From c26057cb9745b8d1e81a7e4fbbdee9287d3a5e43 Mon Sep 17 00:00:00 2001 From: Aleksandr Lebedev Date: Sat, 27 Sep 2025 00:30:33 +0200 Subject: [PATCH] nginx instead of caddy for stargate + fail2ban --- .../x86_64-linux/stargate/services/caddy.nix | 57 ------------- .../stargate/services/fail2ban.nix | 48 +++++++++++ .../stargate/services/nextcloud.nix | 2 +- .../x86_64-linux/stargate/services/nginx.nix | 81 +++++++++++++++++++ 4 files changed, 130 insertions(+), 58 deletions(-) delete mode 100644 systems/x86_64-linux/stargate/services/caddy.nix create mode 100644 systems/x86_64-linux/stargate/services/fail2ban.nix create mode 100644 systems/x86_64-linux/stargate/services/nginx.nix diff --git a/systems/x86_64-linux/stargate/services/caddy.nix b/systems/x86_64-linux/stargate/services/caddy.nix deleted file mode 100644 index 6e00674..0000000 --- a/systems/x86_64-linux/stargate/services/caddy.nix +++ /dev/null @@ -1,57 +0,0 @@ -{ - lib, - pkgs, - inputs, - namespace, - system, - target, - format, - virtual, - systems, - config, - ... -}: -with lib; -with lib.custom; { - services.caddy = { - enable = true; - #virtualHosts."kylekrein.com:8448".extraConfig = '' - # reverse_proxy http://localhost:6167 - #''; - virtualHosts."kylekrein.com".extraConfig = config.services.caddy.virtualHosts."matrix.kylekrein.com".extraConfig; - # reverse_proxy /.well-known/* http://localhost:6167 - #''; - virtualHosts."matrix.kylekrein.com".extraConfig = '' - handle_path /.well-known/matrix/* { - - header Access-Control-Allow-Origin * - - ## `Content-Type: application/json` isn't required by the matrix spec - ## but some browsers (firefox) and some other tooling might preview json - ## content prettier when they are made aware via Content-Type - header Content-Type application/json - - respond /client `{ "m.homeserver": { "base_url": "https://matrix.kylekrein.com/" }, "org.matrix.msc3575.proxy": { "url": "https://matrix.kylekrein.com/"}, "org.matrix.msc4143.rtc_foci": [ { "type": "livekit", "livekit_service_url": "https://livekit-jwt.call.matrix.org" } ] }` - - respond /server `{ "m.server": "matrix.kylekrein.com:443" }` - - ## return http/404 if nothing matches - respond 404 - } - respond /.well-known/element/element.json `{"call":{"widget_url":"https://call.element.io"}}` - reverse_proxy * http://localhost:6167 - ''; - virtualHosts."gitlab.kylekrein.com".extraConfig = '' - reverse_proxy * unix//run/gitlab/gitlab-workhorse.socket - ''; - virtualHosts."immich.kylekrein.com".extraConfig = '' - reverse_proxy * http://[::1]:${toString config.services.immich.port} - ''; - virtualHosts."nextcloud.kylekrein.com".extraConfig = '' - reverse_proxy * http://nextcloud.localhost" - ''; - virtualHosts."ntfy.kylekrein.com".extraConfig = '' - reverse_proxy * http://[::1]${config.services.ntfy-sh.settings.listen-http} - ''; - }; -} diff --git a/systems/x86_64-linux/stargate/services/fail2ban.nix b/systems/x86_64-linux/stargate/services/fail2ban.nix new file mode 100644 index 0000000..e841fef --- /dev/null +++ b/systems/x86_64-linux/stargate/services/fail2ban.nix @@ -0,0 +1,48 @@ +{ + lib, + pkgs, + ... +}: { + environment.etc = { + # Define an action that will trigger a Ntfy push notification upon the issue of every new ban + "fail2ban/action.d/ntfy.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter '' + [Definition] + norestored = true # Needed to avoid receiving a new notification after every restart + actionban = curl -H "Title: has been banned" -d " jail has banned from accessing $(hostname) after attempts of hacking the system." https://ntfy.kylekrein.com/Fail2banNotifications + ''); + # Defines a filter that detects URL probing by reading the Nginx access log + "fail2ban/filter.d/nginx-url-probe.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter '' + [Definition] + failregex = ^.