clan/machines/moritz-server/reverse-proxy.nix

{config, ...}: {
  services.fail2ban = {
    enable = true;
    bantime-increment.enable = true;
    jails = let
      nginx_error_log = "/var/log/nginx/access.log";
    in {
      nginx-botsearch.settings = {
        enabled = true;
        port = "http,https";
        filter = "nginx-botsearch";
        backend = "auto";
        logpath = nginx_error_log;
      };
      nginx-forbidden.settings = {
        enabled = true;
        port = "http,https";
        filter = "nginx-forbidden";
        backend = "auto";
        logpath = nginx_error_log;
      };
      nginx-http-auth.settings = {
        enabled = true;
        port = "http,https";
        filter = "nginx-http-auth";
        backend = "auto";
        logpath = nginx_error_log;
      };
      nginx-4xx.settings = {
        enabled = true;
        port = "http,https";
        filter = "nginx-4xx";
        backend = "auto";
        logpath = nginx_error_log;
      };
    };
    ignoreIP = [
      "192.168.0.0/24"
    ];
  };
  environment.etc = {
    "fail2ban/filter.d/nginx-4xx.conf".text = ''
      [Definition]
      failregex = ^<HOST>.*"(GET|POST).*" (404|444|403|400) .*$

      ignoreregex = .*(robots.txt|favicon.ico|jpg|png)

      journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
    '';
  };

  networking.firewall.allowedTCPPorts = [80 1443 443];
  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts = {
      "moritzboeh.me" = {
        serverAliases = ["*.moritzboeh.me"];
        locations."/" = {
          proxyPass = "http://192.168.0.6";
        };
      };
      "moritz.foo" = {
        forceSSL = true;
        useACMEHost = "moritz.foo";
        locations."/" = {
          return = "301 https://www.moritz.foo";
        };
      };
      "www.moritz.foo" = {
        forceSSL = true;
        useACMEHost = "any.moritz.foo";
        locations."/" = {
          extraConfig = ''
            add_header Content-Type text/html;
          '';
          return = "200 '<html><body>Hello World</body></html>'";
        };
      };
    };
    streamConfig = ''
      upstream diskstation {
          server 192.168.0.6:443;
      }

      upstream self {
          server 127.0.0.1:443;
      }

      map $ssl_preread_server_name $name {
          hostnames;
          .moritz.foo self;
          .moritzboeh.me diskstation;
      }

      server {
          listen 1443;
          ssl_preread on;
          proxy_pass $name;
      }
    '';
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "acme@moritzboeh.me";
    defaults.dnsResolver = "1.1.1.1:53";
    certs."moritz.foo" = {
      dnsProvider = "cloudflare";
      group = "nginx";
      environmentFile = config.clan.core.vars.generators.acme.files.vars.path;
    };
    certs."any.moritz.foo" = {
      domain = "*.moritz.foo";
      dnsProvider = "cloudflare";
      group = "nginx";
      environmentFile = config.clan.core.vars.generators.acme.files.vars.path;
    };
  };
  clan.core.vars.generators.acme.prompts.vars = {
    persist = true;
    type = "multiline";
  };
}