clan/machines/moritz-server/reverse-proxy.nix
2025-05-14 12:33:46 +02:00


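{
  # fail2ban in front of nginx.
  #
  # nginx's access log and error log have different formats, and the stock
  # fail2ban filters are written against one or the other:
  #   - nginx-botsearch and the custom nginx-4xx filter below match
  #     access-log lines (`<HOST> - user [time] "GET /..." 404 ...`);
  #   - nginx-http-auth and nginx-forbidden match error-log lines
  #     (`[error] ... client: <HOST>, server: ...`).
  # By default NixOS writes the access log to /var/log/nginx/access.log and
  # sends the error log to stderr, i.e. the journal (check
  # services.nginx.logError if that was changed). Pointing every jail at the
  # access log file therefore leaves the error-log jails silently matching
  # nothing, so those two read the journal through their filters' built-in
  # journalmatch instead. Confirm each filter really matches with e.g.
  #   fail2ban-regex /var/log/nginx/access.log nginx-4xx
  #   fail2ban-regex systemd-journal nginx-http-auth
  services.fail2ban = {
    enable = true;
    bantime-increment.enable = true;
    jails = let
      # NixOS default path of the nginx access log.
      nginx_access_log = "/var/log/nginx/access.log";

      # Jail settings for a filter that parses access-log lines from the file.
      accessLogJail = filter: {
        enabled = true;
        port = "http,https";
        inherit filter;
        backend = "auto";
        logpath = nginx_access_log;
      };

      # Jail settings for a filter that parses error-log lines; nginx's error
      # log goes to the journal here, so use the systemd backend and let the
      # filter's journalmatch select nginx.service.
      errorLogJail = filter: {
        enabled = true;
        port = "http,https";
        inherit filter;
        backend = "systemd";
      };
    in {
      nginx-botsearch.settings = accessLogJail "nginx-botsearch";
      # NOTE(review): this bans on repeated 400/403/404/444 from ANY client,
      # so a legitimate user of a site with many 404s can trip it; tune
      # maxretry/findtime for this jail if that turns out to be a problem.
      nginx-4xx.settings = accessLogJail "nginx-4xx";
      nginx-forbidden.settings = errorLogJail "nginx-forbidden";
      nginx-http-auth.settings = errorLogJail "nginx-http-auth";
    };
    # Never ban hosts on the LAN.
    ignoreIP = [ "192.168.0.0/24" ];
  };

  environment.etc = {
    # Custom filter: clients that repeatedly get 4xx responses in the access
    # log. <HOST> is anchored at the start of the line, i.e. the remote
    # address nginx itself saw; this is only the real client for connections
    # nginx terminates directly, not for traffic behind another proxy.
    "fail2ban/filter.d/nginx-4xx.conf".text = ''
      [Definition]
      failregex = ^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$
      ignoreregex = .*(robots.txt|favicon.ico|jpg|png)
      journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
    '';
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts = {
      # Plain-HTTP front (port 80) for the NAS, covering every subdomain.
      # NOTE(review): nothing in this file enables TLS for this host, so
      # port-80 requests are forwarded unencrypted and never redirected to
      # HTTPS; HTTPS for this name is handled by the SNI passthrough below.
      "moritzboeh.me" = {
        serverAliases = [ "*.moritzboeh.me" ];
        locations."/".proxyPass = "http://192.168.0.6";
      };
      "moritz.foo" = {
        locations."/".return = "200 'Hello World!'";
      };
    };

    # TLS passthrough on :443, routed by the SNI name. nginx never decrypts
    # these connections, so the fail2ban jails above only ever see port-80
    # traffic, and the NAS sees this host's address as the TCP peer.
    #
    # NOTE(review): `self` forwards to 127.0.0.1:443, but no virtualHost in
    # this file enables TLS, so no HTTP listener on 127.0.0.1:443 is visible
    # here — and the stream `listen 443` below binds 0.0.0.0:443 itself.
    # Unless another module provides a listener on a different address/port,
    # moritz.foo connections would be proxied back into this stream server.
    # Verify with `ss -ltnp | grep 443` on the host.
    #
    # NOTE(review): `default diskstation` sends every TLS connection with an
    # unknown or missing SNI (IP-address scanners included) to the NAS.
    # Consider routing `default` to a closed port, e.g. a `server 127.0.0.1:1`
    # upstream, so only the listed names reach it.
    streamConfig = ''
      upstream diskstation {
        server 192.168.0.6:443;
      }
      upstream self {
        server 127.0.0.1:443;
      }
      map $ssl_preread_server_name $name {
        *.moritz.foo self;
        moritz.foo self;
        *.moritzboeh.me diskstation;
        moritzboeh.me diskstation;
        default diskstation;
      }
      server {
        listen 443;
        ssl_preread on;
        proxy_pass $name;
      }
    '';
  };
}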