all the broken

feat(authentik): fixing some fail2ban things
2025-10-04 20:35:06 +02:00 · 2025-10-02 05:45:35 +02:00 · 2025-10-01 18:00:55 +02:00 · 2025-09-30 18:16:49 +02:00
22 changed files with 507 additions and 383 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -114,11 +114,11 @@
        "uv2nix": "uv2nix"
      },
      "locked": {
-        "lastModified": 1758177015,
+        "lastModified": 1759322529,
-        "narHash": "sha256-PCUWdbaxayY3YfSjVlyddBMYoGvSaRysd5AmZ8gqSFs=",
+        "narHash": "sha256-yiv/g/tiJI3PI95F7vhTnaf1TDsIkFLrmmFTjWfb6pQ=",
        "owner": "nix-community",
        "repo": "authentik-nix",
-        "rev": "4c626ed84cc0f1278bfba0f534efd6cba2788d75",
+        "rev": "69fac057b2e553ee17c9a09b822d735823d65a6c",
        "type": "github"
      },
      "original": {
@@ -130,16 +130,16 @@
    "authentik-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1758035356,
+        "lastModified": 1759190535,
-        "narHash": "sha256-DkvxDwHCfSqEpZ9rRXNR8MP0Mz/y1kHAr38exrHQ39c=",
+        "narHash": "sha256-pIzDaoDWc58cY/XhsyweCwc4dfRvkaT/zqsV1gDSnCI=",
        "owner": "goauthentik",
        "repo": "authentik",
-        "rev": "680feaefa17934471a6b33ebc35caf5b64120404",
+        "rev": "8d3a289d12c7de2f244c76493af7880f70d08af2",
        "type": "github"
      },
      "original": {
        "owner": "goauthentik",
-        "ref": "version/2025.8.3",
+        "ref": "version/2025.8.4",
        "repo": "authentik",
        "type": "github"
      }
@@ -153,11 +153,11 @@
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1759155412,
+        "lastModified": 1759348172,
-        "narHash": "sha256-5JMoXMQt0C1SAHzhHwKLIEZ8/Q8f0vqBGxrMnmuOvJg=",
+        "narHash": "sha256-ZPUJX2ZA0ndcHndIA/S/nRESIJV0rifPr91SUpzJtEM=",
        "owner": "chaotic-cx",
        "repo": "nyx",
-        "rev": "ae7eac57b8dfc221270bb4f4752a87fe4f17ca11",
+        "rev": "dd1af56ad79c965ee20c236ba6adbb2135ac02af",
        "type": "github"
      },
      "original": {
@@ -212,11 +212,11 @@
        "rust-analyzer-src": "rust-analyzer-src"
      },
      "locked": {
-        "lastModified": 1759128018,
+        "lastModified": 1759473677,
-        "narHash": "sha256-30KHoIXMgyNQULifR1yQ5Sp0vr4tWpGRJXPOTgEzx1A=",
+        "narHash": "sha256-9AFDP5AhXe06aXXPsV7bDGH7KA9Wo4uUtK7pRrsxuFQ=",
        "owner": "nix-community",
        "repo": "fenix",
-        "rev": "5c342209226275f704ab84d89efc80b2d3963517",
+        "rev": "8532b07ced6a95d57650124c79534a3c770431ab",
        "type": "github"
      },
      "original": {
@@ -332,11 +332,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1756770412,
+        "lastModified": 1759362264,
-        "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=",
+        "narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "4524271976b625a4a605beefd893f270620fd751",
+        "rev": "758cf7296bee11f1706a574c77d072b8a7baa881",
        "type": "github"
      },
      "original": {
@@ -392,11 +392,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1756770412,
+        "lastModified": 1759362264,
-        "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=",
+        "narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "4524271976b625a4a605beefd893f270620fd751",
+        "rev": "758cf7296bee11f1706a574c77d072b8a7baa881",
        "type": "github"
      },
      "original": {
@@ -571,11 +571,11 @@
    },
    "hardware": {
      "locked": {
-        "lastModified": 1758663926,
+        "lastModified": 1759261527,
-        "narHash": "sha256-6CFdj7Xs616t1W4jLDH7IohAAvl5Dyib3qEv/Uqw1rk=",
+        "narHash": "sha256-wPd5oGvBBpUEzMF0kWnXge0WITNsITx/aGI9qLHgJ4g=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "170ff93c860b2a9868ed1e1102d4e52cb3d934e1",
+        "rev": "e087756cf4abbe1a34f3544c480fc1034d68742f",
        "type": "github"
      },
      "original": {
@@ -590,11 +590,11 @@
        "rust-overlay": "rust-overlay_2"
      },
      "locked": {
-        "lastModified": 1758833221,
+        "lastModified": 1759201995,
-        "narHash": "sha256-c3fpREWUKGonlmV/aesmyRxbJZQypHgXStR7SwdcCo0=",
+        "narHash": "sha256-3STv6fITv8Ar/kl0H7vIA7VV0d2gyLh8UL0BOiVacXg=",
        "owner": "helix-editor",
        "repo": "helix",
-        "rev": "109c812233e442addccf1739dec4406248bd3244",
+        "rev": "bfcbef10c513108c7b43317569416c2eefc4ed44",
