{ pkgs, ... }:
let
# Serializers used below to write the Anubis policy files handed to the
# reverse proxy (`anubisConfig`) and the rule lists those policies `import`.
formatJSON = pkgs.formats.json { };
formatYAML = pkgs.formats.yaml { };
# Shared allow/deny list, imported first by every policy in this file.
# Anubis applies the first rule that matches, so ordering here matters.
anubisBotsMirror =
  let
    rule = action: name: extra: { inherit name action; } // extra;
    allow = rule "ALLOW";
    deny = rule "DENY";
  in
  formatYAML.generate "anubis_bots_mirror.yaml" [
    # Source networks that are never challenged or denied (presumably Crans' own ranges).
    (allow "whitelist-crans" {
      remote_addresses = [
        "185.230.79.0/22"
        "2a0c:700::/32"
        "46.105.102.188/32"
        "2001:41d0:2:d5bc::/128"
      ];
    })
    # Empty User-Agent header.
    (deny "no-user-agent" { expression = "userAgent == \"\""; })
    # NOTE(review): case-sensitive; OpenAI's crawlers spell it "GPT" (GPTBot,
    # ChatGPT-User) and only fall under the next rule, not this one.
    (deny "ban-gpt" { user_agent_regex = ".*gpt.*"; })
    # NOTE(review): also matches search-engine crawlers (Googlebot, bingbot...),
    # and since this list is imported before `_allow-good.yaml` elsewhere in the
    # file, those crawlers are denied before the allow rule is reached — confirm
    # that is intended.
    (deny "ban-bot" { user_agent_regex = ".*(b|B)ot.*"; })
    # NOTE(review): `all` requires every prefix at once, and a User-Agent cannot
    # start with four different strings, so this rule can never match (it is a
    # no-op). Do not "fix" it blindly: a contains/any variant would deny every
    # real browser on all hosts importing this list.
    (deny "ban-WebKit" {
      expression.all = [
        "userAgent.startsWith(\"Mozilla\")"
        "userAgent.startsWith(\"AppleWebKit\")"
        "userAgent.startsWith(\"Safari\")"
        "userAgent.startsWith(\"Chrome\")"
      ];
    })
    (deny "ban-Barkrowler" { user_agent_regex = ".*Barkrowler.*"; })
  ];
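# Policy for the plain-HTTP mirror hosts (`mirror`, `eclat`): after the shared
# allow/deny list, every remaining request is let through without a challenge
# so package managers are never blocked.
anubisMirror = formatJSON.generate "anubis_mirror.json" {
  bots = [
    { import = "${anubisBotsMirror}"; }
    {
      # `^...*` matches any path of at least two characters, i.e. everything
      # except paths shorter than that (in practice only `/`).
      name = "allow-repo";
      action = "ALLOW";
      path_regex = "^...*";
    }
    {
      # Catch-all for whatever is left. Renamed from "deny-other": the rule
      # ALLOWs, and the name is what Anubis reports for the decision, so the
      # old name mislabelled it.
      name = "allow-other";
      action = "ALLOW";
      path_regex = ".*";
    }
  ];
};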
# Common anti-bot rule set: the shared list above plus Anubis' bundled lists.
# Each entry is an `import`; Anubis applies the first matching rule, so the
# order of this list is the order of precedence.
antiBot =
  let
    policyImports = [
      # Crans' own allow/deny list (defined above).
      "${anubisBotsMirror}"
      # Bots that are known to misbehave.
      # https://github.com/TecharoHQ/anubis/blob/main/data/bots/deny-pathological.yaml
      "(data)/bots/_deny-pathological.yaml"
      # Search-engine indexers are let through.
      # https://github.com/TecharoHQ/anubis/blob/main/data/crawlers/_allow-good.yaml
      # NOTE(review): `ban-bot` in the list imported first DENYs any User-Agent
      # containing "bot"/"Bot" (Googlebot, bingbot, ...), so this import only
      # helps crawlers that do not match that regex — confirm the intended order.
      "(data)/crawlers/_allow-good.yaml"
      # favicon, robots.txt, .well-known, ... stay reachable.
      # https://github.com/TecharoHQ/anubis/blob/main/data/common/keep-internet-working.yaml
      "(data)/common/keep-internet-working.yaml"
      # Deny requests violating the HTTP RFCs (e.g. an empty User-Agent).
      # https://github.com/TecharoHQ/anubis/blob/main/data/common/rfc-violations.yaml
      "(data)/common/rfc-violations.yaml"
      # Aggressive AI blocking (bots/agents, training crawlers, AI-driven search).
      # https://github.com/TecharoHQ/anubis/blob/main/data/meta/ai-block-aggressive.yaml
      "(data)/meta/ai-block-aggressive.yaml"
    ];
  in
  formatYAML.generate "antibot.yaml" (map (path: { import = path; }) policyImports);
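# Policy for the interactive sites (wiki, lists, perso, ...): whatever the
# common rule set did not decide gets the Anubis challenge.
anubisChallenge = formatJSON.generate "anubis_challenge.json" {
  bots = [
    { import = "${antiBot}"; }
    {
      name = "challenge-other";
      # Catch-all. Was `^*` (a repeated start-of-text anchor, which also matches
      # every path); `.*` is the form used by the other catch-all rules in this
      # file and reads as what it is.
      path_regex = ".*";
      action = "CHALLENGE";
    }
  ];
};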
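# Policy for the HTTPS mirror hosts (`mirrors`, `eclats`): the common rule set,
# then unconditional access to ISO images and repository paths, and a challenge
# for anything else.
anubisMirrors = formatJSON.generate "anubis_mirrors.json" {
  bots = [
    { import = "${antiBot}"; }
    {
      # Renamed from "deny-other": the rule ALLOWs and shared its name with the
      # CHALLENGE rule below, which made the reported rule name ambiguous.
      name = "allow-cdimage";
      path_regex = ".*cdimage-.*";
      action = "ALLOW";
    }
    {
      # NOTE(review): `^...*` matches any path of at least two characters, so
      # the CHALLENGE rule below is only reached for paths shorter than that (in
      # practice `/`). If only repository paths were meant to bypass the
      # challenge, this regex needs to be tightened.
      name = "allow-repo";
      path_regex = "^...*";
      action = "ALLOW";
    }
    {
      name = "deny-other";
      path_regex = ".*";
      action = "CHALLENGE";
    }
  ];
};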
in
{
  crans = {
    reverseProxy.enable = true;
    reverseProxy.virtualHosts =
      let
        # Upstream fronted by the interactive (CHALLENGE) policy.
        challenged = target: { anubisConfig = "${anubisChallenge}"; inherit target; };
        # The mirror backend, once per policy variant. `httpOnly` semantics come
        # from the crans.reverseProxy module (not visible here) — presumably a
        # plain-HTTP vhost, which is why it gets the allow-everything policy.
        mirrorHttp = { anubisConfig = "${anubisMirror}"; httpOnly = true; target = "172.16.10.104"; };
        mirrorFull = { anubisConfig = "${anubisMirrors}"; target = "172.16.10.104"; };
      in
      {
        # Not behind Anubis (no anubisConfig); WebSocket upgrades are proxied.
        collabora = { target = "172.16.10.149"; proxyWebsockets = true; };
        eclat = mirrorHttp;
        eclats = mirrorFull;
        # Served from a local directory rather than an upstream host.
        install-party = challenged "/var/www/install-party.crans.org" // {
          serverAliases = [ "i-p" "adopteunmanchot" "adopteunpingouin" ];
        };
        lists = challenged "172.16.10.110";
        mediawiki = challenged "172.16.10.144" // { serverAliases = [ "mediakiwi" ]; };
        mirrors = mirrorFull;
        mirror = mirrorHttp;
        perso = challenged "172.16.10.31" // { serverAliases = [ "clubs" ]; };
        # Reached over IPv6 only: the IPv4 address does not work (per the original note).
        wiki = challenged "[fd00::10:0:ff:fe01:6110]" // { serverAliases = [ "wikipedia" ]; };
      };
    services.acme.enable = true;
  };
}