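# NixOS module: serves a Hugo-built static site through Caddy and guards
# Caddy's basic-auth endpoints with a fail2ban jail.
#
# Module arguments (supplied by the caller): `config`, `pkgs` and `lib` are the
# usual NixOS module inputs; `service_configs` carries the zpool, domain and
# port settings used below; `inputs.website` is the site source.
{ config, service_configs, pkgs, lib, inputs, ... }:
let
  # Both themes are pinned to an exact commit and verified against a content
  # hash, so a moved upstream branch or tag cannot silently change the build.
  theme = pkgs.fetchFromGitHub {
    owner = "kaiiiz";
    repo = "hugo-theme-monochrome";
    rev = "d17e05715e91f41a842f2656e6bdd70cba73de91";
    sha256 = "h9I2ukugVrldIC3SXefS0L3R245oa+TuRChOCJJgF24=";
  };
  hugo-neko = pkgs.fetchFromGitHub {
    owner = "ystepanoff";
    repo = "hugo-neko";
    rev = "5a50034acbb1ae0cec19775af64e7167ca22725e";
    sha256 = "VLwr4zEeFQU/b+vj0XTLSuEiosuNFu2du4uud7m8bnw=";
  };

  # Builds the site inside the Nix sandbox; `$out` is the directory Caddy
  # serves. Any theme copies present in the source are replaced by the pinned
  # ones above before Hugo runs.
  hugoWebsite = pkgs.stdenv.mkDerivation {
    pname = "hugo-site";
    version = "0.1";
    src = inputs.website;
    nativeBuildInputs = with pkgs; [ hugo go git ];
    installPhase = ''
      rm -fr themes/theme modules/hugo-neko
      cp -r ${theme} themes/theme
      cp -r ${hugo-neko} modules/hugo-neko
      hugo --minify -d $out;
    '';
  };
in
{
  imports = [
    # Mounts Caddy's data directory (TLS certificates and ACME account
    # material) from the SSD zpool rather than the root filesystem.
    (lib.serviceMountWithZpool "caddy" service_configs.zpool_ssds [ config.services.caddy.dataDir ])
  ];

  services.caddy = {
    enable = true;
    email = "titaniumtown@proton.me";
    virtualHosts = {
      ${service_configs.https.domain} = {
        # NOTE(review): `browse` enables directory listings for every path
        # that has no index file, so the layout of the built site is visible
        # to any client; drop it unless listings are intended.
        extraConfig = ''
          root * ${hugoWebsite}
          file_server browse
        '';
        serverAliases = [ "www.${service_configs.https.domain}" ];
      };
    };
  };

  # The data directory holds private keys, so only the Caddy user may enter it.
  systemd.tmpfiles.rules = [
    "d ${config.services.caddy.dataDir} 700 ${config.services.caddy.user} ${config.services.caddy.group}"
  ];
  systemd.packages = with pkgs; [ nssTools ];

  networking.firewall.allowedTCPPorts = [
    service_configs.ports.https
    # http (but really acmeCA challenges)
    service_configs.ports.http
  ];
  # UDP on the HTTPS port — presumably for HTTP/3 (QUIC); confirm Caddy has it enabled.
  networking.firewall.allowedUDPPorts = [ service_configs.ports.https ];

  # Protect Caddy basic auth endpoints from brute force attacks
  services.fail2ban.jails.caddy-auth = {
    enabled = true;
    settings = {
      backend = "auto";
      port = "http,https";
      logpath = "/var/log/caddy/access-*.log";
      # defaults: maxretry=5, findtime=10m, bantime=10m
    };
    filter.Definition = {
      # Match Caddy JSON logs with 401 Unauthorized status (failed basic auth).
      # `<HOST>` is fail2ban's address capture group: it is what selects the
      # client to ban, and fail2ban refuses to load a filter without a host
      # group, so it must not be left out of the pattern.
      # Caveats: a client's first request to a protected path carries no
      # credentials and is logged as 401 too, so every fresh session spends
      # one of the maxretry attempts; and if requests ever reach Caddy through
      # a proxy, `remote_ip` would be the proxy's address — confirm before
      # fronting this host with one.
      failregex = ''^.*"remote_ip":"<HOST>".*"status":401.*$'';
      ignoreregex = "";
      # Caddy records the time as a fractional Unix epoch in "ts"; {Epoch} is
      # fail2ban's epoch matcher and the trailing `\.` anchors on the decimal
      # point.
      datepattern = ''"ts":{Epoch}\.'';
    };
  };
}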