server enhancements

This commit is contained in:
kp2pml30 2025-01-27 01:16:41 +04:00
parent 95f65d9c03
commit a5dfa8c3f8
7 changed files with 69 additions and 15 deletions


@ -37,6 +37,7 @@
kp2pml30.server = {
hostname = "kp2pml30.moe";
nginx = true;
};
}


@ -35,8 +35,6 @@
boot = {
loader.grub = {
enable = true;
#efiSupport = true;
#efiInstallAsRemovable = true;
devices = [ "/dev/vda" ];
};
};


@ -17,12 +17,17 @@ in {
};
nginx = lib.mkEnableOption "";
sitePath = lib.mkOption {
type = lib.types.str;
};
};
imports = [
./ssh.nix
./nginx.nix
./boot.nix
./site.nix
];
config = {
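Review bot: The new `sitePath` option at L35–L37 carries no `description`, and the `nginx` option beside it is declared with `lib.mkEnableOption ""`, so generated option docs show nothing for either. Add `description = "Store path of the static site that nginx serves as its document root.";` to `sitePath` and give the enable option a real string, e.g. `lib.mkEnableOption "nginx with ACME certificates and the static site"`. `lib.types.path` would also fit `sitePath` better than `str`, since the value is used as a filesystem root and the only assignment in this commit is a store path — keep `str` only if other string values are intended. The option set begins before this hunk and the `config` attrset continues after it.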


@ -5,13 +5,16 @@
}:
let
cfg = config.kp2pml30.server;
acmeRoot = "/var/lib/acme/acme-challenge";
in lib.mkIf cfg.nginx {
security.acme = {
acceptTerms = true;
maxConcurrentRenewals = 1;
defaults.email = "kp2pml30@gmail.com";
#defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
certs."${cfg.hostname}" = {
serverAliases = [ "*.${cfg.hostname}" ];
webroot = "/var/lib/acme/.challenges";
extraDomainNames = [ "pr.${cfg.hostname}" "www.${cfg.hostname}" ];
webroot = acmeRoot;
group = "nginx";
};
};
@ -21,15 +24,17 @@ in lib.mkIf cfg.nginx {
virtualHosts."${cfg.hostname}" = {
addSSL = true;
# forceSSL = true;
enableACME = true;
acmeRoot = acmeRoot;
listen = [
{ port = 80; }
{ addr = "0.0.0.0"; port = 80; }
{ addr = "0.0.0.0"; port = 444; ssl = true; }
];
locations."/.well-known/acme-challenge/" = {
root = "/var/lib/acme/.challenges";
};
locations."/" = {
return = 404;
root = cfg.sitePath;
};
};
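Review bot: The vhost at L69–L78 keeps `addSSL = true` with `forceSSL` commented out and listens for plain HTTP on `0.0.0.0:80`, so everything under `cfg.sitePath` is also served unencrypted and never redirected to HTTPS. If the stream-layer listener on 443 in the other changed file is what hands decrypted traffic to 127.0.0.1:80, a redirect on this port would loop, which is presumably why `forceSSL` is off; a cleaner split is a second, loopback-only virtualHost for the stream backend (e.g. `listen = [ { addr = "127.0.0.1"; port = 8080; } ]` with the stream `upstream` pointed at it) so the public port-80 vhost can set `forceSSL = true` and keep only the ACME challenge path. Whichever is chosen, the reason deserves a comment above the `listen` list, e.g. `# forceSSL is off: the stream proxy on 443 forwards decrypted traffic to port 80, so a redirect here would loop`. The `let` binding and the `in lib.mkIf cfg.nginx` wrapper start before the first hunk.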

nix/server/site.nix Normal file

@ -0,0 +1,16 @@
{ config
, pkgs
, lib
, ...
}@args:
let
cfg = config.kp2pml30.server;
src = builtins.fetchGit {
url = "https://github.com/kp2pml30/kp2pml30.github.io.git";
rev = "0a887a1cd439c93efbe7d46c158102387b6fc470";
};
pack = (import "${src}/release.nix" args);
in lib.mkIf cfg.nginx {
environment.systemPackages = [ pack ];
kp2pml30.server.sitePath = pack.outPath;
}
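Review bot: `builtins.fetchGit` at L100–L103 pins `rev` but gives no `ref`; Nix resolves a bare `rev` only when that commit is reachable from the repository's default branch, so a force-push or branch rename on the site repo turns this into an evaluation failure. Keep the commit pin — it is what makes the fetched `release.nix` safe to `import` with the module's full `args` — and make the constraint explicit with `ref = "<default-branch>";` or `allRefs = true;` beside it. `environment.systemPackages = [ pack ]` at L106 also looks unnecessary: `kp2pml30.server.sitePath = pack.outPath` should already root the store path through the generated nginx configuration, and the extra line installs the site's files into the system profile for no visible benefit. A short header comment would help the next reader, e.g. `# Static site content, pinned to one commit of kp2pml30.github.io; bump rev to deploy a new version.`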


@ -17,4 +17,14 @@ in {
AllowUsers = [ cfg.username ];
};
};
services.fail2ban = {
enable = true;
maxretry = 5;
bantime = "168h";
bantime-increment = {
enable = true;
formula = "ban.Time * ban.Time";
};
};
}
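Review bot: `bantime-increment.formula = "ban.Time * ban.Time"` at L122 together with `bantime = "168h"` at L119 squares a 604800-second ban on the first repeat, i.e. on the order of 10^11 seconds — effectively permanent — and there is no `bantime-increment.maxtime` cap and no `ignoreIP` list, so a few mistyped passwords from the administrator's own address after an earlier ban lock that address out for good. If the goal is fast escalation with a bound, leave the formula at fail2ban's default (which doubles per repeat up to a fixed count) and add `bantime-increment.maxtime = "<cap>";` plus `ignoreIP = [ "<trusted management network>" ];`. Either way the choice should be recorded, e.g. `# 168h base ban; repeat offenders escalate via bantime-increment`. The enclosing module attrset begins before this hunk.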


@ -77,10 +77,29 @@ upstream deny {
server 127.0.0.1:9;
}
server {
listen 443;
proxy_pass $name;
ssl_preread on;
error_log /dev/null;
access_log off;
upstream self {
server 127.0.0.1:80;
}
server {
listen 443 ssl;
server_name pr.kp2pml30.moe;
proxy_pass $name;
ssl_preread on;
ssl_certificate /var/lib/acme/kp2pml30.moe/fullchain.pem;
ssl_certificate_key /var/lib/acme/kp2pml30.moe/key.pem;
ssl_trusted_certificate /var/lib/acme/kp2pml30.moe/chain.pem;
}
server {
listen 443 ssl;
server_name kp2pml30.moe;
error_log /tmp/err.nginx debug;
proxy_pass self;
ssl_certificate /var/lib/acme/kp2pml30.moe/fullchain.pem;
ssl_certificate_key /var/lib/acme/kp2pml30.moe/key.pem;
ssl_trusted_certificate /var/lib/acme/kp2pml30.moe/chain.pem;
}
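Review bot: `error_log /tmp/err.nginx debug;` at L153 looks like a leftover from debugging the new `kp2pml30.moe` listener: `debug` level records every handshake and connection detail of a production TLS endpoint, and it writes those client details to a world-writable directory instead of the service's log location. Drop the line so the global `error_log` applies, or if a per-server log is wanted use the normal location and level, `error_log /var/log/nginx/stream-error.log warn;`. Two smaller points: `ssl_preread on;` at L145 exists for passing TLS through unterminated, so on a server that also says `listen 443 ssl;` it presumably no longer sees a ClientHello and the `$name` it feeds may be empty — confirm it is still needed on the `pr.` server — and the `ssl_certificate*` paths repeat the hostname literally where the Nix side derives it from `cfg.hostname`. The enclosing `stream` context and the map that defines `$name` start before this hunk.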