Diffstat (limited to 'machines/srv1')
-rw-r--r-- | machines/srv1/configuration.nix | 31 | ||||
-rw-r--r-- | machines/srv1/coreruleset.nix | 21 | ||||
-rw-r--r-- | machines/srv1/modsecurity.nix | 19 |
3 files changed, 70 insertions, 1 deletions
diff --git a/machines/srv1/configuration.nix b/machines/srv1/configuration.nix
index ff7b6a1..ea7d730 100644
--- a/machines/srv1/configuration.nix
+++ b/machines/srv1/configuration.nix
@@ -1,5 +1,7 @@
 { config, pkgs, ... }:
 let
+ ModSecurity-nginx = pkgs.callPackage ./modsecurity.nix { };
+ crs = pkgs.callPackage ./coreruleset.nix { };
 nvim = (import (pkgs.fetchzip {
 url = "https://github.com/nixos/nixpkgs/archive/517c29935b6e4dec12571e7d101e2b0da220263d.zip";
 sha256 = "1s85sz62iykvca90d3cgd981670rnkd5c171wda7wpwdj0d52sf3";
@@ -99,18 +101,31 @@ in
 services.sshguard.enable = true;
 services.nginx.enable = true;
+ services.nginx.package = (pkgs.nginx.override { modules = [ ModSecurity-nginx ]; });
 services.nginx.appendHttpConfig = ''
+ modsecurity on;
+ # modsecurity_rules '
+ # SecRuleEngine On
+ # Include ${crs}/crs-setup.conf;
+ # Include ${crs}/rules/*.conf;
+ # ';
 charset utf-8;
 source_charset utf-8;
 '';
 services.nginx.virtualHosts = {
- "srv1.niedzwiedzinski.cyou" = {
+ "srv1.niedzwiedzinski.cyou" = let
+ modsec_config = builtins.toFile "modsecurity_rules.conf" ''
+ SecRuleEngine On
+ SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
+ '';
+ in {
 enableACME = true;
 forceSSL = true;
 extraConfig = ''
 location ~ /*.md {
 types { }
 default_type "text/markdown; charset=utf-8";
 }
+ modsecurity_rules_file ${modsec_config};
 '';
 root = "/var/www/srv1.niedzwiedzinski.cyou";
 };
@@ -122,6 +137,12 @@ in
 "rss.srv1.niedzwiedzinski.cyou" = {
 enableACME = true;
 forceSSL = true;
+ extraConfig = ''
+ modsecurity_rules '
+ SecRuleEngine On
+ SecRule ARGS:u "@rx life[-_]*hack(s)?" "id:1234,deny,status:403"
+ ';
+ '';
 };
 "git.niedzwiedzinski.cyou" = {
 locations."/".proxyPass = "http://0.0.0.0:8080/cgit/";
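Review bot: `modsecurity on;` in appendHttpConfig switches the engine on for every server block, but the http-level rule set stays commented out, so any vhost that does not attach its own `modsecurity_rules*` directive (e.g. git.niedzwiedzinski.cyou later in this hunk) runs the engine with no rules at all; a comment stating that rules are deliberately attached per vhost would stop the next reader from assuming the CRS is global. If the commented block is ever re-enabled, the trailing `;` on the two `Include` lines would presumably be read as part of the path, so they should go. The `SecRule ARGS:testparam "@contains test"` rule in modsec_config is a smoke test rather than protection; mark it, e.g. `# smoke test only: a request carrying testparam=test must come back as 403`, and note that `id:1234` is reused for a different rule in each vhost below, which only works because the per-server rule sets are never merged with each other.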
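Review bot: The `@rx life[-_]*hack(s)?` rule on the rss vhost is case-sensitive and carries no `msg` or `tag`, so a blocked request shows up in the error log with nothing but the id, which makes later triage of false positives hard. If case-insensitive matching is what you intend (I cannot tell from here whether the feed lower-cases `u` upstream), change the action list to `"id:1234,phase:2,t:lowercase,deny,status:403,msg:'rss: blocked lifehack in u'"`; `phase:2` is already the default, so stating it only documents intent. Note that ARGS covers POST parameters only when request body access is enabled, which nothing in this file turns on, so the rule presumably inspects query-string arguments only.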
@@ -135,6 +156,14 @@ in
 enableACME = true;
 addSSL = true;
 root = "/var/www/tmp.niedzwiedzinski.cyou";
+ extraConfig = ''
+ modsecurity_rules '
+ SecRuleEngine On
+ SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"
+ Include ${crs}/crs-setup.conf
+ Include ${crs}/all-rules.conf
+ ';
+ '';
 };
 "niedzwiedzinski.cyou" = {
 enableACME = true;
diff --git a/machines/srv1/coreruleset.nix b/machines/srv1/coreruleset.nix
new file mode 100644
index 0000000..c52c898
--- /dev/null
+++ b/machines/srv1/coreruleset.nix
@@ -0,0 +1,21 @@
+{ stdenv, fetchFromGitHub }:
+stdenv.mkDerivation {
+ pname = "coreruleset";
+ version = "3.3.0";
+
+ src = fetchFromGitHub {
+ owner = "coreruleset";
+ repo = "coreruleset";
+ rev = "v3.3.0";
+ sha256 = "sha256:10z1051iwna5x8b8cl29frs5nx3s6ip7hc4mjkgh7vkck8ly4pjm";
+ };
+
+ installPhase = ''
+ mkdir $out
+ cp crs-setup.conf.example $out/crs-setup.conf
+ cp -r rules $out
+ for f in rules/*.conf; do
+ echo "Include \"$out/$f\"" >> $out/all-rules.conf
+ done
+ '';
+}
diff --git a/machines/srv1/modsecurity.nix b/machines/srv1/modsecurity.nix
new file mode 100644
index 0000000..85dd4d1
--- /dev/null
+++ b/machines/srv1/modsecurity.nix
@@ -0,0 +1,19 @@
+{ stdenv, fetchFromGitHub, libmodsecurity }:
+let
+ pname = "ModSecurity-nginx";
+ version = "1.0.1";
+in
+stdenv.mkDerivation {
+ inherit pname version;
+
+ src = fetchFromGitHub {
+ owner = "SpiderLabs";
+ repo = "ModSecurity-nginx";
+ rev = "v${version}";
+ sha256 = "sha256:0cbb3g3g4v6q5zc6an212ia5kjjad62bidnkm8b70i4qv1615pzf";
+ };
+
+ inputs = [ libmodsecurity ];
+
+}
+ |
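Review bot: The tmp vhost loads the CRS with `SecRuleEngine On` but without the base engine directives the CRS expects from ModSecurity's recommended configuration: there is no `SecRequestBodyAccess On`, and as far as I know libmodsecurity leaves body access off by default, so the CRS request-body rules never see POST data; and there is no `SecAuditEngine`/`SecAuditLog`, so a block cannot be reconstructed afterwards. Add `SecRequestBodyAccess On` ahead of the two `Include` lines, and consider `SecAuditEngine RelevantOnly` together with a `SecAuditLog <AUDIT_LOG_PATH>` (placeholder path) so that anomaly-scored denials are explainable. Switching an untuned crs-setup.conf straight to blocking mode invites false positives; `SecRuleEngine DetectionOnly` for a soak period is the usual route, which may be acceptable to skip if tmp. is a throwaway host, but say so in a comment. The `SecRule ARGS:testparam` line is the same smoke test as in the srv1 vhost and deserves the same one-line comment.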
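Review bot: installPhase in coreruleset.nix ships `crs-setup.conf.example` verbatim as crs-setup.conf, i.e. with upstream's default paranoia level and anomaly thresholds, and `all-rules.conf` includes every `rules/*.conf` in shell glob order with no hook for site-specific exclusions (the exclusion templates in the rules directory are `.conf.example` files and are not picked up), so anyone tuning this later has to patch the store path rather than add a file. A header comment should make both points, e.g. `# crs-setup.conf is the untuned upstream example; all-rules.conf orders the rule files by their numeric prefixes via glob sort and leaves no slot for local exclusions`. Stylistically, `mkdir -p $out` is the idiom used elsewhere in nixpkgs, and the derivation could set `dontBuild = true;` so stdenv does not go looking for a Makefile.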
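Review bot: modsecurity.nix is not a buildable package but a module descriptor for `pkgs.nginx.override { modules = [ ... ]; }`, which, as far as I can tell from nixpkgs' nginx module mechanism, reads only the `src` and `inputs` attributes of each entry; the mkDerivation wrapper here has no build or install steps, so evaluating it as a package would presumably fail or yield an empty output. A header comment such as `# nginx module descriptor, not a standalone package: nginx's build reads .src and .inputs from this attrset` would stop a future cleanup from turning it into a "real" derivation or dropping `inputs` as unused. The ModSecurity-nginx v1.0.1 pin only works with a compatible `libmodsecurity` from nixpkgs, so recording the nixpkgs revision it was tested against would help the next upgrade.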