# NixOS configuration for the host "reverseproxy": defines the Anubis bot-policy
# files used by the reverse proxy and maps each virtual host to a policy and a
# backend target.
{ pkgs, ... }:

let
  # Shared bot rules (YAML) imported by `anubisMirror` below.
  # Rules, in file order: ALLOW four address ranges, DENY an empty User-Agent,
  # DENY User-Agents matching "gpt", "bot"/"Bot" or "Barkrowler", and DENY
  # User-Agents that start with "Mozilla" and also match AppleWebKit, Safari
  # and Chrome. Identical to `antibot` except that ban-WebKit is DENY here and
  # CHALLENGE there.
  # NOTE(review): 185.230.79.0/22 has host bits set; the /22 that contains it
  # starts at 185.230.76.0. Confirm the parser normalises the prefix and that
  # allowing 185.230.76.0-185.230.79.255 is intended.
  # NOTE(review): the ALLOW rule is only as trustworthy as the client address
  # Anubis is given; confirm that address is set by the fronting proxy and
  # cannot be supplied by the client.
  # NOTE(review): the ban-WebKit expression matches the User-Agent shape sent
  # by Chrome-family browsers, so DENY blocks them on any vhost using this
  # file. User-Agent is client-supplied, so these rules only filter clients
  # that identify themselves.
  anubisBotsMirror = pkgs.writeText "anubis_bots_mirror.yaml" ''
    - name: whitelist-crans
      action: ALLOW
      remote_addresses:
        - 185.230.79.0/22
        - 2a0c:700::/32
        - 46.105.102.188/32
        - 2001:41d0:2:d5bc::/128
    - name: no-user-agent-string
      action: DENY
      expression: userAgent == ""
    - name: ban-gpt
      user_agent_regex: ".*gpt.*"
      action: DENY
    - name: ban-bot
      user_agent_regex: ".*(b|B)ot.*"
      action: DENY
    - name: ban-WebKit
      action: DENY
      expression:
        all:
          - userAgent.startsWith("Mozilla")
          - userAgent.matches("AppleWebKit")
          - userAgent.matches("Safari")
          - userAgent.matches("Chrome")
    - name: ban-Barkrowler
      user_agent_regex: ".*Barkrowler.*"
      action: DENY
  '';

  # Policy for the "mirror" vhost: imports `anubisBotsMirror`, then two path
  # rules that both ALLOW.
  # NOTE(review): the rule named "deny-other" has action ALLOW, so nothing is
  # denied or challenged here beyond the imported rules. Confirm whether the
  # name or the action is the intended one.
  # NOTE(review): "^...*" matches any path of two or more characters, so the
  # catch-all after it can only apply to shorter paths (presumably rules are
  # evaluated in order, first match wins; confirm).
  anubisMirror = pkgs.writeText "anubis_mirror.json" ''
    {
      "bots": [
        { "import": "${anubisBotsMirror}" },
        { "name": "allow-repo", "path_regex": "^...*", "action": "ALLOW" },
        { "name": "deny-other", "path_regex": ".*", "action": "ALLOW" }
      ]
    }
  '';

  # Shared bot rules (YAML) imported by `anubisChallenge` and `anubisMirrors`.
  # Same rule list as `anubisBotsMirror`, except ban-WebKit is CHALLENGE
  # instead of DENY.
  # NOTE(review): the 185.230.79.0/22 prefix and client-address caveats noted
  # on `anubisBotsMirror` apply to this copy of the allowlist as well.
  antibot = pkgs.writeText "antibot.yaml" ''
    - name: whitelist-crans
      action: ALLOW
      remote_addresses:
        - 185.230.79.0/22
        - 2a0c:700::/32
        - 46.105.102.188/32
        - 2001:41d0:2:d5bc::/128
    - name: no-user-agent-string
      action: DENY
      expression: userAgent == ""
    - name: ban-gpt
      user_agent_regex: ".*gpt.*"
      action: DENY
    - name: ban-bot
      user_agent_regex: ".*(b|B)ot.*"
      action: DENY
    - name: ban-WebKit
      action: CHALLENGE
      expression:
        all:
          - userAgent.startsWith("Mozilla")
          - userAgent.matches("AppleWebKit")
          - userAgent.matches("Safari")
          - userAgent.matches("Chrome")
    - name: ban-Barkrowler
      user_agent_regex: ".*Barkrowler.*"
      action: DENY
  '';