        "type": "github"
      },
      "original": {
@@ -610,11 +610,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1759106866,
+        "lastModified": 1759337100,
-        "narHash": "sha256-GjLvAl7qxGxKtop6ghasxjQ1biTT7pA+WU45byzMl/4=",
+        "narHash": "sha256-CcT3QvZ74NGfM+lSOILcCEeU+SnqXRvl1XCRHenZ0Us=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "619ae569293b6427d23cce4854eb4f3c33af3eec",
+        "rev": "004753ae6b04c4b18aa07192c1106800aaacf6c3",
        "type": "github"
      },
      "original": {
@@ -652,11 +652,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1758928860,
+        "lastModified": 1759261733,
-        "narHash": "sha256-ZqaRdd+KoR54dNJPtd7UX4O0X+02YItnTpQVu28lSVI=",
+        "narHash": "sha256-G104PUPKBgJmcu4NWs0LUaPpSOTD4jiq4mamLWu3Oc0=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "bc2afee55bc5d3b825287829d6592b9cc1405aad",
+        "rev": "5a21f4819ee1be645f46d6b255d49f4271ef6723",
        "type": "github"
      },
      "original": {
@@ -803,11 +803,11 @@
        "xdph": "xdph"
      },
      "locked": {
-        "lastModified": 1759148562,
+        "lastModified": 1759399554,
-        "narHash": "sha256-kPSevFrZv/zmXy0rVhbZr2nQ4nXmt7lnI2/xqGoIVT4=",
+        "narHash": "sha256-FsFugHj7He5siEcmoRUdMKHB8uMzyneK/fynPS57W4E=",
        "owner": "hyprwm",
        "repo": "hyprland",
-        "rev": "09596725910aab2a9defed250348aebeee40f842",
+        "rev": "3bcfa94ee4189faaa4daf661949e88cf28c00d94",
        "type": "github"
      },
      "original": {
@@ -824,11 +824,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1759123041,
+        "lastModified": 1759238633,
-        "narHash": "sha256-O3dfYBYhsdjpELmyE1czkQfG2Jzh+pzsKMhPX3QVz80=",
+        "narHash": "sha256-4/AtRCQKXuU49ozZZouWuC+T7vCjQh9HAz3N8Tt5OZE=",
        "owner": "hyprwm",
        "repo": "contrib",
-        "rev": "125043bea28e5f988f4e97250213948667a26b1c",
+        "rev": "513d71d3f42c05d6a38e215382c5a6ce971bd77d",
        "type": "github"
      },
      "original": {
@@ -1006,11 +1006,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1758124489,
+        "lastModified": 1759492718,
-        "narHash": "sha256-YiVF/8Me3vVKJBEgGpQhn0HF09EWfXZGaWLzAaJBrO4=",
+        "narHash": "sha256-Mxi/LyyHE9VKUnBs4y1hXO+wRqukZJjbx/igqKQxkQk=",
        "owner": "hyprwm",
        "repo": "hyprlock",
-        "rev": "7f769fa993cb492982d7bf25676c68ddbcc0268e",
+        "rev": "3cb799b1842016c85cca2db66fa502b8179cf0fe",
        "type": "github"
      },
      "original": {
@@ -1191,11 +1191,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1757230583,
+        "lastModified": 1759217228,
-        "narHash": "sha256-4uqu7sFPOaVTCogsxaGMgbzZ2vK40GVGMfUmrvK3/LY=",
+        "narHash": "sha256-P13ExJlhMVkrc5LxZLNkIJZhjNYo3LLXnxDsUNrdnMQ=",
        "owner": "Jovian-Experiments",
        "repo": "Jovian-NixOS",
-        "rev": "fc3960e6c32c9d4f95fff2ef84444284d24d3bea",
+        "rev": "e52c15ab25f7dc68dde527c8df5bfa9d80d8e64f",
        "type": "github"
      },
      "original": {
@@ -1229,11 +1229,11 @@
    },
    "mnw": {
      "locked": {
-        "lastModified": 1756659871,
+        "lastModified": 1758834834,
-        "narHash": "sha256-v6Rh4aQ6RKjM2N02kK9Usn0Ix7+OY66vNpeklc1MnGE=",
+        "narHash": "sha256-Y7IvY4F8vajZyp3WGf+KaiIVwondEkMFkt92Cr9NZmg=",
        "owner": "Gerg-L",
        "repo": "mnw",
-        "rev": "ed6cc3e48557ba18266e598a5ebb6602499ada16",
+        "rev": "cfbc7d1cc832e318d0863a5fc91d940a96034001",
        "type": "github"
      },
      "original": {
@@ -1278,11 +1278,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1759110900,
+        "lastModified": 1759455985,
-        "narHash": "sha256-fcu/r0ijvaYT2VHGkZGr0wq9uBMNFkiftVBy43/2oig=",
+        "narHash": "sha256-8qDv7NXH3fj1CDXed7c7vJLtrRKDZSo0x6TaWSfelVg=",
        "owner": "fufexan",
        "repo": "nix-gaming",
-        "rev": "2ac6a49266e9159ccb001b4c8cb1f50f67d502ae",
+        "rev": "eb5ab503cbd3cb386e8d85a55a9faed73ec7dc37",
        "type": "github"
      },
      "original": {
@@ -1443,11 +1443,11 @@
    },
    "nixpkgs_8": {
      "locked": {
-        "lastModified": 1759036355,
+        "lastModified": 1759381078,
-        "narHash": "sha256-0m27AKv6ka+q270dw48KflE0LwQYrO7Fm4/2//KCVWg=",
