diff --git a/flake.nix b/flake.nix index 15ff61b..f247136 100644 --- a/flake.nix +++ b/flake.nix @@ -37,6 +37,7 @@ kp2pml30.server = { hostname = "kp2pml30.moe"; + nginx = true; }; } diff --git a/nix/hardware/server.nix b/nix/hardware/server.nix index 5c074de..1be50df 100644 --- a/nix/hardware/server.nix +++ b/nix/hardware/server.nix @@ -35,8 +35,6 @@ boot = { loader.grub = { enable = true; - #efiSupport = true; - #efiInstallAsRemovable = true; devices = [ "/dev/vda" ]; }; }; diff --git a/nix/server/default.nix b/nix/server/default.nix index 2e66211..8315675 100644 --- a/nix/server/default.nix +++ b/nix/server/default.nix @@ -17,12 +17,17 @@ in { }; nginx = lib.mkEnableOption ""; + + sitePath = lib.mkOption { + type = lib.types.str; + }; }; imports = [ ./ssh.nix ./nginx.nix ./boot.nix + ./site.nix ]; config = { diff --git a/nix/server/nginx.nix b/nix/server/nginx.nix index b9b5d4b..a65ce2b 100644 --- a/nix/server/nginx.nix +++ b/nix/server/nginx.nix @@ -5,13 +5,16 @@ }: let cfg = config.kp2pml30.server; + acmeRoot = "/var/lib/acme/acme-challenge"; in lib.mkIf cfg.nginx { security.acme = { acceptTerms = true; + maxConcurrentRenewals = 1; defaults.email = "kp2pml30@gmail.com"; + #defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; certs."${cfg.hostname}" = { - serverAliases = [ "*.${cfg.hostname}" ]; - webroot = "/var/lib/acme/.challenges"; + extraDomainNames = [ "pr.${cfg.hostname}" "www.${cfg.hostname}" ]; + webroot = acmeRoot; group = "nginx"; }; }; @@ -21,15 +24,17 @@ in lib.mkIf cfg.nginx { virtualHosts."${cfg.hostname}" = { addSSL = true; + # forceSSL = true; enableACME = true; + acmeRoot = acmeRoot; + listen = [ - { port = 80; } + { addr = "0.0.0.0"; port = 80; } + { addr = "0.0.0.0"; port = 444; ssl = true; } ]; - locations."/.well-known/acme-challenge/" = { - root = "/var/lib/acme/.challenges"; - }; + locations."/" = { - return = 404; + root = cfg.sitePath; }; }; 
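Review bot: The new `sitePath` option in `nix/server/default.nix` carries no `description`, so the generated module documentation and `nixos-option` show an undocumented, required string with no hint of who sets it. Since the only value ever assigned to it (in `site.nix`) is a store path that is consumed as a directory root, `lib.types.path` states the contract better than `str`; I would write `sitePath = lib.mkOption { type = lib.types.path; description = "Directory served as the document root of the main nginx virtual host; set by site.nix."; };`. The option set and the `config` block both continue outside the hunk.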
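Review bot: In the first `nix/server/nginx.nix` hunk, `extraDomainNames` adds `www.${cfg.hostname}` to the certificate, but no virtual host in this module answers for that name, so the http-01 challenge for it only succeeds while the `${cfg.hostname}` vhost happens to be nginx's default server on port 80; adding any other vhost later would presumably break renewal of that SAN without an obvious error. Either add `serverAliases = [ "www.${cfg.hostname}" ];` to the vhost or drop the name from the certificate. The commented `#defaults.server` staging URL also deserves a one-line explanation, e.g. `# Uncomment to issue against the Let's Encrypt staging CA while debugging, to stay under the production rate limit.`, so it is not mistaken for dead configuration.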
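Review bot: In the second `nix/server/nginx.nix` hunk, `forceSSL` is left commented out and only `addSSL = true` remains, so the site is served in the clear on `0.0.0.0:80` with no redirect and no HSTS; the reason is presumably that `stream.nginx` in this same commit terminates TLS on 443 and forwards the decrypted stream to `127.0.0.1:80`, so enabling `forceSSL` would make the proxied requests loop through the redirect. The cleaner shape is a second virtual host bound only to a loopback listener (e.g. `{ addr = "127.0.0.1"; port = 8080; }`) that the stream `self` upstream targets, which lets the public vhost use `forceSSL = true;` again. The new `{ addr = "0.0.0.0"; port = 444; ssl = true; }` entry exposes a second public TLS endpoint; if it only exists for the stream proxy or for testing, bind it to `127.0.0.1`. Pinning `addr = "0.0.0.0"` instead of relying on the module's default listen addresses also drops any IPv6 listener the previous `{ port = 80; }` entry may have had. The vhost definition continues outside the hunk.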
diff --git a/nix/server/site.nix b/nix/server/site.nix new file mode 100644 index 0000000..96b4826 --- /dev/null +++ b/nix/server/site.nix @@ -0,0 +1,16 @@ +{ config +, pkgs +, lib +, ... +}@args: +let + cfg = config.kp2pml30.server; + src = builtins.fetchGit { + url = "https://github.com/kp2pml30/kp2pml30.github.io.git"; + rev = "0a887a1cd439c93efbe7d46c158102387b6fc470"; + }; + pack = (import "${src}/release.nix" args); +in lib.mkIf cfg.nginx { + environment.systemPackages = [ pack ]; + kp2pml30.server.sitePath = pack.outPath; +} diff --git a/nix/server/ssh.nix b/nix/server/ssh.nix index b40fe6a..c324122 100644 --- a/nix/server/ssh.nix +++ b/nix/server/ssh.nix @@ -17,4 +17,14 @@ in { AllowUsers = [ cfg.username ]; }; }; + + services.fail2ban = { + enable = true; + maxretry = 5; + bantime = "168h"; + bantime-increment = { + enable = true; + formula = "ban.Time * ban.Time"; + }; + }; } diff --git a/nix/server/stream.nginx b/nix/server/stream.nginx index 49320b4..3b6c002 100644 --- a/nix/server/stream.nginx +++ b/nix/server/stream.nginx @@ -77,10 +77,29 @@ upstream deny { server 127.0.0.1:9; } -server { - listen 443; - proxy_pass $name; - ssl_preread on; - error_log /dev/null; - access_log off; +upstream self { + server 127.0.0.1:80; +} + +server { + listen 443 ssl; + server_name pr.kp2pml30.moe; + proxy_pass $name; + ssl_preread on; + + ssl_certificate /var/lib/acme/kp2pml30.moe/fullchain.pem; + ssl_certificate_key /var/lib/acme/kp2pml30.moe/key.pem; + ssl_trusted_certificate /var/lib/acme/kp2pml30.moe/chain.pem; +} + +server { + listen 443 ssl; + server_name kp2pml30.moe; + error_log /tmp/err.nginx debug; + + proxy_pass self; + + ssl_certificate /var/lib/acme/kp2pml30.moe/fullchain.pem; + ssl_certificate_key /var/lib/acme/kp2pml30.moe/key.pem; + ssl_trusted_certificate /var/lib/acme/kp2pml30.moe/chain.pem; }
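Review bot: `nix/server/site.nix` pins the site repository with `builtins.fetchGit` by full commit `rev`, which is the right kind of pin, but without `ref` or `allRefs = true` the fetch only finds the commit if it is reachable from the default branch, so a later rebase or branch move on that repository breaks evaluation of the server configuration. Since this repository is already a flake, the pin would be more robust and auditable as a flake input recorded in `flake.lock` (with its `narHash`) and passed in via the module arguments. `import "${src}/release.nix" args` evaluates Nix code from the fetched repository with the full module argument set, so a short comment stating that only the pinned commit is trusted, and why `environment.systemPackages = [ pack ]` is needed in addition to `sitePath` (it looks redundant, as the vhost root already depends on `pack`), would help the next reader.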
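Review bot: In `nix/server/ssh.nix`, `bantime-increment.formula = "ban.Time * ban.Time"` squares the current ban length in seconds; with `bantime = "168h"` (604800 s) the first increment is roughly 3.7e11 s, so the effective escalation is decided entirely by `bantime-increment.maxtime`, which the hunk does not set, rather than by the formula. If the intent is exponential escalation, fail2ban's default formula already doubles the ban per repeat offence; I would drop the custom `formula` and make the cap explicit, e.g. `bantime-increment = { enable = true; maxtime = "720h"; };`, with a comment noting the base ban already lasts a week. An `ignoreIP` entry for the management source address is also worth adding so a few mistyped passwords cannot lock out SSH administration for that long. The enclosing `in { ... }` attrset starts outside the hunk.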
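Review bot: `error_log /tmp/err.nginx debug;` in the `kp2pml30.moe` stream server of `nix/server/stream.nginx` writes a debug-level log of a TLS-terminating block into a world-writable directory under a fixed name, which any local user can pre-create or symlink before nginx starts; it reads like a leftover from debugging this hop and should be removed or pointed at the managed log directory at a normal level, e.g. `error_log /var/log/nginx/stream.log warn;`. In the `pr.kp2pml30.moe` server, `listen 443 ssl` combined with `ssl_preread on` is suspicious: `ssl_preread` extracts the server name from the unencrypted ClientHello, and once nginx terminates TLS on that listener the preread variables are, as far as I can tell, no longer populated, so whatever `$name` maps from (defined outside the hunk) may fall through to the `deny` upstream; `$ssl_server_name` is the variable to map on for a terminating listener. `ssl_trusted_certificate` in both servers has no effect unless `ssl_stapling on;` (or client verification) is also configured, so either add stapling or drop those lines.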