nginx instead of caddy for stargate + fail2ban

2025-09-27 00:30:33 +02:00 · 2025-09-27 00:30:33 +02:00 · c26057cb97
commit c26057cb97
parent 6e84bda08f
4 changed files with 130 additions and 58 deletions
--- a/systems/x86_64-linux/stargate/services/caddy.nix
+++ b/systems/x86_64-linux/stargate/services/caddy.nix
@ -1,57 +0,0 @@
-{
-  lib,
-  pkgs,
-  inputs,
-  namespace,
-  system,
-  target,
-  format,
-  virtual,
-  systems,
-  config,
-  ...
-}:
-with lib;
-with lib.custom; {
-  services.caddy = {
-    enable = true;
-    #virtualHosts."kylekrein.com:8448".extraConfig = ''
-    #  reverse_proxy http://localhost:6167
-    #'';
-    virtualHosts."kylekrein.com".extraConfig = config.services.caddy.virtualHosts."matrix.kylekrein.com".extraConfig;
-    #  reverse_proxy /.well-known/* http://localhost:6167
-    #'';
-    virtualHosts."matrix.kylekrein.com".extraConfig = ''
-      handle_path /.well-known/matrix/* {
-
-          header Access-Control-Allow-Origin *
-
-          ## `Content-Type: application/json` isn't required by the matrix spec
-          ## but some browsers (firefox) and some other tooling might preview json
-          ## content prettier when they are made aware via Content-Type
-          header Content-Type application/json
-
-          respond /client `{ "m.homeserver": { "base_url": "https://matrix.kylekrein.com/" }, "org.matrix.msc3575.proxy": { "url": "https://matrix.kylekrein.com/"}, "org.matrix.msc4143.rtc_foci": [ { "type": "livekit", "livekit_service_url": "https://livekit-jwt.call.matrix.org" } ] }`
-
-          respond /server `{ "m.server": "matrix.kylekrein.com:443" }`
-
-          ## return http/404 if nothing matches
-          respond 404
-      }
-      respond /.well-known/element/element.json `{"call":{"widget_url":"https://call.element.io"}}`
-          reverse_proxy * http://localhost:6167
-    '';
-    virtualHosts."gitlab.kylekrein.com".extraConfig = ''
-      reverse_proxy * unix//run/gitlab/gitlab-workhorse.socket
-    '';
-    virtualHosts."immich.kylekrein.com".extraConfig = ''
-      reverse_proxy * http://[::1]:${toString config.services.immich.port}
-    '';
-    virtualHosts."nextcloud.kylekrein.com".extraConfig = ''
-      reverse_proxy * http://nextcloud.localhost"
-    '';
-    virtualHosts."ntfy.kylekrein.com".extraConfig = ''
-      reverse_proxy * http://[::1]${config.services.ntfy-sh.settings.listen-http}
-    '';
-  };
-}
--- a/systems/x86_64-linux/stargate/services/fail2ban.nix
+++ b/systems/x86_64-linux/stargate/services/fail2ban.nix
@ -0,0 +1,48 @@
+{
+  lib,
+  pkgs,
+  ...