+        "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "e9f00bd893984bc8ce46c895c3bf7cac95331127",
+        "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee",
        "type": "github"
      },
      "original": {
@@ -1459,11 +1459,11 @@
    },
    "nixpkgs_9": {
      "locked": {
-        "lastModified": 1756696532,
+        "lastModified": 1759386674,
-        "narHash": "sha256-6FWagzm0b7I/IGigOv9pr6LL7NQ86mextfE8g8Q6HBg=",
+        "narHash": "sha256-wg1Lz/1FC5Q13R+mM5a2oTV9TA9L/CHHTm3/PiLayfA=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "58dcbf1ec551914c3756c267b8b9c8c86baa1b2f",
+        "rev": "625ad6366178f03acd79f9e3822606dd7985b657",
        "type": "github"
      },
      "original": {
@@ -1482,11 +1482,11 @@
        "systems": "systems_5"
      },
      "locked": {
-        "lastModified": 1758271661,
+        "lastModified": 1759469269,
-        "narHash": "sha256-ENqd2/33uP5vB44ClDjjAV+J78oF8q1er4QUZuT8Z7g=",
+        "narHash": "sha256-DP833ejGUNRRHsJOB3WRTaWWXLNucaDga2ju/fGe+sc=",
        "owner": "notashelf",
        "repo": "nvf",
-        "rev": "b7571df4d6e9ac08506a738ddceeec0b141751b0",
+        "rev": "e48638aef3a95377689de0ef940443c64f870a09",
        "type": "github"
      },
      "original": {
@@ -1626,11 +1626,11 @@
    "rust-analyzer-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1759060464,
+        "lastModified": 1759301569,
-        "narHash": "sha256-37+iMpZOQ1m9SuOJTBlRK1R0IVPS7e95oQggK82UpLs=",
+        "narHash": "sha256-7StxDed3v2fAWLkl+Hse9FlpjT7Dk7Cn/4vxTFyEhIg=",
        "owner": "rust-lang",
        "repo": "rust-analyzer",
-        "rev": "5c0b555a65cadc14a6a16865c3e065c9d30b0bef",
+        "rev": "472037b789cf593172d6adf3b8d9f7a429f6cd9b",
        "type": "github"
      },
      "original": {
@@ -1648,11 +1648,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1758940228,
+        "lastModified": 1759286284,
-        "narHash": "sha256-sTS04L9LKqzP1oiVXYDwcMzfFSF0DnSJQFzZBpEgLFE=",
+        "narHash": "sha256-JLdGGc4XDutzSD1L65Ni6Ye+oTm8kWfm0KTPMcyl7Y4=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "5bfedf3fbbf5caf8e39f7fcd62238f54d82aa1e2",
+        "rev": "f6f2da475176bb7cff51faae8b3fe879cd393545",
        "type": "github"
      },
      "original": {
@@ -1923,11 +1923,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1759072104,
+        "lastModified": 1759180079,
-        "narHash": "sha256-2B5RObgBD/ptcC8rO6jI2o+0LWg3iG300wQlBYiyjec=",
+        "narHash": "sha256-5hqTGqAKcLEumY3tqOtHK17CA6RkzS1I0EGKfuoyb58=",
        "ref": "refs/heads/main",
-        "rev": "8db6527b42469df2ffd888e79fe15151888bdc0f",
+        "rev": "d4a254b38c7ac2b99931220d767610adfa3a57fe",
-        "revCount": 134,
+        "revCount": 135,
        "type": "git",
        "url": "https://git.sr.ht/~canasta/zen-browser-flake"
      },
--- a/hosts/sobotka/modules.nix
+++ b/hosts/sobotka/modules.nix
@@ -214,7 +214,7 @@
        flags = "--performance";
      };
      tailscale = {
-        enable = true;
+        enable = false;
      };
      udisks = {
        enable = true;
--- a/hosts/sobotka/server.nix
+++ b/hosts/sobotka/server.nix
@@ -8,7 +8,7 @@
    uid = 994;
    gid = 993;
-    traefik = {
+    nginx = {
      enable = true;
    };
    gitea = {
@@ -42,7 +42,11 @@
      enable = true;
    };
    jellyfin = {
-      enable = true;
+      enable = false;
      cloudflared = {
        tunnelId = "234811e2-bc86-44b2-9abd-493686e25704";
        credentialsFile = config.age.secrets.jellyfinCloudflared.path;
      };
    };
    uptime-kuma = {
      enable = true;
@@ -56,7 +60,7 @@
      };
    };
    www = {
-      enable = true;
+      enable = false;
      url = "cnst.dev";
      cloudflared = {
        tunnelId = "e5076186-efb7-405a-998c-6155af7fb221";
@@ -88,14 +92,14 @@
      enable = true;
      gluetun.enable = true;
      qbittorrent = {
-        enable = true;
+        enable = false;
-        port = 8080;
+        port = 8387;
      };
      slskd = {
        enable = true;
      };
      pihole = {
-        enable = true;
+        enable = false;
        port = 8053;
      };
    };
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -141,7 +141,7 @@
        ./server/keepalived
        ./server/gitea
        ./server/postgres
-        ./server/traefik
+        ./server/nginx
        ./server/www
        ./server/authentik
      ];
