Compare commits
2 commits
feadbd010b
...
c42316b4f6
Author | SHA1 | Date | |
---|---|---|---|
|
c42316b4f6 | ||
|
649f63f08d |
4 changed files with 49 additions and 15 deletions
|
@ -10,7 +10,13 @@
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
services.openssh.settings.PermitRootLogin = lib.mkDefault "no";
|
services.openssh.settings.PermitRootLogin = lib.mkDefault "no";
|
||||||
|
|
||||||
services.fail2ban.enable = true;
|
services.fail2ban = {
|
||||||
|
enable = true;
|
||||||
|
maxretry = 5;
|
||||||
|
ignoreIP = [
|
||||||
|
"neptune.site.deuxfleurs.fr"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
# Activate nix flakes.
|
# Activate nix flakes.
|
||||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||||||
|
|
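Review bot: The `ignoreIP` entry is a DNS name rather than an address, so the fail2ban exemption follows whatever `neptune.site.deuxfleurs.fr` resolves to when it is looked up. If the record changes or is tampered with, the exemption moves with it, and if the name points at a shared egress address, every client behind it is exempt from banning. Prefer a literal address or CIDR range, or at least document the entry, e.g. `# exempt from bans: <reason>; resolved via DNS, keep the record under our control`. `maxretry = 5` also appears to loosen the limit compared with leaving the option unset (the NixOS default is lower, if I recall correctly), so a short comment on why would help. The enclosing attribute set starts and ends outside the hunk.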
|
@ -13,6 +13,7 @@ in
|
||||||
./gitolite.nix
|
./gitolite.nix
|
||||||
./letsencrypt.nix
|
./letsencrypt.nix
|
||||||
./srv.nix
|
./srv.nix
|
||||||
|
./weechat-relay.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
# Use the GRUB 2 boot loader.
|
# Use the GRUB 2 boot loader.
|
||||||
|
|
|
@ -1,5 +1,8 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
up_dir = /srv/up;
|
||||||
|
in
|
||||||
{
|
{
|
||||||
services.nginx.enable = true;
|
services.nginx.enable = true;
|
||||||
|
|
||||||
|
@ -7,25 +10,29 @@
|
||||||
# in /home. So we need to use a different location.
|
# in /home. So we need to use a different location.
|
||||||
users.users."up" = {
|
users.users."up" = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
home = /srv/up;
|
home = up_dir;
|
||||||
group = config.services.nginx.group;
|
# group = config.services.nginx.group;
|
||||||
createHome = true;
|
group = "nginx";
|
||||||
homeMode = "750";
|
# Unsure why this is broken, but couldn't make things work without
|
||||||
|
# creating the directory by hand.
|
||||||
|
# createHome = true;
|
||||||
|
# homeMode = "750";
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts."srv.isomorphis.me" = {
|
services.nginx.virtualHosts."srv.isomorphis.me" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
root = config.users.users."up".home;
|
root = up_dir;
|
||||||
locations."/" = {
|
locations ={
|
||||||
extraConfig = ''
|
"/" = {
|
||||||
autoindex on;
|
extraConfig = "autoindex on;";
|
||||||
'';
|
};
|
||||||
|
"/.ssh" = {
|
||||||
|
return = "403";
|
||||||
|
};
|
||||||
|
"/i/" = {
|
||||||
|
extraConfig = "autoindex off;";
|
||||||
};
|
};
|
||||||
locations."/i/" = {
|
|
||||||
extraConfig = ''
|
|
||||||
autoindex off;
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
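Review bot: The new `"/.ssh"` location blocks only that one prefix, while `root = up_dir` still serves the rest of the `up` user's home directory. Any other dotfile there (shell history, editor or tool state) therefore remains fetchable by name. A catch-all for hidden paths would be safer, e.g. `"~ /\\." = { return = "403"; };`. As far as I know the ACME challenge location generated by `enableACME` uses a `^~` prefix and would still take precedence, but that is worth confirming. With `createHome` and `homeMode` commented out, the owner and mode of `/srv/up` are no longer declared in the configuration, so the comment above them should state the expected ownership and mode for whoever rebuilds the host by hand.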
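--- a/pastila/weechat-relay.nix
+++ b/pastila/weechat-relay.nix
@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+
+let
+mkProxy = port: {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "http://localhost:" + builtins.toString port + "/weechat";
+proxyWebsockets = true;
+extraConfig = ''
+proxy_read_timeout 604800; # Prevent idle disconnects
+proxy_set_header X-Real-IP $remote_addr; # Let WeeChat see the client's IP
+'';
+};
+};
+in
+{
+services.nginx.enable = true;
+services.nginx.virtualHosts."relayjq.isomorphis.me" = mkProxy 9001;
+}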
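Review bot: `mkProxy` forwards to `http://localhost:9001/weechat` in clear text, and nothing in this file shows that the relay itself listens only on loopback. If it listens on all interfaces, port 9001 is reachable without the TLS that `forceSSL` enforces on the virtual host. A comment on `mkProxy` should record the assumption, e.g. `# relay must bind to 127.0.0.1 only (WeeChat relay.network.bind_address) and 9001 must stay closed in the firewall`. Writing `127.0.0.1` instead of `localhost` in `proxyPass` would also avoid nginx trying an IPv6 address the relay may not be listening on. The week-long `proxy_read_timeout` is understandable for a chat relay, but it means authentication and rate limiting rest entirely on WeeChat, since the fail2ban setup in this change set does not visibly cover this endpoint.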