diff --git a/flake.lock b/flake.lock index 39bcf0b6..28177bd3 100644 --- a/flake.lock +++ b/flake.lock @@ -153,11 +153,11 @@ "rust-overlay": "rust-overlay" }, "locked": { - "lastModified": 1759155412, - "narHash": "sha256-5JMoXMQt0C1SAHzhHwKLIEZ8/Q8f0vqBGxrMnmuOvJg=", + "lastModified": 1759235653, + "narHash": "sha256-sKFehUxXCzM6E1LcmnRa/O6HKsRI/TGtciG5ulAJt08=", "owner": "chaotic-cx", "repo": "nyx", - "rev": "ae7eac57b8dfc221270bb4f4752a87fe4f17ca11", + "rev": "2bf7f138e42fa8b2133761edab64263505cb83bf", "type": "github" }, "original": { @@ -212,11 +212,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1759128018, - "narHash": "sha256-30KHoIXMgyNQULifR1yQ5Sp0vr4tWpGRJXPOTgEzx1A=", + "lastModified": 1759214609, + "narHash": "sha256-+V3SeMjAMd9j9JTECk9oc0gWhtsk79rFEbYf/tHjywo=", "owner": "nix-community", "repo": "fenix", - "rev": "5c342209226275f704ab84d89efc80b2d3963517", + "rev": "f93a2d7225bc7a93d3379acff8fe722e21d97852", "type": "github" }, "original": { @@ -590,11 +590,11 @@ "rust-overlay": "rust-overlay_2" }, "locked": { - "lastModified": 1758833221, - "narHash": "sha256-c3fpREWUKGonlmV/aesmyRxbJZQypHgXStR7SwdcCo0=", + "lastModified": 1759201995, + "narHash": "sha256-3STv6fITv8Ar/kl0H7vIA7VV0d2gyLh8UL0BOiVacXg=", "owner": "helix-editor", "repo": "helix", - "rev": "109c812233e442addccf1739dec4406248bd3244", + "rev": "bfcbef10c513108c7b43317569416c2eefc4ed44", "type": "github" }, "original": { @@ -610,11 +610,11 @@ ] }, "locked": { - "lastModified": 1759106866, - "narHash": "sha256-GjLvAl7qxGxKtop6ghasxjQ1biTT7pA+WU45byzMl/4=", + "lastModified": 1759236626, + "narHash": "sha256-1BjCUU2csqhR5umGYFnOOTU8r8Bi+bnB2SLsr0FLcws=", "owner": "nix-community", "repo": "home-manager", - "rev": "619ae569293b6427d23cce4854eb4f3c33af3eec", + "rev": "9e0453a9b0c8ef22de0355b731d712707daa6308", "type": "github" }, "original": { 
@@ -652,11 +652,11 @@ ] }, "locked": { - "lastModified": 1758928860, - "narHash": "sha256-ZqaRdd+KoR54dNJPtd7UX4O0X+02YItnTpQVu28lSVI=", + "lastModified": 1759172751, + "narHash": "sha256-E8W8sRXfrvkFW26GuuiWq6QfReU7m5+cngwHuRo/3jc=", "owner": "nix-community", "repo": "home-manager", - "rev": "bc2afee55bc5d3b825287829d6592b9cc1405aad", + "rev": "12fa8548feefa9a10266ba65152fd1a787cdde8f", "type": "github" }, "original": { @@ -803,11 +803,11 @@ "xdph": "xdph" }, "locked": { - "lastModified": 1759148562, - "narHash": "sha256-kPSevFrZv/zmXy0rVhbZr2nQ4nXmt7lnI2/xqGoIVT4=", + "lastModified": 1759169434, + "narHash": "sha256-1u6kq88ICeE9IiJPditYa248ZoEqo00kz6iUR+jLvBQ=", "owner": "hyprwm", "repo": "hyprland", - "rev": "09596725910aab2a9defed250348aebeee40f842", + "rev": "38c1e72c9d81fcdad8f173e06102a5da18836230", "type": "github" }, "original": { @@ -824,11 +824,11 @@ ] }, "locked": { - "lastModified": 1759123041, - "narHash": "sha256-O3dfYBYhsdjpELmyE1czkQfG2Jzh+pzsKMhPX3QVz80=", + "lastModified": 1759238633, + "narHash": "sha256-4/AtRCQKXuU49ozZZouWuC+T7vCjQh9HAz3N8Tt5OZE=", "owner": "hyprwm", "repo": "contrib", - "rev": "125043bea28e5f988f4e97250213948667a26b1c", + "rev": "513d71d3f42c05d6a38e215382c5a6ce971bd77d", "type": "github" }, "original": { @@ -1626,11 +1626,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1759060464, - "narHash": "sha256-37+iMpZOQ1m9SuOJTBlRK1R0IVPS7e95oQggK82UpLs=", + "lastModified": 1759134797, + "narHash": "sha256-YPi+jL3tx/yC5J5l7/OB7Lnlr9BMTzYnZtm7tRJzUNg=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "5c0b555a65cadc14a6a16865c3e065c9d30b0bef", + "rev": "062ac7a5451e8e92a32e22a60d86882d6a034f3f", "type": "github" }, "original": { 
@@ -1648,11 +1648,11 @@ ] }, "locked": { - "lastModified": 1758940228, - "narHash": "sha256-sTS04L9LKqzP1oiVXYDwcMzfFSF0DnSJQFzZBpEgLFE=", + "lastModified": 1759113356, + "narHash": "sha256-xm4kEUcV2jk6u15aHazFP4YsMwhq+PczA+Ul/4FDKWI=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "5bfedf3fbbf5caf8e39f7fcd62238f54d82aa1e2", + "rev": "be3b8843a2be2411500f6c052876119485e957a2", "type": "github" }, "original": { @@ -1923,11 +1923,11 @@ ] }, "locked": { - "lastModified": 1759072104, - "narHash": "sha256-2B5RObgBD/ptcC8rO6jI2o+0LWg3iG300wQlBYiyjec=", + "lastModified": 1759180079, + "narHash": "sha256-5hqTGqAKcLEumY3tqOtHK17CA6RkzS1I0EGKfuoyb58=", "ref": "refs/heads/main", - "rev": "8db6527b42469df2ffd888e79fe15151888bdc0f", - "revCount": 134, + "rev": "d4a254b38c7ac2b99931220d767610adfa3a57fe", + "revCount": 135, "type": "git", "url": "https://git.sr.ht/~canasta/zen-browser-flake" },
diff --git a/modules/server/authentik/default.nix b/modules/server/authentik/default.nix
index 63980cc8..45895d5d 100644
--- a/modules/server/authentik/default.nix
+++ b/modules/server/authentik/default.nix
@@ -65,7 +65,7 @@ in {
 fail2ban = lib.mkIf cfg.enable {
 jails = {
 authentik = {
- serviceName = "${cfg.url}";
+ serviceName = "authentik";
 failRegex = "^.*Username or password is incorrect. Try again. IP: . Username: .*.$";
 };
 };
 };
diff --git a/modules/server/www/default.nix b/modules/server/www/default.nix
index fc1737a6..45f6f420 100644
--- a/modules/server/www/default.nix
+++ b/modules/server/www/default.nix
@@ -44,9 +44,11 @@ in {
 server = {
 fail2ban = lib.mkIf config.server.www.enable {
 jails = {
- www = {
- serviceName = "cnst.dev";
- failRegex = "^.*Username or password is incorrect. Try again. IP: . Username: .*.$";
+ nginx-404 = {
+ serviceName = "nginx";
+ failRegex = ''^.*\[error\].*directory index of.* is forbidden.*client: .*$'';
+ ignoreRegex = "";
+ maxRetry = 5;
 };
 };
 };
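Review bot: The `failRegex` on the unchanged line of this jail reads `IP: . Username:` as shown here, with nothing between `IP: ` and the dot that could capture an address. fail2ban needs a host capture such as `<HOST>` in a failregex, so if the token is missing in the file and not only in this rendering, the jail cannot ban anything even with the corrected `serviceName = "authentik";`. The pattern also opens with `^.*` and ends with `Username: .*.$`, and the username is supplied by the client, so it would be safer to anchor the match on the fixed log prefix and end the host capture at the literal `. Username: ` rather than rely on greedy matching. How `serviceName` is consumed is defined outside this hunk; a one-line comment naming the unit or log source it must match would help.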
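Review bot: The new jail is named `nginx-404`, but its `failRegex` matches nginx's `directory index of ... is forbidden` error, which nginx logs for a refused directory listing (a 403), not for a missing file; rename the jail or add a comment such as `# bans repeated directory-listing probes (403), not 404s`. As shown, the pattern ends in `client: .*$` with no host capture after `client: `; fail2ban needs one (`client: <HOST>`), unless the token was only lost in this rendering. The unanchored `.*` before `client:` also runs over request-derived text, so anchoring on the nginx error-log prefix is safer. The same file defines a traefik router for webfinger, so if nginx only ever sees the proxy as its peer, the address in `client:` would be the proxy's and a ban would hit it instead of the remote client; that depends on real-IP configuration not visible in this hunk.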
@@ -64,14 +66,23 @@ in {
 virtualHosts."webfinger" = {
 forceSSL = false;
 serverName = cfg.url;
- root = "/etc/webfinger";
+ root = "/var/www/webfinger";
+
 locations."= /.well-known/webfinger" = {
- root = "/etc/webfinger";
+ root = "/var/www/webfinger";
 extraConfig = ''
 default_type application/jrd+json;
 try_files /.well-known/webfinger =404;
 '';
 };
+
+ locations."= /robots.txt" = {
+ root = "/var/www/webfinger";
+ extraConfig = ''
+ default_type text/plain;
+ try_files /robots.txt =404;
+ '';
+ };
 };
 };
@@ -85,17 +96,24 @@ in {
 };
 };
- environment.etc."webfinger/.well-known/webfinger".text = ''
- {
- "subject": "acct:adam@${cfg.url}",
- "links": [
- {
- "rel": "http://openid.net/specs/connect/1.0/issuer",
- "href": "https://auth.${cfg.url}/application/o/tailscale/"
- }
- ]
- }
- '';
+ environment.etc = {
+ "webfinger/.well-known/webfinger".text = ''
+ {
+ "subject": "acct:adam@${cfg.url}",
+ "links": [
+ {
+ "rel": "http://openid.net/specs/connect/1.0/issuer",
+ "href": "https://auth.${cfg.url}/application/o/tailscale/"
+ }
+ ]
+ }
+ '';
+
+ "webfinger/robots.txt".text = ''
+ User-agent: *
+ Disallow: /
+ '';
+ };
 services.traefik.dynamicConfigOptions.http = {
 routers.webfinger = {
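Review bot: Both `root` values in the `webfinger` virtual host now point at `/var/www/webfinger`, but the hunk at `@@ -85,17 +96,24 @@` still creates the files through `environment.etc`, which places them under `/etc/webfinger/`. Unless something outside these hunks populates `/var/www/webfinger`, both `try_files` directives fall through to `=404` and the WebFinger document that points at the OIDC issuer stops being served. Either keep `root = "/etc/webfinger";` or create the tree where nginx now looks, for example with `systemd.tmpfiles.rules = [ "L+ /var/www/webfinger - - - - /etc/webfinger" ];`. The enclosing module body starts and ends outside both hunks.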