--- a/modules/nixos/programs/pkgs/default.nix
+++ b/modules/nixos/programs/pkgs/default.nix
@@ -3,17 +3,16 @@
  config,
  lib,
  ...
-}:
+}: let
-let
+  inherit
-  inherit (lib)
+    (lib)
    mkIf
    mkOption
    mkMerge
    types
    ;
  cfg = config.nixos.programs.pkgs;
-in
+in {
 {
  options = {
    nixos.programs.pkgs = {
      enable = mkOption {
@@ -51,8 +50,7 @@ in
  };
  config = mkIf cfg.enable {
-    environment.systemPackages =
+    environment.systemPackages = with pkgs;
      with pkgs;
      mkMerge [
        [
          pciutils
@@ -114,6 +112,8 @@ in
          helix
          zfs
          zfstools
          cron
          acme-sh
        ])
        (mkIf cfg.dev.enable [
--- a/modules/nixos/services/agenix/default.nix
+++ b/modules/nixos/services/agenix/default.nix
@@ -70,7 +70,7 @@ in {
        secrets = {
          cloudflareFirewallApiKey.file = "${self}/secrets/cloudflareFirewallApiKey.age";
          cloudflareDnsApiToken.file = "${self}/secrets/cloudflareDnsApiToken.age";
-          cloudflareDnsCredentials.file = "${self}/secrets/cloudflareDnsCredentials.age";
+          # cloudflareDnsCredentials.file = "${self}/secrets/cloudflareDnsCredentials.age";
          wgCredentials.file = "${self}/secrets/wgCredentials.age";
          wgSobotkaPrivateKey.file = "${self}/secrets/wgSobotkaPrivateKey.age";
          gluetunEnvironment.file = "${self}/secrets/gluetunEnvironment.age";
--- a/modules/server/authentik/default.nix
+++ b/modules/server/authentik/default.nix
@@ -53,11 +53,9 @@ in {
    age.secrets = {
      authentikEnv = {
        file = "${self}/secrets/authentikEnv.age";
        owner = "authentik";
      };
      authentikCloudflared = {
        file = "${self}/secrets/authentikCloudflared.age";
        owner = "authentik";
      };
    };
@@ -65,8 +63,8 @@ in {
      fail2ban = lib.mkIf cfg.enable {
        jails = {
          authentik = {
-            serviceName = "${cfg.url}";
+            serviceName = "authentik";
-            failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$";
+            failRegex = "^.*Username or password is incorrect.*IP:\s*<HOST>";
          };
        };
      };
@@ -99,22 +97,16 @@ in {
            middlewares = {
              authentik = {
                forwardAuth = {
-                  tls.insecureSkipVerify = true;
+                  # tls.insecureSkipVerify = true;
                  address = "https://localhost:9443/outpost.goauthentik.io/auth/traefik";
                  trustForwardHeader = true;
                  authResponseHeaders = [
                    "X-authentik-username"
                    "X-authentik-groups"
                    "X-authentik-email"
                    "X-authentik-name"
                    "X-authentik-uid"
                    "X-authentik-jwt"
                    "X-authentik-meta-jwks"
                    "X-authentik-meta-outpost"
                    "X-authentik-meta-provider"
                    "X-authentik-meta-app"
                    "X-authentik-meta-version"
                  ];
                  timeout = "10s";
                };
              };
            };
--- a/modules/server/default.nix
+++ b/modules/server/default.nix
@@ -17,14 +17,14 @@ in {
      default = "";
      type = types.str;
      description = ''
-        Email name to be used to access the server services via Caddy reverse proxy
+        Email name to be used to access the server services via NGINX reverse proxy
      '';
    };
    domain = mkOption {
      default = "";
      type = types.str;
      description = ''
-        Domain name to be used to access the server services via Caddy reverse proxy
+        Domain name to be used to access the server services via NGINX reverse proxy
      '';
    };
    user = lib.mkOption {
@@ -65,6 +65,11 @@ in {
  };
  config = lib.mkIf cfg.enable {
    _module.args = {
      myLib = import ./lib.nix {
        inherit lib config pkgs;
      };
    };
    users = {
      groups.${cfg.group} = {
        gid = cfg.gid;
@@ -93,7 +98,7 @@ in {
          "render"
          "input"
          "authentik"
-          "traefik"
+          "nginx"
        ];
      };
    };
--- a/modules/server/fail2ban/default.nix
+++ b/modules/server/fail2ban/default.nix
@@ -4,11 +4,9 @@
  config,
  pkgs,
  ...
-}:
+}: let
 let
  cfg = config.server.fail2ban;
-in
+in {
 {
