# NGINX for this host, plus the ACME and fail2ban pieces that go with it.
#
# Other modules contribute their sites through `services.nginx.virtualHosts`;
# a service that must be up before NGINX starts can order itself with
# `systemd.services.<name>.{before,wantedBy}`.
{config, ...}: let
  # Every jail below is the same shape: enabled, watching the HTTP/HTTPS ports,
  # and differing only in which fail2ban filter it applies and which NGINX log
  # that filter reads.  `filter` is the name of a filter shipped with fail2ban;
  # `logpath` is a fail2ban path variable, not a literal file name.
  mkNginxJail = filter: logpath: {
    settings = {
      enabled = true;
      port = "http,https";
      inherit filter logpath;
    };
  };
in {
  # Enable the reverse proxy itself; the virtual hosts come from elsewhere.
  services.nginx.enable = true;

  # ACME registration shared by the HTTP services behind the NGINX virtual hosts.
  security.acme = {
    acceptTerms = true;
    # NOTE: The certificate in `local-dns/certficates.nix` uses a different email!
    defaults.email = "linusvejlo+${config.networking.hostName}[email protected]";
  };

  # Open HTTP and HTTPS.
  networking.firewall.allowedTCPPorts = [80 443];

  services.fail2ban = {
    enable = true;

    jails = {
      # Repeated HTTP basic-auth failures (from the error log).
      "nginx-http-auth" = mkNginxJail "nginx-http-auth" "%(nginx_error_log)s";

      # Probing for well-known scanner paths (from the access log).
      "nginx-botsearch" = mkNginxJail "nginx-botsearch" "%(nginx_access_log)s";

      # Requests NGINX answered with 403 (from the error log).
      "nginx-forbidden" = mkNginxJail "nginx-forbidden" "%(nginx_error_log)s";

      # NOTE(review): this jail is named "nginx-sslerror" but binds the
      # `nginx-bad-request` filter and hands it the error log.  Check that
      # filter's failregex against the log format it is given here: a filter
      # written for access-log lines will never match error-log lines, and the
      # jail would then be enabled but silently ban nothing.
      "nginx-sslerror" = mkNginxJail "nginx-bad-request" "%(nginx_error_log)s";
    };
  };
}