feat(authentik): fixing some fail2ban things

2025-10-02 05:45:35 +02:00
parent 923c810972
commit 67e83e3e4e
2 changed files with 7 additions and 3 deletions
--- a/hosts/sobotka/modules.nix
+++ b/hosts/sobotka/modules.nix
@@ -214,7 +214,7 @@
        flags = "--performance";
      };
      tailscale = {
-        enable = true;
+        enable = false;
      };
      udisks = {
        enable = true;
--- a/modules/server/authentik/default.nix
+++ b/modules/server/authentik/default.nix
@@ -54,10 +54,14 @@ in {
      authentikEnv = {
        file = "${self}/secrets/authentikEnv.age";
        owner = "authentik";
+        group = "authentik";
+        mode = "0400";
      };
      authentikCloudflared = {
        file = "${self}/secrets/authentikCloudflared.age";
        owner = "authentik";
+        group = "authentik";
+        mode = "0400";
      };
    };

@@ -66,7 +70,7 @@ in {
        jails = {
          authentik = {
            serviceName = "authentik";
-            failregex = ^.*Username or password is incorrect.*IP:\s*<HOST>
+            failRegex = "^.*Username or password is incorrect.*IP:\s*<HOST>";
          };
        };
      };
@@ -99,7 +103,7 @@ in {
            middlewares = {
              authentik = {
                forwardAuth = {
-                  tls.insecureSkipVerify = true;
+                  # tls.insecureSkipVerify = true;
                  address = "https://localhost:9443/outpost.goauthentik.io/auth/traefik";
                  trustForwardHeader = true;
                  authResponseHeaders = [