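{...}: {
  # Host configuration for twoha.cc: key-only sshd on a non-standard port,
  # fail2ban watching the nginx access log, Forgejo behind nginx, and a
  # wildcard certificate obtained via Porkbun DNS-01.  Every public service
  # is terminated by nginx; backends are expected to listen on loopback only.

  services.openssh = {
    enable = true;

    # Non-standard port.  services.openssh.openFirewall (default true) already
    # opens it; the explicit entry in allowedTCPPorts below is redundant but
    # harmless.
    ports = [2291];

    # Extra authorized_keys location.  NixOS *appends* this to its defaults
    # (/etc/ssh/authorized_keys.d/%u and %h/.ssh/authorized_keys), so the
    # usual locations keep working -- Forgejo's SSH cloning relies on that.
    # sshd's StrictModes still applies: the file and every directory above it
    # must be owned by the user and not group/world writable.
    authorizedKeysFiles = ["%h/.local/ssh/authorized_keys"];

    settings = {
      PasswordAuthentication = false;
      # PasswordAuthentication=no alone does NOT block password logins on
      # NixOS: keyboard-interactive (PAM) authentication is enabled by default
      # and still prompts for the account password.  Both must be off for
      # the server to be genuinely key-only.
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "no";
    };
  };

  # 80 is only needed for the forceSSL redirect (ACME below uses DNS-01, not
  # HTTP-01).  These rules apply to every interface, tailscale0 included.
  networking.firewall.allowedTCPPorts = [2291 80 443];

  services.fail2ban = {
    enable = true;
    # NOTE(review): NixOS also enables an sshd jail by default; check
    # `fail2ban-client status` that it picked up port 2291.  If the box is
    # administered over Tailscale, consider ignoreIP = ["100.64.0.0/10"] so
    # a burst of 4xx from the admin's own browser cannot lock them out.
    jails = {
      "nginx".settings = {
        filter = "nginx-4";
        logpath = "/var/log/nginx/access.log";
        backend = "auto";
        # Eight 4xx responses from one address within two minutes -> ten
        # minute ban.
        maxretry = 8;
        bantime = 600;
        findtime = 120;
      };
    };
  };

  # Custom filter: count every 4xx in the combined access log against the
  # client address.  Things a maintainer should know:
  #  * nginx is the edge here, so $remote_addr (<HOST>) is the real client.
  #    If a CDN or proxy is ever put in front, <HOST> becomes the proxy's
  #    address and the jail bans *it*; the real client header must be used
  #    instead.
  #  * The catch-all vhosts below answer 401 to everything, so scanners are
  #    banned quickly -- but so is any legitimate client that produces eight
  #    misses (missing favicon/assets, typos) in two minutes, and everyone
  #    behind the same NAT address shares the ban.
  #  * "- -" hard-codes an empty $remote_user; lines carrying a basic-auth
  #    user name do not match.
  environment.etc."fail2ban/filter.d/nginx-4.conf".text = ''
    [Definition]
    failregex = ^<HOST> - - \[.*\] \".*\" (4..).+$
  '';

  services.qemuGuest.enable = true;

  services.forgejo = {
    enable = true;
    database.type = "sqlite3";
    settings = {
      DEFAULT.APP_NAME = "g.twoha.cc";
      server = {
        DOMAIN = "g.twoha.cc";
        ROOT_URL = "https://g.twoha.cc";
        # Bind to loopback only: nginx is the sole intended client.  Without
        # this Forgejo listens on every interface and only the firewall keeps
        # port 3333 private.
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 3333;
        LANDING_PAGE = "explore";
        # NOTE(review): sshd listens on 2291; confirm the SSH clone URLs
        # Forgejo displays carry that port (server.SSH_PORT) rather than 22.
      };
      # No self-service accounts; the public can browse (LANDING_PAGE=explore)
      # but not sign up.
      service.DISABLE_REGISTRATION = true;
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "admin+acme@twoha.cc";
    certs."twoha.cc" = {
      # Wildcard names are only issuable through DNS-01.
      dnsProvider = "porkbun";
      # Read by systemd as EnvironmentFile; expected to hold PORKBUN_API_KEY
      # and PORKBUN_SECRET_API_KEY.  That key pair can change every record on
      # the Porkbun account (not just _acme-challenge), so keep the file
      # root:root 0600 and never inline it here -- anything in this file ends
      # up world-readable in the Nix store.
      environmentFile = "/root/porkbun-creds";
      extraDomainNames = ["*.twoha.cc"];
    };
  };

  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    # Forwards the client address (X-Real-IP / X-Forwarded-For) to the
    # loopback backends below.
    recommendedProxySettings = true;
    # Sets protocols, ciphers and OCSP stapling but no HSTS header; add
    # Strict-Transport-Security per vhost if wanted.  With a wildcard and a
    # 401 catch-all, includeSubDomains is a one-way door -- decide
    # deliberately.
    recommendedTlsSettings = true;

    virtualHosts = let
      # Shared by the two static sites: clean URLs (/foo serves foo.html) plus
      # a redirect from the .html form to the clean form.
      #  * `disable_symlinks off` is nginx's default; it is stated so the
      #    intent (follow symlinks under the root) is explicit.  If anything
      #    untrusted can write under the root, switch to
      #    `disable_symlinks if_not_owner from=$document_root;` so a planted
      #    symlink cannot expose files outside it.
      #  * The redirect only matches a ".html" suffix on the *path* and
      #    carries the query string across; the previous pattern matched
      #    ".html" anywhere in the request URI and silently dropped "?...".
      #    A leading "//host" in the request cannot become an off-site
      #    redirect because nginx (absolute_redirect on, the default)
      #    prefixes every "/"-relative Location with its own scheme://host.
      staticSite = ''
        disable_symlinks off;
        if ($request_uri ~ ^/([^?]*)\.html(\?.*)?$) {
          return 302 /$1$2;
        }
        try_files $uri $uri.html $uri/ =404;
      '';
    in {
      "twoha.cc" = {
        useACMEHost = "twoha.cc";
        forceSSL = true;
        serverName = "twoha.cc";
        # Nothing is served on the apex; see the note on the catch-all below.
        locations."/".return = 401;
      };

      "u.twoha.cc" = {
        useACMEHost = "twoha.cc";
        forceSSL = true;
        serverName = "u.twoha.cc";
        root = "/var/www/u";
        locations."/".extraConfig = staticSite;
        # Backend on loopback; whatever listens on 5000 receives the full
        # "/_/..." URI unchanged.
        locations."/_/".proxyPass = "http://127.0.0.1:5000";
      };

      "mu.twoha.cc" = {
        useACMEHost = "twoha.cc";
        forceSSL = true;
        serverName = "mu.twoha.cc";
        root = "/var/www/mu";
        locations."/".extraConfig = staticSite;
      };

      # Explicit default server: requests with an unknown Host/SNI (including
      # bare-IP requests) land here by declaration, not because "*.twoha.cc"
      # happens to sort first in the generated config.
      "*.twoha.cc" = {
        useACMEHost = "twoha.cc";
        serverName = "*.twoha.cc";
        forceSSL = true;
        default = true;
        # 401 without a WWW-Authenticate challenge is not a real auth prompt;
        # it is simply a 4xx that the fail2ban nginx-4 filter counts against
        # the client.
        locations."/".return = 401;
      };

      "g.twoha.cc" = {
        forceSSL = true;
        useACMEHost = "twoha.cc";
        serverName = "g.twoha.cc";
        # Large pushes / LFS uploads; nginx's 1M default would reject them.
        extraConfig = ''
          client_max_body_size 512M;
        '';
        # Literal loopback address rather than "localhost": nginx resolves
        # the name at startup and may include ::1, which Forgejo (bound to
        # 127.0.0.1 above) does not listen on, producing spurious upstream
        # errors before the IPv4 peer is tried.  Also matches the /_/ proxy
        # on u.twoha.cc.
        locations."/".proxyPass = "http://127.0.0.1:3333";
      };
    };
  };

  # Lets nginx read the certificate and key under /var/lib/acme/twoha.cc,
  # which are group-readable by "acme".
  users.users.nginx.extraGroups = ["acme"];

  # Management-plane access.  No trustedInterfaces are set, so the firewall
  # rules above apply on tailscale0 as well: only 2291/80/443 are reachable
  # over the tailnet.
  services.tailscale.enable = true;
}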