From c1b808edac82f1308860fd09bacd17722a8a3437 Mon Sep 17 00:00:00 2001
From: aftix
Date: Sun, 13 Oct 2024 23:08:51 -0500
Subject: [PATCH] host: opt: www: Made nginx bad bot blocker into a derivation that's extensible with patches. This will allow patching in custom white/blacklists.
---
 flake.nix | 1 +
 host/opt/www/default.nix | 14 ++++++++++----
 overlay.nix | 2 ++
 packages/nginx_blocker.nix | 23 +++++++++++++++++++++++
 4 files changed, 36 insertions(+), 4 deletions(-)
 create mode 100644 packages/nginx_blocker.nix
diff --git a/flake.nix b/flake.nix
index f7eeef5..b2f1081 100644
--- a/flake.nix
+++ b/flake.nix
@@ -380,6 +380,7 @@
 (appliedOverlay)
 carapace
 heisenbridge
+ nginx_blocker
 nu_plugin_audio_hook
 nu_plugin_compress
 nu_plugin_dbus
diff --git a/host/opt/www/default.nix b/host/opt/www/default.nix
index 8c831e3..3ad13c2 100644
--- a/host/opt/www/default.nix
+++ b/host/opt/www/default.nix
@@ -6,7 +6,6 @@
 }:
 let
 inherit (lib.options) mkOption;
- inherit (config.dep-inject) inputs;
 cfg = config.my.www;
 in {
 imports = [
@@ -65,6 +64,11 @@ in {
 default = 599;
 type = lib.types.ints.positive;
 };
+
+ nginxBlockerPatches = mkOption {
+ default = [];
+ type = lib.types.listOf lib.types.path;
+ };
 };
 config = {
@@ -117,10 +121,12 @@ in {
 openssh.settings.AllowUsers = [cfg.user];
 };
- systemd.tmpfiles.rules = [
+ systemd.tmpfiles.rules = let
+ blockerPkg = pkgs.nginx_blocker.overrideAttrs {patches = cfg.nginxBlockerPatches;};
+ in [
 "d ${cfg.root} 0775 ${cfg.user} ${cfg.group} -"
- "L+ /etc/nginx/conf.d - - - - ${inputs.nginxBlacklist}/conf.d"
- "L+ /etc/nginx/bots.d - - - - ${inputs.nginxBlacklist}/bots.d"
+ "L+ /etc/nginx/conf.d - - - - ${blockerPkg}/conf.d"
+ "L+ /etc/nginx/bots.d - - - - ${blockerPkg}/bots.d"
 ];
 security.acme = {
diff --git a/overlay.nix b/overlay.nix
index 91a8d81..644fdd6 100644
--- a/overlay.nix
+++ b/overlay.nix
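Review bot: `nginxBlockerPatches` is declared with only `default` and `type`, so it appears in the generated option docs with no explanation of what the patches are applied to or why they exist; add `description = "Patch files applied to the nginx-ultimate-bad-bot-blocker sources (e.g. to customise the bots.d white/blacklists) before they are linked into /etc/nginx.";` next to `type`. An `example = [./whitelist-ips.patch];` would make the intended use obvious to the next reader. The enclosing options attribute set starts and ends outside the hunk.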
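Review bot: Linking `${blockerPkg}/conf.d` and `${blockerPkg}/bots.d` into /etc/nginx via the `L+` tmpfiles rules swaps the blocklist on activation, but nothing in the hunk tells the nginx unit about it: the NixOS nginx service is presumably reloaded/restarted only when its generated config file changes, and these directories are reached through that file's `include`s, so a bumped `nginxBlacklist` input or a changed patch list would keep the previously loaded rules in service until a manual reload — confirm against the services.nginx settings elsewhere in this module. Hoist `blockerPkg` out of the tmpfiles `let` into the module's top-level `let` and add `systemd.services.nginx.reloadTriggers = [blockerPkg];` so the new rules are picked up by the same rebuild. The enclosing `config = { … }` set starts and ends outside the hunk.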
@@ -18,6 +18,8 @@ inputs: final: prev: {
 };
 });
+ nginx_blocker = final.callPackage ./packages/nginx_blocker.nix {inherit (inputs) nginxBlacklist;};
+
 nu_plugin_audio_hook = final.callPackage ./packages/nu_plugin_audio_hook.nix {};
 nu_plugin_compress = final.callPackage ./packages/nu_plugin_compress.nix {};
 nu_plugin_dbus = final.callPackage ./packages/nu_plugin_dbus.nix {};
diff --git a/packages/nginx_blocker.nix b/packages/nginx_blocker.nix
new file mode 100644
index 0000000..2057a6c
--- /dev/null
+++ b/packages/nginx_blocker.nix
@@ -0,0 +1,23 @@
+{
+ lib,
+ stdenv,
+ nginxBlacklist,
+}:
+stdenv.mkDerivation {
+ pname = "nginx-ultimate-bad-bot-blocker";
+ version = "1";
+
+ src = nginxBlacklist;
+
+ installPhase = ''
+ mkdir -p "$out"
+ cp -R *.d "$out/."
+ '';
+
+ meta = with lib; {
+ description = "nginx ultimate bad bot blocker";
+ homepage = "https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker";
+ license = licenses.mit;
+ platforms = with platforms; all;
+ };
+}
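Review bot: `stdenv.mkDerivation` still runs the default configure and build phases before the custom `installPhase`, so if the upstream checkout carries a `configure` script or a `Makefile` (I cannot see the tree from here) it would be executed during what is meant to be a pure copy of config files; set `dontConfigure = true;` and `dontBuild = true;` so only the patch phase and the copy run. The `cp -R *.d "$out/."` also pulls in every `*.d` directory upstream ships rather than the `conf.d` and `bots.d` the module links, so `cp -R conf.d bots.d "$out/"` makes the store path's contents explicit and fails loudly if upstream renames them. A short comment above `src` saying the real version is the pinned `nginxBlacklist` flake input and that `version = "1"` is only a placeholder would save the next reader a search.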