host: opt: www: Made nginx bad bot blocker into a derivation that's e…

…xtensible with patches. This will allow patching in custom white/blacklists.
aftix · Oct 14, 2024 · c1b808e · c1b808e
1 parent d8b1b30
commit c1b808e
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 4 deletions.
diff --git a/flake.nix b/flake.nix
@@ -380,6 +380,7 @@
           (appliedOverlay)
           carapace
           heisenbridge
+          nginx_blocker
           nu_plugin_audio_hook
           nu_plugin_compress
           nu_plugin_dbus

diff --git a/host/opt/www/default.nix b/host/opt/www/default.nix
@@ -6,7 +6,6 @@
 }: let
   inherit (lib.options) mkOption;
 
-  inherit (config.dep-inject) inputs;
   cfg = config.my.www;
 in {
   imports = [
@@ -65,6 +64,11 @@ in {
       default = 599;
       type = lib.types.ints.positive;
     };
+
+    nginxBlockerPatches = mkOption {
+      default = [];
+      type = lib.types.listOf lib.types.path;
+    };
   };
 
   config = {
@@ -117,10 +121,12 @@ in {
       openssh.settings.AllowUsers = [cfg.user];
     };
 
-    systemd.tmpfiles.rules = [
+    systemd.tmpfiles.rules = let
+      blockerPkg = pkgs.nginx_blocker.overrideAttrs {patches = cfg.nginxBlockerPatches;};
+    in [
       "d ${cfg.root} 0775 ${cfg.user} ${cfg.group} -"
-      "L+ /etc/nginx/conf.d - - - - ${inputs.nginxBlacklist}/conf.d"
-      "L+ /etc/nginx/bots.d - - - - ${inputs.nginxBlacklist}/bots.d"
+      "L+ /etc/nginx/conf.d - - - - ${blockerPkg}/conf.d"
+      "L+ /etc/nginx/bots.d - - - - ${blockerPkg}/bots.d"
     ];
 
     security.acme = {

diff --git a/overlay.nix b/overlay.nix
@@ -18,6 +18,8 @@ inputs: final: prev: {
     };
   });
 
+  nginx_blocker = final.callPackage ./packages/nginx_blocker.nix {inherit (inputs) nginxBlacklist;};
+
   nu_plugin_audio_hook = final.callPackage ./packages/nu_plugin_audio_hook.nix {};
   nu_plugin_compress = final.callPackage ./packages/nu_plugin_compress.nix {};
   nu_plugin_dbus = final.callPackage ./packages/nu_plugin_dbus.nix {};

diff --git a/packages/nginx_blocker.nix b/packages/nginx_blocker.nix
@@ -0,0 +1,23 @@
+{
+  lib,
+  stdenv,
+  nginxBlacklist,
+}:
+stdenv.mkDerivation {
+  pname = "nginx-ultimate-bad-bot-blocker";
+  version = "1";
+
+  src = nginxBlacklist;
+
+  installPhase = ''
+    mkdir -p "$out"
+    cp -R *.d "$out/."
+  '';
+
+  meta = with lib; {
+    description = "nginx ultimate bad bot blocker";
+    homepage = "https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker";
+    license = licenses.mit;
+    platforms = with platforms; all;
+  };
+}