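{
  # Edge host: fail2ban watching nginx, an HTTP reverse proxy for
  # moritzboeh.me, and a TLS SNI-based stream router on port 443.
  services.fail2ban = {
    enable = true;
    # Repeat offenders receive progressively longer bans.
    bantime-increment.enable = true;

    jails =
      let
        # nginx request (access) log. Renamed from "nginx_error_log": the
        # path is the access log, and the name hid the mismatch with the
        # filters that expect error-log lines (see notes below).
        nginx_access_log = "/var/log/nginx/access.log";
      in
      {
        nginx-botsearch.settings = {
          enabled = true;
          port = "http,https";
          filter = "nginx-botsearch";
          backend = "auto";
          logpath = nginx_access_log;
        };

        nginx-forbidden.settings = {
          enabled = true;
          port = "http,https";
          filter = "nginx-forbidden";
          backend = "auto";
          # NOTE(review): the stock nginx-forbidden filter presumably matches
          # nginx *error*-log lines, so pointing it at the access log likely
          # never matches -- confirm, and either point it at the error log or
          # use the systemd backend with a journalmatch.
          logpath = nginx_access_log;
        };

        nginx-http-auth.settings = {
          enabled = true;
          port = "http,https";
          filter = "nginx-http-auth";
          backend = "auto";
          # NOTE(review): same caveat as nginx-forbidden -- nginx-http-auth
          # presumably parses error-log ("user ... was not found" /
          # "password mismatch") lines, not access-log lines; confirm.
          logpath = nginx_access_log;
        };

        nginx-4xx.settings = {
          enabled = true;
          port = "http,https";
          filter = "nginx-4xx";
          backend = "auto";
          logpath = nginx_access_log;
        };
      };

    # Never ban the local network. (Loopback is not listed here; confirm the
    # NixOS module adds it to the DEFAULT ignoreip, or add it explicitly.)
    ignoreIP = [ "192.168.0.0/24" ];
  };

  environment.etc = {
    # Custom filter used by the nginx-4xx jail above: ban clients that
    # produce 400/403/404/444 responses in the access log.
    "fail2ban/filter.d/nginx-4xx.conf".text = ''
      [Definition]
      # fail2ban requires a <HOST> group in every failregex (the previous
      # pattern had none, so the filter could not be loaded). In the default
      # combined log format the client address is the first field.
      failregex = ^<HOST> .*"(GET|POST|HEAD).*" (400|403|404|444) .*$
      # Dots escaped: "robots.txt" previously also matched "robotsXtxt", and
      # a bare "jpg" matched anywhere in the line.
      ignoreregex = .*(robots\.txt|favicon\.ico|\.jpg|\.png)
      # Only consulted when the jail uses the systemd backend.
      journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
    '';
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;

    virtualHosts = {
      # Plain-HTTP reverse proxy to the NAS on the LAN.
      "moritzboeh.me" = {
        serverAliases = [ "*.moritzboeh.me" ];
        locations."/" = {
          proxyPass = "http://192.168.0.6";
        };
      };
      "moritz.foo" = {
        locations."/" = {
          return = "200 'Hello World!'";
        };
      };
    };

    # TLS passthrough: route by SNI without terminating TLS here.
    streamConfig = ''
      upstream diskstation {
        server 192.168.0.6:443;
      }
      # NOTE(review): neither virtual host above enables TLS, so nothing in
      # the http block appears to listen on 443; "self" then points back at
      # this stream listener, which would loop connections for moritz.foo.
      # Confirm which local port should serve moritz.foo over TLS.
      upstream self {
        server 127.0.0.1:443;
      }
      map $ssl_preread_server_name $name {
        # Without "hostnames", "*.example" entries are literal strings and
        # never match a real wildcard subdomain.
        hostnames;
        *.moritz.foo    self;
        moritz.foo      self;
        *.moritzboeh.me diskstation;
        moritzboeh.me   diskstation;
        default         diskstation;
      }
      server {
        listen 443;
        ssl_preread on;
        proxy_pass $name;
      }
    '';
  };
}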