updated

system/machines/server/modules/nginx/default.nix

@@ -21,6 +21,8 @@ in
         CIDR ranges allowed to access private vhosts (LAN + WireGuard).
       '';
     };
+
+    searxng.enable = mkEnableOption "Publicly exposed SearXNG endpoint with secret path via sops";
   };
 
   config = mkIf cfg.enable {
@@ -28,6 +30,36 @@ in
 
     systemd.services.nginx.serviceConfig.LimitNOFILE = 65536;
 
+    environment.etc."fail2ban/filter.d/nginx-404.conf".text = ''
+      [Definition]
+      failregex = ^<HOST> - .+ "(GET|POST|HEAD|PUT|DELETE|PATCH) .+ HTTP/[0-9.]+" 404
+      ignoreregex =
+    '';
+
+    environment.etc."fail2ban/filter.d/nginx-401.conf".text = ''
+      [Definition]
+      failregex = ^<HOST> - .+ "(GET|POST|HEAD|PUT|DELETE|PATCH) .+ HTTP/[0-9.]+" 401
+      ignoreregex =
+    '';
+
+    services.fail2ban.jails.nginx-404 = ''
+      enabled   = true
+      filter    = nginx-404
+      logpath   = /var/log/nginx/access.log
+      maxretry  = 10
+      findtime  = 10m
+      bantime   = 24h
+    '';
+
+    services.fail2ban.jails.nginx-401 = ''
+      enabled   = true
+      filter    = nginx-401
+      logpath   = /var/log/nginx/access.log
+      maxretry  = 5
+      findtime  = 10m
+      bantime   = 24h
+    '';
+
     security.acme = {
       acceptTerms = true;
       defaults.email = config.user.email;
@@ -71,6 +103,28 @@ in
         };
       };
 
+      virtualHosts."wg.${domain}" = {
+        useACMEHost = domain;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString config.modules.system.wstunnel.listenPort}";
+          proxyWebsockets = true;
+          extraConfig = ''
+            proxy_read_timeout 3600s;
+            proxy_send_timeout 3600s;
+          '';
+        };
+      };
+
+      virtualHosts."searxng.${domain}" = mkIf cfg.searxng.enable {
+        useACMEHost = domain;
+        forceSSL = true;
+        locations."/".return = "404";
+        extraConfig = ''
+          include ${config.sops.templates."nginx-searxng-location.conf".path};
+        '';
+      };
+
       virtualHosts."chat.${domain}" = {
         useACMEHost = domain;
         forceSSL = true;
@@ -87,7 +141,6 @@ in
         locations."/" = {
           proxyPass = "http://192.168.0.23:8000";
           proxyWebsockets = true;
-          extraConfig = privateAccessRules;
         };
       };
 

system/machines/server/modules/wireguard/default.nix

@@ -65,6 +65,7 @@ in
 
   config = mkIf cfg.enable {
     networking.firewall.allowedUDPPorts = [ cfg.listenPort ];
+    networking.firewall.trustedInterfaces = [ "wg0" ];
     networking.nat.internalInterfaces = mkAfter [ "wg0" ];
 
     systemd.tmpfiles.rules = [

system/machines/server/modules/wstunnel/default.nix

@@ -0,0 +1,37 @@
+{ pkgs, lib, config, ... }:
+
+with lib;
+let
+  cfg = config.modules.system.wstunnel;
+in
+{
+  options.modules.system.wstunnel = {
+    enable = mkEnableOption "wstunnel WebSocket transport for WireGuard";
+
+    listenPort = mkOption {
+      type = types.port;
+      default = 8080;
+      description = "Local port wstunnel server listens on (nginx proxies to this)";
+    };
+
+    wireguardPort = mkOption {
+      type = types.port;
+      default = 51820;
+      description = "Local WireGuard port to forward traffic to";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.wstunnel = {
+      description = "wstunnel WebSocket server for WireGuard transport";
+      after = [ "network.target" "wireguard-wg0.service" ];
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        ExecStart = "${pkgs.wstunnel}/bin/wstunnel server ws://127.0.0.1:${toString cfg.listenPort} --restrict-to 127.0.0.1:${toString cfg.wireguardPort}";
+        Restart = "on-failure";
+        RestartSec = 5;
+        DynamicUser = true;
+      };
+    };
+  };
+}