  options.server.fail2ban = {
    enable = lib.mkEnableOption {
      description = "Enable cloudflare fail2ban";
@@ -17,7 +15,7 @@ in
      description = "File containing your API key, scoped to Firewall Rules: Edit";
      type = lib.types.str;
      example = lib.literalExpression ''
-        Authorization: Bearer Qj06My1wXJEzcW46QCyjFbSMgVtwIGfX63Ki3NOj79o=
+        Authorization: Bearer vH6-p0y=i4w3n7TjKqZ@x8D_lR!A9b2cOezXgUuJdE5F
        '''
      '';
    };
@@ -57,54 +55,54 @@ in
        pkgs.jq
      ];
-      jails = lib.attrsets.mapAttrs (name: value: {
+      jails =
-        settings = {
+        lib.attrsets.mapAttrs (name: value: {
-          bantime = "30d";
+          settings = {
-          findtime = "1h";
+            bantime = "168h";
-          enabled = true;
+            findtime = "30m";
-          backend = "systemd";
+            enabled = true;
-          journalmatch = "_SYSTEMD_UNIT=${value.serviceName}.service";
+            backend = "systemd";
-          port = "http,https";
+            journalmatch = "_SYSTEMD_UNIT=${value.serviceName}.service";
-          filter = "${name}";
+            port = "http,https";
-          maxretry = 3;
+            filter = "${name}";
-          action = "cloudflare-token-agenix";
+            maxretry = value.maxRetry or 5;
-        };
+            action = "cloudflare-token-agenix";
-      }) cfg.jails;
+          };
        })
        cfg.jails;
    };
    environment.etc = lib.attrsets.mergeAttrsList [
      (lib.attrsets.mapAttrs' (
-        name: value:
+          name: value: (lib.nameValuePair "fail2ban/filter.d/${name}.conf" {
-        (lib.nameValuePair "fail2ban/filter.d/${name}.conf" {
+            text = ''
-          text = ''
+              [Definition]
-            [Definition]
+              failregex = ${value.failRegex}
-            failregex = ${value.failRegex}
+              ignoreregex = ${value.ignoreRegex}
-            ignoreregex = ${value.ignoreRegex}
+            '';
-          '';
+          })
-        })
+        )
-      ) cfg.jails)
+        cfg.jails)
      {
-        "fail2ban/action.d/cloudflare-token-agenix.conf".text =
+        "fail2ban/action.d/cloudflare-token-agenix.conf".text = let
-          let
+          notes = "Fail2Ban on ${config.networking.hostName}";
-            notes = "Fail2Ban on ${config.networking.hostName}";
+          cfapi = "https://api.cloudflare.com/client/v4/zones/${cfg.zoneId}/firewall/access_rules/rules";
-            cfapi = "https://api.cloudflare.com/client/v4/zones/${cfg.zoneId}/firewall/access_rules/rules";
+        in ''
-          in
+          [Definition]
-          ''
+          actionstart =
-            [Definition]
+          actionstop =
-            actionstart =
+          actioncheck =
-            actionstop =
+          actionunban = id=$(curl -s -X GET "${cfapi}" \
-            actioncheck =
+              -H @${cfg.apiKeyFile} -H "Content-Type: application/json" \
-            actionunban = id=$(curl -s -X GET "${cfapi}" \
+                  | jq -r '.result[] | select(.notes == "${notes}" and .configuration.target == "ip" and .configuration.value == "<ip>") | .id')
-                -H @${cfg.apiKeyFile} -H "Content-Type: application/json" \
+              if [ -z "$id" ]; then echo "id for <ip> cannot be found"; exit 0; fi; \
-                    | jq -r '.result[] | select(.notes == "${notes}" and .configuration.target == "ip" and .configuration.value == "<ip>") | .id')
+              curl -s -X DELETE "${cfapi}/$id" \
-                if [ -z "$id" ]; then echo "id for <ip> cannot be found"; exit 0; fi; \
+                  -H @${cfg.apiKeyFile} -H "Content-Type: application/json" \
-                curl -s -X DELETE "${cfapi}/$id" \
+                  --data '{"cascade": "none"}'
-                    -H @${cfg.apiKeyFile} -H "Content-Type: application/json" \
+          actionban = curl -X POST "${cfapi}" -H @${cfg.apiKeyFile} -H "Content-Type: application/json" --data '{"mode":"block","configuration":{"target":"ip","value":"<ip>"},"notes":"${notes}"}'
-                    --data '{"cascade": "none"}'
+          [Init]
-            actionban = curl -X POST "${cfapi}" -H @${cfg.apiKeyFile} -H "Content-Type: application/json" --data '{"mode":"block","configuration":{"target":"ip","value":"<ip>"},"notes":"${notes}"}'
