server enhancements

flake.nix

@@ -37,6 +37,7 @@
 
 							kp2pml30.server = {
 								hostname = "kp2pml30.moe";
+								nginx = true;
 							};
 						}
 

nix/hardware/server.nix

@@ -35,8 +35,6 @@
 	boot = {
 		loader.grub = {
 			enable = true;
-			#efiSupport = true;
-			#efiInstallAsRemovable = true;
 			devices = [ "/dev/vda" ];
 		};
 	};

nix/server/default.nix

@@ -17,12 +17,17 @@ in {
 		};
 
 		nginx = lib.mkEnableOption "";
+
+		sitePath = lib.mkOption {
+			type = lib.types.str;
+		};
 	};
 
 	imports =  [
 		./ssh.nix
 		./nginx.nix
 		./boot.nix
+		./site.nix
 	];
 
 	config = {

nix/server/nginx.nix

@@ -5,13 +5,16 @@
 }:
 let
 	cfg = config.kp2pml30.server;
+	acmeRoot = "/var/lib/acme/acme-challenge";
 in lib.mkIf cfg.nginx {
 	security.acme = {
 		acceptTerms = true;
+		maxConcurrentRenewals = 1;
 		defaults.email = "kp2pml30@gmail.com";
+		#defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
 		certs."${cfg.hostname}" = {
-			serverAliases = [ "*.${cfg.hostname}" ];
+			extraDomainNames = [ "pr.${cfg.hostname}" "www.${cfg.hostname}" ];
-			webroot = "/var/lib/acme/.challenges";
+			webroot = acmeRoot;
 			group = "nginx";
 		};
 	};
@@ -21,15 +24,17 @@ in lib.mkIf cfg.nginx {
 
 		virtualHosts."${cfg.hostname}" = {
 			addSSL = true;
+			# forceSSL = true;
 			enableACME = true;
+			acmeRoot = acmeRoot;
+
 			listen = [
-				{ port = 80; }
+				{ addr = "0.0.0.0"; port = 80; }
+				{ addr = "0.0.0.0"; port = 444; ssl = true; }
 			];
-			locations."/.well-known/acme-challenge/" = {
+
-				root = "/var/lib/acme/.challenges";
-			};
 			locations."/" = {
-				return = 404;
+				root = cfg.sitePath;
 			};
 		};
 

nix/server/site.nix

@@ -0,0 +1,16 @@
+{ config
+, pkgs
+, lib
+, ...
+}@args:
+let
+	cfg = config.kp2pml30.server;
+	src = builtins.fetchGit {
+		url = "https://github.com/kp2pml30/kp2pml30.github.io.git";
+		rev = "0a887a1cd439c93efbe7d46c158102387b6fc470";
+	};
+	pack = (import "${src}/release.nix" args);
+in lib.mkIf cfg.nginx {
+	environment.systemPackages = [ pack ];
+	kp2pml30.server.sitePath = pack.outPath;
+}

nix/server/ssh.nix

@@ -17,4 +17,14 @@ in {
 			AllowUsers = [ cfg.username ];
 		};
 	};
+
+	services.fail2ban = {
+		enable = true;
+		maxretry = 5;
+		bantime = "168h";
+		bantime-increment = {
+			enable = true;
+			formula = "ban.Time * ban.Time";
+		};
+	};
 }

nix/server/stream.nginx

@@ -77,10 +77,29 @@ upstream deny {
 	server 127.0.0.1:9;
 }
 
-server {
+upstream self {
-	listen                443;
+	server 127.0.0.1:80;
-	proxy_pass            $name;
+}
-	ssl_preread           on;
+
-	error_log             /dev/null;
+server {
-	access_log            off;
+	listen          443 ssl;
+	server_name     pr.kp2pml30.moe;
+	proxy_pass      $name;
+	ssl_preread     on;
+
+	ssl_certificate         /var/lib/acme/kp2pml30.moe/fullchain.pem;
+	ssl_certificate_key     /var/lib/acme/kp2pml30.moe/key.pem;
+	ssl_trusted_certificate /var/lib/acme/kp2pml30.moe/chain.pem;
+}
+
+server {
+	listen 443 ssl;
+	server_name kp2pml30.moe;
+	error_log   /tmp/err.nginx debug;
+
+	proxy_pass self;
+
+	ssl_certificate         /var/lib/acme/kp2pml30.moe/fullchain.pem;
+	ssl_certificate_key     /var/lib/acme/kp2pml30.moe/key.pem;
+	ssl_trusted_certificate /var/lib/acme/kp2pml30.moe/chain.pem;
 }