ringofstorms/dotfiles
ringofstorms/dotfiles
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
dotfiles/hosts/oracle/o001/nginx.nix

313 lines
8.9 KiB
Nix
Raw Blame History

{
config,
...
}:
let
apiKeyFile = config.age.secrets.litellm_public_api_key.path;
in
{
# JUST A TEST TODO remove
containers.wasabi = {
ephemeral = true;
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.2";
localAddress = "192.168.100.11";
config =
{ config, pkgs, ... }:
{
system.stateVersion = "24.11";
services.httpd.enable = true;
services.httpd.adminAddr = "foo@example.org";
networking.firewall = {
enable = true;
allowedTCPPorts = [ 80 ];
};
};
};
security.acme.acceptTerms = true;
security.acme.defaults.email = "admin@joshuabell.xyz";
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
clientMaxBodySize = "500m";
commonHttpConfig = ''
log_format noauth '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
'';
virtualHosts =
let
tailnetConfig = {
locations = {
"/" = {
extraConfig = ''
default_type text/html;
return 200 '
<html>
jRmvVcy0mlTrVJGiPMHsiCF6pQ2JCDNe2LiYJwcwgm8=
</html>
';
'';
};
};
};
in
{
# Redirect self IP to domain
"64.181.210.7" = {
locations."/" = {
return = "301 https://joshuabell.xyz";
};
};
"100.64.0.11" = tailnetConfig;
"o001.net.joshuabell.xyz" = tailnetConfig;
"www.joshuabell.xyz" = {
enableACME = true;
forceSSL = true;
locations."/" = {
return = "301 https://joshuabell.xyz";
};
};
"joshuabell.xyz" = {
enableACME = true;
forceSSL = true;
locations = {
"~ ^/ttyd-t(.*)$" = {
proxyPass = "http://100.64.0.8:9999";
extraConfig = ''
rewrite ^/ttyd-tempus(.*) /$1 break;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_read_timeout 1d; # dont kill connection after 60s of inactivity
'';
};
# "~ ^/tunnel_tempus/(?<port>[0-9]+)(.*)$" = {
# extraConfig = ''
# set $target_port $port;
# rewrite ^/tunnel_tempus/(?<port>[0-9]+)(.*)$ /$2 break;
# proxy_pass http://100.64.0.8:$target_port;
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
# proxy_set_header Host $host;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-Port $server_port;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_read_timeout 1d; # dont kill connection after 60s of inactivity
# '';
# };
"/wasabi" = {
proxyPass = "http://192.168.100.11/";
extraConfig = ''
rewrite ^/wasabi/(.*) /$1 break;
'';
};
"/" = {
# return = "200 '<html>Hello World</html>'";
extraConfig = ''
default_type text/html;
return 200 '
<html>
<body style="width:100vw;height:100vh;overflow:hidden">
<div style="display: flex;width:100vw;height:100vh;justify-content: center;align-items:center;text-align:center;overflow:hidden">
In the void you roam,</br>
A page that cannot be found-</br>
Turn back, seek anew.
</div>
</body>
</html>
';
'';
};
};
};
"www.ellalala.com" = {
enableACME = true;
forceSSL = true;
locations."/" = {
return = "301 https://ellalala.com";
};
};
"ellalala.com" = {
enableACME = true;
forceSSL = true;
locations."/" = {
return = "444";
};
};
# PROXY HOSTS
"chat.joshuabell.xyz" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://100.64.0.13";
};
};
"gist.joshuabell.xyz" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://100.64.0.13";
};
};
"git.joshuabell.xyz" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://100.64.0.13";
};
};
"n8n.joshuabell.xyz" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://100.64.0.13";
};
};
"notes.joshuabell.xyz" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://100.64.0.13";
};
};
"blog.joshuabell.xyz" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://100.64.0.13";
};
};
"sec.joshuabell.xyz" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://100.64.0.13";
};
};
"sso.joshuabell.xyz" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://100.64.0.13";
extraConfig = ''
proxy_set_header X-Forwarded-Proto https;
'';
};
};
"sso-proxy.joshuabell.xyz" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://100.64.0.13";
extraConfig = ''
proxy_set_header X-Forwarded-Proto https;
'';
};
};
"jellyfin.joshuabell.xyz" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://100.64.0.13";
};
};
"media.joshuabell.xyz" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://100.64.0.13";
};
};
"llm.joshuabell.xyz" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
access_log /var/log/nginx/llm.access.log noauth;
'';
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://100.64.0.13:8095";
extraConfig = ''
# API key auth - secret file contains: if ($http_authorization != "Bearer sk-xxx") { return 401; }
include ${apiKeyFile};
'';
};
};
"_" = {
rejectSSL = true;
default = true;
locations."/" = {
return = "444"; # 404 for not found or 444 for drop
};
};
};
# STREAMS
streamConfig = ''
server {
listen 3032;
proxy_pass 100.64.0.13:3032;
}
'';
};
services.fail2ban = {
enable = true;
maxretry = 5;
bantime = "1h";
ignoreIP = [
"127.0.0.1/8"
"24.16.158.91" # Jason's ip
];
bantime-increment = {
enable = true;
maxtime = "168h";
factor = "4";
};
jails = {
nginx-llm-auth.settings = {
enabled = true;
filter = "nginx-llm-auth";
backend = "polling";
logpath = "/var/log/nginx/llm.access.log";
maxretry = 5;
findtime = "10m";
bantime = "1h";
};
};
};
environment.etc."fail2ban/filter.d/nginx-llm-auth.conf".text = ''
[Definition]
failregex = ^<HOST> .* "(GET|POST|PUT|DELETE|PATCH|OPTIONS) .* HTTP/[0-9.]+" 401
ignoreregex =
'';
# NOTE Oracle also has security rules that must expose these ports so this alone will not work! See readme
networking.firewall.allowedTCPPorts = [
80 # web http
443 # web https
3032 # ssh for git server
];
}
Reference in a new issue View git blame Copy permalink