anubisChallenge}";
          target = "172.16.10.144";
          serverAliases = [ "mediakiwi" ];
        };
        "mirrors" = {
          anubisConfig = "${anubisMirrors}";
          target = "172.16.10.104";
        };
        "mirror" = {
          anubisConfig = "${anubisMirror}";
          httpOnly = true;
          target = "172.16.10.104";
        };
        "perso" = {
          anubisConfig = "${anubisChallenge}";
          target = "172.16.10.31";
          serverAliases = [ "clubs" ];
        };
        "wiki" = {
          anubisConfig = "${anubisChallenge}";
          target = "[fd00::10:0:ff:fe01:6110]"; # IPv4 does not work
          serverAliases = [ "wikipedia" ];
        };
      };
    };

    services = {
      acme.enable = true;
    };
  };
}