*(GET /(wp-|admin|boaform|phpmyadmin|\.env|\.git)|\.(dll|so|cfm|asp)|(\?|&)(=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000|=PHPE9568F36-D428-11d2-A769-00AA001ACF42|=PHPE9568F35-D428-11d2-A769-00AA001ACF42|=PHPE9568F34-D428-11d2-A769-00AA001ACF42)|\\x[0-9a-zA-Z]{2}) + ''); + }; + services.fail2ban = { + enable = true; + # Ban IP after 5 failures + maxretry = 5; + ignoreIP = [ + # Whitelist some subnets + "192.168.178.0/24" + ]; + bantime = "24h"; # Ban IPs for one day on the first ban + bantime-increment = { + enable = true; # Enable increment of bantime after each violation + #formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)"; + multipliers = "1 2 4 8 16 32 64"; + maxtime = "1680h"; # Do not ban for more than 10 weeks + overalljails = true; # Calculate the bantime based on all the violations + }; + jails = { + nginx-url-probe.settings = { + enabled = true; + filter = "nginx-url-probe"; + logpath = "/var/log/nginx/access.log"; + action = '' %(action_)s[blocktype=DROP] + ntfy''; + backend = "auto"; # Do not forget to specify this if your jail uses a log file + maxretry = 5; + findtime = 600; + }; + }; + }; +} diff --git a/systems/x86_64-linux/stargate/services/nextcloud.nix b/systems/x86_64-linux/stargate/services/nextcloud.nix index 2a0f807..2e1e4d4 100644 --- a/systems/x86_64-linux/stargate/services/nextcloud.nix +++ b/systems/x86_64-linux/stargate/services/nextcloud.nix @@ -21,6 +21,6 @@ with lib.custom; { dbtype = "pgsql"; adminpassFile = config.sops.secrets."services/nextcloud".path; }; - hostName = "nextcloud.localhost"; + hostName = "nextcloud.kylekrein.com"; }; } diff --git a/systems/x86_64-linux/stargate/services/nginx.nix b/systems/x86_64-linux/stargate/services/nginx.nix new file mode 100644 index 0000000..347859e --- /dev/null +++ b/systems/x86_64-linux/stargate/services/nginx.nix @@ -0,0 +1,81 @@ +{ + lib, + pkgs, + config, + ... +}: let + matrixLocations = { + "~ ^/\\.well-known/matrix/client$" = { + extraConfig = '' + add_header Access-Control-Allow-Origin *; + add_header Content-Type application/json; + return 200 '{"m.homeserver": { "base_url": "https://matrix.kylekrein.com/" }, "org.matrix.msc3575.proxy": { "url": "https://matrix.kylekrein.com/"}, "org.matrix.msc4143.rtc_foci": [ { "type": "livekit", "livekit_service_url": "https://livekit-jwt.call.matrix.org" } ] }'; + ''; + }; + "~ ^/\\.well-known/matrix/server$" = { + extraConfig = '' + add_header Content-Type application/json; + return 200 '{"m.server": "matrix.kylekrein.com:443"}'; + ''; + }; + "~ ^/\\.well-known/element/element.json$" = { + extraConfig = '' + add_header Content-Type application/json; + return 200 '{"call":{"widget_url":"https://call.element.io"}}'; + ''; + }; + "/" = { + proxyPass = "http://127.0.0.1:6167"; + }; + }; +in { + services.nginx = { + enable = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + recommendedGzipSettings = true; + + virtualHosts = { + # "kylekrein.com" = { + # enableACME = true; + # forceSSL = true; + #locations = config.services.nginx.virtualHosts."matrix.kylekrein.com".locations; + #}; + + #"matrix.kylekrein.com" = { + # enableACME = true; + # forceSSL = true; + # locations = matrixLocations; + #}; + + #"gitlab.kylekrein.com" = { + # enableACME = true; + # forceSSL = true; + # locations."/" = { + # proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket"; + # }; + #}; + + "immich.kylekrein.com" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://[::1]:${toString config.services.immich.port}"; + }; + }; + + "ntfy.kylekrein.com" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://[::1]${config.services.ntfy-sh.settings.listen-http}"; + }; + }; + }; + }; + + security.acme = { + acceptTerms = true; + defaults.email = "alex.lebedev2003@icloud.com"; + }; +}