lightsail-tokyo/caddy: add hardening and robots.txt

2024-05-04 16:12:36 +08:00 · 2024-05-04 16:12:36 +08:00 · 857885567e
commit 857885567e
parent 8e7e6addaa
3 changed files with 110 additions and 38 deletions
--- a/hosts/lightsail-tokyo/Caddyfile
+++ b/hosts/lightsail-tokyo/Caddyfile
@ -0,0 +1,69 @@
 {
 	# Disables HTTP/3 for Hysteria
 	# https://github.com/apernet/hysteria/issues/768
 	servers :443 {
 		protocols h1 h2 h2c
 	}
 }
 (header) {
 	header {
 		# https://observatory.mozilla.org/analyze/ny4.dev
 		# https://infosec.mozilla.org/guidelines/web_security
 		# https://caddyserver.com/docs/caddyfile/directives/header#examples
 		Content-Security-Policy "default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"
 		Permissions-Policy interest-Hpcohort=()
 		Strict-Transport-Security max-age=31536000;
 		X-Content-Type-Options nosniff
 		X-Frame-Options DENY
 	}
 }
 (compression) {
 	encode zstd gzip
 }
 (robots) {
 	handle_path /robots.txt {
 		file_server * {
 			root /var/www/robots/robots.txt
 		}
 	}
 }
 (default) {
 	import header
 	import compression
 	import robots
 }
 www.ny4.dev {
 	import default
 	redir https://ny4.dev
 }
 ny4.dev {
 	import default
 	respond "Hello, world!"
 }
 searx.ny4.dev {
 	import default
 	reverse_proxy localhost:8100
 }
 pb.ny4.dev {
 	import default
 	reverse_proxy localhost:8200
 }
 uptime.ny4.dev {
 	import default
 	reverse_proxy localhost:8300
 }
 ntfy.ny4.dev {
 	import default
 	reverse_proxy localhost:8400
 }
--- a/hosts/lightsail-tokyo/default.nix
+++ b/hosts/lightsail-tokyo/default.nix
@ -43,46 +43,15 @@
  networking.firewall.allowedUDPPorts = [443]; # h3 hysteria -> caddy
  networking.firewall.allowedTCPPorts = [80 443]; # caddy
  systemd.tmpfiles.settings = {
    "10-www" = {
      "/var/www/robots/robots.txt".C.argument = toString ./robots.txt;
    };
  };
  services.caddy = {
    enable = true;
-    configFile = pkgs.writeText "Caddyfile" ''
+    configFile = ./Caddyfile;
      {
        # Disables HTTP/3 for Hysteria
        # https://github.com/apernet/hysteria/issues/768
        servers :443 {
          protocols h1 h2 h2c
        }
      }
      www.ny4.dev {
        redir https://ny4.dev
      }
      ny4.dev {
        encode zstd gzip
        respond "Hello, world!"
      }
      searx.ny4.dev {
        encode zstd gzip
        reverse_proxy localhost:8100
      }
      pb.ny4.dev {
        encode zstd gzip
        reverse_proxy localhost:8200
      }
      uptime.ny4.dev {
        encode zstd gzip
        reverse_proxy localhost:8300
      }
      ntfy.ny4.dev {
        encode zstd gzip
        reverse_proxy localhost:8400
      }
    '';
  };
  services.hysteria = {
--- a/hosts/lightsail-tokyo/robots.txt
+++ b/hosts/lightsail-tokyo/robots.txt
@ -0,0 +1,34 @@
 User-agent: GPTBot
 Disallow: /
 User-agent: ChatGPT-User
 Disallow: /
 User-agent: Google-Extended
 Disallow: /
 User-agent: CCBot
 Disallow: /
 User-agent: Amazonbot
 Disallow: /
 User-agent: FacebookBot
 Disallow: /
 User-agent: anthopic-ai
 Disallow: /
 User-agent: Claude-Web
 Disallow: /
 User-agent: cohere-ai
 Disallow: /
 User-agent: Omgilibot
 Disallow: /
 User-Agent: *
 Disallow: /harming/humans
 Disallow: /ignoring/human/orders
 Disallow: /harm/to/self