Merge branch 'master' of ssh://github.com/pniedzwiedzinski/dots

3 files changed, 70 insertions, 1 deletions

diff --git a/machines/srv1/configuration.nix b/machines/srv1/configuration.nix
index ff7b6a1..ea7d730 100644
--- a/machines/srv1/configuration.nix
+++ b/machines/srv1/configuration.nix
@@ -1,5 +1,7 @@
 { config, pkgs, ... }:
 let
+  ModSecurity-nginx = pkgs.callPackage ./modsecurity.nix { };
+  crs = pkgs.callPackage ./coreruleset.nix { };
   nvim = (import (pkgs.fetchzip {
     url = "https://github.com/nixos/nixpkgs/archive/517c29935b6e4dec12571e7d101e2b0da220263d.zip";
     sha256 = "1s85sz62iykvca90d3cgd981670rnkd5c171wda7wpwdj0d52sf3";
@@ -99,18 +101,31 @@ in
   services.sshguard.enable = true;
 
   services.nginx.enable = true;
+  services.nginx.package = (pkgs.nginx.override { modules = [ ModSecurity-nginx ]; });
   services.nginx.appendHttpConfig = ''
+    modsecurity on;
+    # modsecurity_rules '
+    #   SecRuleEngine On
+    #   Include ${crs}/crs-setup.conf;
+    #   Include ${crs}/rules/*.conf;
+    # ';
     charset utf-8;
     source_charset utf-8;
   '';
   services.nginx.virtualHosts = {
-    "srv1.niedzwiedzinski.cyou" = {
+    "srv1.niedzwiedzinski.cyou" = let
+      modsec_config = builtins.toFile "modsecurity_rules.conf" ''
+        SecRuleEngine On
+        SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
+      '';
+    in {
       enableACME = true;
       forceSSL = true;
       extraConfig = ''
         location ~ /*.md {
 	  types { } default_type "text/markdown; charset=utf-8";
         }
+        modsecurity_rules_file ${modsec_config};
       '';
       root = "/var/www/srv1.niedzwiedzinski.cyou";
     };
@@ -122,6 +137,12 @@ in
     "rss.srv1.niedzwiedzinski.cyou" = {
       enableACME = true;
       forceSSL = true;
+      extraConfig = ''
+        modsecurity_rules '
+          SecRuleEngine On
+          SecRule ARGS:u "@rx life[-_]*hack(s)?" "id:1234,deny,status:403"
+        ';
+      '';
     };
     "git.niedzwiedzinski.cyou" = {
       locations."/".proxyPass = "http://0.0.0.0:8080/cgit/";
@@ -135,6 +156,14 @@ in
       enableACME = true;
       addSSL = true;
       root = "/var/www/tmp.niedzwiedzinski.cyou";
+      extraConfig = ''
+        modsecurity_rules '
+          SecRuleEngine On
+          SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
+          Include ${crs}/crs-setup.conf
+          Include ${crs}/all-rules.conf
+        ';
+      '';
     };
     "niedzwiedzinski.cyou" = {
       enableACME = true;
diff --git a/machines/srv1/coreruleset.nix b/machines/srv1/coreruleset.nix
new file mode 100644
index 0000000..c52c898
--- /dev/null
+++ b/machines/srv1/coreruleset.nix
@@ -0,0 +1,21 @@
+{ stdenv, fetchFromGitHub }:
+stdenv.mkDerivation {
+  pname = "coreruleset";
+  version = "3.3.0";
+
+  src = fetchFromGitHub {
+    owner = "coreruleset";
+    repo = "coreruleset";
+    rev = "v3.3.0";
+    sha256 = "sha256:10z1051iwna5x8b8cl29frs5nx3s6ip7hc4mjkgh7vkck8ly4pjm";
+  };
+
+  installPhase = ''
+    mkdir $out
+    cp crs-setup.conf.example $out/crs-setup.conf
+    cp -r rules $out
+    for f in rules/*.conf; do
+      echo "Include \"$out/$f\"" >> $out/all-rules.conf
+    done
+  '';
+}
diff --git a/machines/srv1/modsecurity.nix b/machines/srv1/modsecurity.nix
new file mode 100644
index 0000000..85dd4d1
--- /dev/null
+++ b/machines/srv1/modsecurity.nix
@@ -0,0 +1,19 @@
+{ stdenv, fetchFromGitHub, libmodsecurity }:
+let
+  pname = "ModSecurity-nginx";
+  version = "1.0.1";
+in
+stdenv.mkDerivation {
+  inherit pname version;
+
+  src = fetchFromGitHub {
+    owner = "SpiderLabs";
+    repo = "ModSecurity-nginx";
+    rev = "v${version}";
+    sha256 = "sha256:0cbb3g3g4v6q5zc6an212ia5kjjad62bidnkm8b70i4qv1615pzf";
+  };
+
+  inputs = [ libmodsecurity ];
+
+}
+