feat: add ddns

2025-05-14 12:33:46 +02:00 · 2025-05-14 12:33:46 +02:00 · 75256cef4f
commit 75256cef4f
parent 8cccf6a2b3
3 changed files with 127 additions and 40 deletions
--- a/machines/moritz-server/reverse-proxy.nix
+++ b/machines/moritz-server/reverse-proxy.nix
@ -0,0 +1,93 @@
+{
+  services.fail2ban = {
+    enable = true;
+    bantime-increment.enable = true;
+    jails = let
+      nginx_error_log = "/var/log/nginx/access.log";
+    in {
+      nginx-botsearch.settings = {
+        enabled = true;
+        port = "http,https";
+        filter = "nginx-botsearch";
+        backend = "auto";
+        logpath = nginx_error_log;
+      };
+      nginx-forbidden.settings = {
+        enabled = true;
+        port = "http,https";
+        filter = "nginx-forbidden";
+        backend = "auto";
+        logpath = nginx_error_log;
+      };
+      nginx-http-auth.settings = {
+        enabled = true;
+        port = "http,https";
+        filter = "nginx-http-auth";
+        backend = "auto";
+        logpath = nginx_error_log;
+      };
+      nginx-4xx.settings = {
+        enabled = true;
+        port = "http,https";
+        filter = "nginx-4xx";
+        backend = "auto";
+        logpath = nginx_error_log;
+      };
+    };
+    ignoreIP = [
+      "192.168.0.0/24"
+    ];
+  };
+  environment.etc = {
+    "fail2ban/filter.d/nginx-4xx.conf".text = ''
+      [Definition]
+      failregex = ^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$
+
+      ignoreregex = .*(robots.txt|favicon.ico|jpg|png)
+
+      journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
+    '';
+  };
+
+  networking.firewall.allowedTCPPorts = [80 443];
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    virtualHosts = {
+      "moritzboeh.me" = {
+        serverAliases = ["*.moritzboeh.me"];
+        locations."/" = {
+          proxyPass = "http://192.168.0.6";
+        };
+      };
+      "moritz.foo" = {
+        locations."/" = {
+          return = "200 'Hello World!'";
+        };
+      };
+    };
+    streamConfig = ''
+      upstream diskstation {
+          server 192.168.0.6:443;
+      }
+
+      upstream self {
+          server 127.0.0.1:443;
+      }
+
+      map $ssl_preread_server_name $name {
+          *.moritz.foo self;
+          moritz.foo self;
+          *.moritzboeh.me diskstation;
+          moritzboeh.me diskstation;
+          default diskstation;
+      }
+
+      server {
+          listen 443;
+          ssl_preread on;
+          proxy_pass $name;
+      }
+    '';
+  };
+}