+}: {
+  environment.etc = {
+    # Define an action that will trigger a Ntfy push notification upon the issue of every new ban
+    "fail2ban/action.d/ntfy.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+      [Definition]
+      norestored = true # Needed to avoid receiving a new notification after every restart
+      actionban = curl -H "Title: <ip> has been banned" -d "<name> jail has banned <ip> from accessing $(hostname) after <failures> attempts of hacking the system." https://ntfy.kylekrein.com/Fail2banNotifications
+    '');
+    # Defines a filter that detects URL probing by reading the Nginx access log
+    "fail2ban/filter.d/nginx-url-probe.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+      [Definition]
+      failregex = ^<HOST>.*(GET /(wp-|admin|boaform|phpmyadmin|\.env|\.git)|\.(dll|so|cfm|asp)|(\?|&)(=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000|=PHPE9568F36-D428-11d2-A769-00AA001ACF42|=PHPE9568F35-D428-11d2-A769-00AA001ACF42|=PHPE9568F34-D428-11d2-A769-00AA001ACF42)|\\x[0-9a-zA-Z]{2})
+    '');
+  };
+  services.fail2ban = {
+    enable = true;
+    # Ban IP after 5 failures
+    maxretry = 5;
+    ignoreIP = [
+      # Whitelist some subnets
+      "192.168.178.0/24"
+    ];
+    bantime = "24h"; # Ban IPs for one day on the first ban
+    bantime-increment = {
+      enable = true; # Enable increment of bantime after each violation
+      #formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+      multipliers = "1 2 4 8 16 32 64";
+      maxtime = "1680h"; # Do not ban for more than 10 weeks
+      overalljails = true; # Calculate the bantime based on all the violations
+    };
+    jails = {
+      nginx-url-probe.settings = {
+        enabled = true;
+        filter = "nginx-url-probe";
+        logpath = "/var/log/nginx/access.log";
+        action = ''          %(action_)s[blocktype=DROP]
+                           ntfy'';
+        backend = "auto"; # Do not forget to specify this if your jail uses a log file
+        maxretry = 5;
+        findtime = 600;
+      };
+    };
+  };
+}
--- a/systems/x86_64-linux/stargate/services/nextcloud.nix
+++ b/systems/x86_64-linux/stargate/services/nextcloud.nix
@ -21,6 +21,6 @@ with lib.custom; {
      dbtype = "pgsql";
      adminpassFile = config.sops.secrets."services/nextcloud".path;
    };
-    hostName = "nextcloud.localhost";
+    hostName = "nextcloud.kylekrein.com";
  };
 }
--- a/systems/x86_64-linux/stargate/services/nginx.nix
+++ b/systems/x86_64-linux/stargate/services/nginx.nix
@ -0,0 +1,81 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}: let
+  matrixLocations = {
+    "~ ^/\\.well-known/matrix/client$" = {
+      extraConfig = ''
+        add_header Access-Control-Allow-Origin *;
+        add_header Content-Type application/json;
+        return 200 '{"m.homeserver": { "base_url": "https://matrix.kylekrein.com/" }, "org.matrix.msc3575.proxy": { "url": "https://matrix.kylekrein.com/"}, "org.matrix.msc4143.rtc_foci": [ { "type": "livekit", "livekit_service_url": "https://livekit-jwt.call.matrix.org" } ] }';
+      '';
+    };
+    "~ ^/\\.well-known/matrix/server$" = {
+      extraConfig = ''
+        add_header Content-Type application/json;
+        return 200 '{"m.server": "matrix.kylekrein.com:443"}';
+      '';
+    };
+    "~ ^/\\.well-known/element/element.json$" = {
+      extraConfig = ''
+        add_header Content-Type application/json;
+        return 200 '{"call":{"widget_url":"https://call.element.io"}}';
+      '';
+    };
+    "/" = {
+      proxyPass = "http://127.0.0.1:6167";
+    };
+  };
+in {
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+
+    virtualHosts = {
+      # "kylekrein.com" = {
+      #  enableACME = true;
+      # forceSSL = true;
+      #locations = config.services.nginx.virtualHosts."matrix.kylekrein.com".locations;
+      #};
+
+      #"matrix.kylekrein.com" = {
+      #  enableACME = true;
+      #  forceSSL = true;
+      #  locations = matrixLocations;
+      #};
+
+      #"gitlab.kylekrein.com" = {
+      #  enableACME = true;
+      #  forceSSL = true;
+      #  locations."/" = {
+      #    proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
+      #  };
+      #};
+
+      "immich.kylekrein.com" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://[::1]:${toString config.services.immich.port}";
+        };
+      };
+
+      "ntfy.kylekrein.com" = {
+        enableACME = true;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://[::1]${config.services.ntfy-sh.settings.listen-http}";
+        };
+      };
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "alex.lebedev2003@icloud.com";
+  };
+}