+          name = cloudflare-token-agenix
-            [Init]
+        '';
            name = cloudflare-token-agenix
          '';
      }
    ];
  };
--- a/modules/server/gitea/default.nix
+++ b/modules/server/gitea/default.nix
@@ -99,23 +99,6 @@ in {
      };
    };
    services.traefik = {
      dynamicConfigOptions = {
        http = {
          services.gitea.loadBalancer.servers = [{url = "http://127.0.0.1:5003";}];
          routers = {
            gitea = {
              entryPoints = ["websecure"];
              rule = "Host(`${cfg.url}`)";
              service = "gitea";
              tls.certResolver = "letsencrypt";
              # middlewares = ["authentik"];
            };
          };
        };
      };
    };
    server.postgresql.databases = [
      {
        database = "gitea";
--- a/modules/server/homepage-dashboard/default.nix
+++ b/modules/server/homepage-dashboard/default.nix
@@ -212,25 +212,6 @@ in {
            }
          ];
      };
      traefik = {
        dynamicConfigOptions = {
          http = {
            services.homepage.loadBalancer.servers = [
              {url = "http://127.0.0.1:${toString config.services.${unit}.listenPort}";}
            ];
            routers = {
              homepage = {
                entryPoints = ["websecure"];
                rule = "Host(`cnix.dev`)";
                service = "homepage";
                tls.certResolver = "letsencrypt";
                # middlewares = ["authentik"];
              };
            };
          };
        };
      };
    };
  };
 }
--- a/modules/server/jellyfin/default.nix
+++ b/modules/server/jellyfin/default.nix
@@ -2,23 +2,38 @@
  config,
  lib,
  pkgs,
  self,
  ...
 }: let
-  service = "jellyfin";
+  unit = "jellyfin";
-  cfg = config.server.${service};
+  cfg = config.server.${unit};
  srv = config.server;
 in {
-  options.server.${service} = {
+  options.server.${unit} = {
    enable = lib.mkEnableOption {
-      description = "Enable ${service}";
+      description = "Enable ${unit}";
    };
    configDir = lib.mkOption {
      type = lib.types.str;
-      default = "/var/lib/${service}";
+      default = "/var/lib/${unit}";
    };
    url = lib.mkOption {
      type = lib.types.str;
-      default = "jellyfin.${srv.domain}";
+      default = "jellyfin.${srv.www.url}";
    };
    cloudflared = {
      credentialsFile = lib.mkOption {
        type = lib.types.str;
        example = lib.literalExpression ''
          pkgs.writeText "cloudflare-credentials.json" '''
          {"AccountTag":"secret"."TunnelSecret":"secret","TunnelID":"secret"}
          '''
        '';
      };
      tunnelId = lib.mkOption {
        type = lib.types.str;
        example = "00000000-0000-0000-0000-000000000000";
      };
    };
    homepage.name = lib.mkOption {
      type = lib.types.str;
@@ -38,17 +53,62 @@ in {
    };
  };
  config = lib.mkIf cfg.enable {
-    services.${service} = {
+    age.secrets = {
-      enable = true;
+      jellyfinCloudflared = {
-      user = srv.user;
+        file = "${self}/secrets/jellyfinCloudflared.age";
-      group = srv.group;
+        owner = "${srv.user}";
        group = "${srv.group}";
        mode = "0400";
      };
    };
    services = {
      cloudflared = {
        enable = true;
        tunnels.${cfg.cloudflared.tunnelId} = {
          credentialsFile = cfg.cloudflared.credentialsFile;
          default = "http_status:404";
          ingress."${cfg.url}".service = "http://127.0.0.1:8096";
        };
      };
      ${unit} = {
        enable = true;
        user = srv.user;
        group = srv.group;
      };
    };
    environment.systemPackages = with pkgs; [
      jellyfin-ffmpeg
    ];
    services.traefik = {
      dynamicConfigOptions = {
        http = {
          middlewares = {
            secureHeaders = {
              headers = {
                stsSeconds = 31536000;
                forceSTSHeader = true;
                stsIncludeSubdomains = true;
                stsPreload = true;
                browserXssFilter = true;
                frameDeny = true;
                referrerPolicy = "no-referrer";
                contentTypeNosniff = true;
                customResponseHeaders = {
                  "Content-Security-Policy" = "default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';";
