updated

2026-05-08 14:50:12 -04:00 · 2026-04-13 15:57:27 -04:00 · 2026-04-13 15:57:27 -04:00 · 6692807229
commit 6692807229
parent cb7d7d2476
6 changed files with 140 additions and 3 deletions
--- a/system/machines/server/modules/nginx/default.nix
+++ b/system/machines/server/modules/nginx/default.nix
@ -21,6 +21,8 @@ in
        CIDR ranges allowed to access private vhosts (LAN + WireGuard).
      '';
    };
+
+    searxng.enable = mkEnableOption "Publicly exposed SearXNG endpoint with secret path via sops";
  };

  config = mkIf cfg.enable {
@ -28,6 +30,36 @@ in

    systemd.services.nginx.serviceConfig.LimitNOFILE = 65536;

+    environment.etc."fail2ban/filter.d/nginx-404.conf".text = ''
+      [Definition]
+      failregex = ^<HOST> - .+ "(GET|POST|HEAD|PUT|DELETE|PATCH) .+ HTTP/[0-9.]+" 404
+      ignoreregex =
+    '';
+
+    environment.etc."fail2ban/filter.d/nginx-401.conf".text = ''
+      [Definition]
+      failregex = ^<HOST> - .+ "(GET|POST|HEAD|PUT|DELETE|PATCH) .+ HTTP/[0-9.]+" 401
+      ignoreregex =
+    '';
+
+    services.fail2ban.jails.nginx-404 = ''
+      enabled   = true
+      filter    = nginx-404
+      logpath   = /var/log/nginx/access.log
+      maxretry  = 10
+      findtime  = 10m
+      bantime   = 24h
+    '';
+
+    services.fail2ban.jails.nginx-401 = ''
+      enabled   = true
+      filter    = nginx-401
+      logpath   = /var/log/nginx/access.log
+      maxretry  = 5
+      findtime  = 10m
+      bantime   = 24h
+    '';
+
    security.acme = {
      acceptTerms = true;
      defaults.email = config.user.email;
@ -71,6 +103,28 @@ in
        };
      };

+      virtualHosts."wg.${domain}" = {
+        useACMEHost = domain;
+        forceSSL = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString config.modules.system.wstunnel.listenPort}";
+          proxyWebsockets = true;
+          extraConfig = ''
+            proxy_read_timeout 3600s;
+            proxy_send_timeout 3600s;
+          '';
+        };
+      };
+
+      virtualHosts."searxng.${domain}" = mkIf cfg.searxng.enable {
+        useACMEHost = domain;
+        forceSSL = true;
+        locations."/".return = "404";
+        extraConfig = ''
+          include ${config.sops.templates."nginx-searxng-location.conf".path};
+        '';
+      };
+
      virtualHosts."chat.${domain}" = {
        useACMEHost = domain;
        forceSSL = true;
@ -87,7 +141,6 @@ in
        locations."/" = {
          proxyPass = "http://192.168.0.23:8000";
          proxyWebsockets = true;
-          extraConfig = privateAccessRules;
        };
      };