  # Policy that imports `antibot` and then applies CHALLENGE through a single
  # path rule. Used by the install-party, mediawiki, perso and wiki vhosts.
  # NOTE(review): "^*" applies a repetition to the anchor and looks like a typo
  # for ".*". Confirm the regex engine accepts it and that it matches every
  # path; if the rule failed to load or match, these vhosts would have no
  # catch-all challenge.
  anubisChallenge = pkgs.writeText "anubis_challenge.json" ''
    {
      "bots": [
        { "import": "${antibot}" },
        { "name": "challenge-other", "path_regex": "^*", "action": "CHALLENGE" }
      ]
    }
  '';

  # Policy for the eclats and mirrors vhosts: imports `antibot`, ALLOWs paths
  # matching ".*cdimage-.*" and "^...*", then CHALLENGEs ".*".
  # NOTE(review): two rules share the name "deny-other", and the first of them
  # ALLOWs. Confirm the names and actions are as intended.
  # NOTE(review): "^...*" matches any path of two or more characters. If rules
  # are evaluated first-match (confirm), the final CHALLENGE only applies to a
  # one-character path such as "/", and the cdimage rule is redundant.
  anubisMirrors = pkgs.writeText "anubis_mirrors.json" ''
    {
      "bots": [
        { "import": "${antibot}" },
        { "name": "deny-other", "path_regex": ".*cdimage-.*", "action": "ALLOW" },
        { "name": "allow-repo", "path_regex": "^...*", "action": "ALLOW" },
        { "name": "deny-other", "path_regex": ".*", "action": "CHALLENGE" }
      ]
    }
  '';
in
{
  imports = [ ./hardware-configuration.nix ];

  networking.hostName = "reverseproxy";
  boot.loader.grub.devices = [ "/dev/sda" ];

  users.users."nginx".home = "/var/lib/nginx";
  # Adds the anubis user to the nginx group.
  # NOTE(review): presumably needed to share sockets or files with nginx;
  # confirm this is the minimum access required.
  users.users."anubis".extraGroups = [ "nginx" ];

  # Options under `crans` come from a project module that is not visible here;
  # the comments below describe only the values being set.
  crans = {
    enable = true;

    networking = {
      id = "51";
      srvNat.enable = true;
      srv = {
        enable = true;
        interface = "ens20";
        ipv4 = "185.230.79.42";
      };
    };

    resticClient.when = "03:42";

    reverseProxy = {
      enable = true;

      # One entry per virtual host: `anubisConfig` is the store path of the
      # policy file to apply, `target` is an IPv4 address or (install-party)
      # a filesystem path, and `serverAliases` lists extra names.
      virtualHosts = {
        "eclats" = {
          anubisConfig = "${anubisMirrors}";
          target = "172.16.10.104";
        };
        "install-party" = {
          anubisConfig = "${anubisChallenge}";
          target = "/var/www/install-party.crans.org";
          serverAliases = [ "i-p" "adopteunmanchot" "adopteunpingouin" ];
        };
        "mediawiki" = {
          anubisConfig = "${anubisChallenge}";
          target = "172.16.10.144";
          serverAliases = [ "mediakiwi" ];
        };
        "mirrors" = {
          anubisConfig = "${anubisMirrors}";
          target = "172.16.10.104";
        };
        # NOTE(review): httpOnly presumably serves this vhost without TLS. If
        # so, download integrity depends on clients verifying signatures;
        # confirm that is acceptable for everything served from this target.
        "mirror" = {
          anubisConfig = "${anubisMirror}";
          httpOnly = true;
          target = "172.16.10.104";
        };
        "perso" = {
          anubisConfig = "${anubisChallenge}";
          target = "172.16.10.31";
          serverAliases = [ "clubs" ];
        };
        "wiki" = {
          anubisConfig = "${anubisChallenge}";
          target = "172.16.10.161";
          serverAliases = [ "wikipedia" ];
        };
      };
    };

    services = {
      acme.enable = true;
    };
  };

  system.stateVersion = "25.05";
}