                };
              };
            };
            ratelimit = {
              rateLimit = {
                average = 10;
                burst = 20;
              };
            };
          };
          services.jellyfin.loadBalancer.servers = [{url = "http://127.0.0.1:8096";}];
          routers = {
            jellyfin = {
@@ -56,7 +116,7 @@ in {
              rule = "Host(`${cfg.url}`)";
              service = "jellyfin";
              tls.certResolver = "letsencrypt";
-              # middlewares = ["authentik"];
+              middlewares = ["authentik" "secureHeaders" "ratelimit"];
            };
          };
        };
--- a/modules/server/lib.nix
+++ b/modules/server/lib.nix
@@ -0,0 +1,148 @@
 # from @jtojnar
 {
  config,
  lib,
  pkgs,
  ...
 }: {
  mkVirtualHost = {
    path ? null,
    config ? "",
    acme ? null,
    redirect ? null,
    ...
  } @ args:
    (
      if lib.isString acme
      then {
        useACMEHost = acme;
        forceSSL = true;
      }
      else {}
    )
    // (
      if lib.isBool acme
      then {
        enableACME = acme;
        forceSSL = true;
      }
      else {}
    )
    // (
      if redirect != null
      then {
        globalRedirect = redirect;
      }
      else {}
    )
    // (
      if path != null
      then {
        root = "/var/www/" + path;
      }
      else {}
    )
    // {
      extraConfig = config;
    }
    // builtins.removeAttrs args [
      "path"
      "config"
      "acme"
      "redirect"
    ];
  mkPhpPool = {
    user,
    debug ? false,
    settings ? {},
    ...
  } @ args:
    {
      inherit user;
      settings =
        {
          "listen.owner" = "nginx";
          "listen.group" = "root";
          "pm" = "dynamic";
          "pm.max_children" = 5;
          "pm.start_servers" = 2;
          "pm.min_spare_servers" = 1;
          "pm.max_spare_servers" = 3;
        }
        // (
          lib.optionalAttrs debug {
            # log worker's stdout, but this has a performance hit
            "catch_workers_output" = true;
          }
          // settings
        );
    }
    // builtins.removeAttrs args [
      "user"
      "debug"
      "settings"
    ];
  enablePHP = sockName: ''
    fastcgi_pass unix:${config.services.phpfpm.pools.${sockName}.socket};
    include ${config.services.nginx.package}/conf/fastcgi.conf;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
  '';
  /*
  Adds extra options to ssh key that will only allow it to be used for rsync.
  See sshd(8) manual page for details.
  */
  restrictToRsync = directory: key: ''command="${pkgs.rrsync}/bin/rrsync -wo ${directory}",restrict ${key}'';
  /*
  Emulate systemd credentials.
  Those will only be available to the user the service is running under,
  not being aware of dropped euid.
  http://systemd.io/CREDENTIALS/
  */
  emulateCredentials = let
    parseCredential = credential: let
      matches = builtins.match "(.+):(.+)" credential;
    in
      assert lib.assertMsg (matches != null) "A credential needs to match “id:value” format"; {
        id = builtins.elemAt matches 0;
        value = builtins.elemAt matches 1;
      };
    parseCredentials = credentials:
      builtins.map parseCredential (
        if builtins.isList credentials
        then credentials
        else lib.splitString "," credentials
      );
  in
    serviceConfig:
      lib.mkMerge [
        (builtins.removeAttrs serviceConfig [
          "SetCredential"
          "LoadCredential"
        ])
        {
          Environment = [
            "CREDENTIALS_DIRECTORY=${
              pkgs.runCommand "credentials" {} ''
                mkdir "$out"
                ${lib.concatMapStringsSep "\n" ({
                  id,
                  value,
                }: ''ln -s "${value}" "$out/${id}"'') (
                  parseCredentials serviceConfig.LoadCredential or []
                )}
                ${lib.concatMapStringsSep "\n" ({
                  id,
                  value,
                }: ''echo -n "${value}" > "$out/${id}"'') (
                  parseCredentials serviceConfig.SetCredential or []
                )}
              ''
            }"
          ];
        }
      ];
 }
--- a/modules/server/nginx/default.nix
+++ b/modules/server/nginx/default.nix
@@ -0,0 +1,79 @@
 {
  lib,
  config,
  pkgs,
  self,
  myLib,
  ...
 }: let
  inherit (myLib) mkVirtualHost;
  inherit (lib) mkEnableOption mkIf types;
  unit = "nginx";
  cfg = config.server.nginx;
  srv = config.server;
 in {
  options.server.nginx = {
    enable = mkEnableOption "Enable global NGINX reverse proxy with ACME";
  };
  config = mkIf cfg.enable {
    age.secrets = {
      nginxEnv = {
        file = "${self}/secrets/nginxEnv.age";
      };
    };
    networking.firewall.allowedTCPPorts = [80 443];
    security = {
      acme = {
        acceptTerms = true;
        defaults.email = config.server.email;
        certs.${srv.domain} = {
          reloadServices = ["nginx.service"];
          domain = "${srv.domain}";
          extraDomainNames = ["*.${srv.domain}"];
          dnsProvider = "cloudflare";
          dnsPropagationCheck = true;
          group = config.services.nginx.group;
          environmentFile = config.age.secrets.nginxEnv.path;
        };
      };
      dhparams = {
        enable = true;
        params.nginx = {};
      };
    };
    services.nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      resolver.addresses = config.networking.nameservers;
      sslDhparam = config.security.dhparams.params.nginx.path;
      appendHttpConfig = ''
        proxy_headers_hash_max_size 512;
        proxy_headers_hash_bucket_size 128;
      '';
      virtualHosts = let
        labDomain = "cnix.dev";
        labCert = {
          useACMEHost = "cnix.dev";
          forceSSL = true;
        };
      in {
        # proxies on domain with https, only accessible within local network
        "${labDomain}" =
          labCert
          // {
            locations."/".proxyPass = "http://127.0.0.1:${toString config.services.homepage-dashboard.listenPort}";
          };
      };
    };
    users.users.nginx.extraGroups = ["acme"];
  };
 }
--- a/modules/server/podman/default.nix
+++ b/modules/server/podman/default.nix
@@ -34,7 +34,7 @@ in {
      };
      port = lib.mkOption {
        type = lib.types.int;
-        default = 8080;
+        default = 8387;
        description = "The port to host qBittorrent on.";
      };
      homepage.name = lib.mkOption {
@@ -143,62 +143,6 @@ in {
      ];
    };
    services.traefik = lib.mkMerge [
      (lib.mkIf cfg.pihole.enable {
        dynamicConfigOptions = {
          http = {
            services = {
              pihole.loadBalancer.servers = [{url = "http://localhost:${toString cfg.pihole.port}";}];
            };
            routers = {
              pihole = {
                entryPoints = ["websecure"];
                rule = "Host(`${cfg.pihole.url}`)";
                service = "pihole";
                tls.certResolver = "letsencrypt";
              };
            };
          };
        };
      })
      (lib.mkIf cfg.qbittorrent.enable {
        dynamicConfigOptions = {
          http = {
            services = {
              qbittorrent.loadBalancer.servers = [{url = "http://localhost:${toString cfg.qbittorrent.port}";}];
            };
            routers = {
              qbittorrent = {
                entryPoints = ["websecure"];
                rule = "Host(`${cfg.qbittorrent.url}`)";
                service = "qbittorrent";
                tls.certResolver = "letsencrypt";
              };
            };
          };
        };
      })
      (lib.mkIf cfg.slskd.enable {
        dynamicConfigOptions = {
          http = {
            services = {
              slskd.loadBalancer.servers = [{url = "http://localhost:${toString cfg.slskd.port}";}];
            };
            routers = {
              slskd = {
                entryPoints = ["websecure"];
                rule = "Host(`${cfg.slskd.url}`)";
                service = "slskd";
                tls.certResolver = "letsencrypt";
              };
            };
          };
        };
      })
    ];
    virtualisation.oci-containers.containers = lib.mkMerge [
      (lib.mkIf cfg.gluetun.enable {
        gluetun = {
@@ -206,7 +150,7 @@ in {
          ports = [
            "8388:8388"
            "58846:58846"
-            "8080:8080"
+            "8387:8387"
            "5030:5030"
            "5031:5031"
            "50300:50300"
@@ -235,7 +179,7 @@ in {
          autoStart = true;
          dependsOn = ["gluetun"];
          ports = [
-            "8080:8080"
+            "8387:8387"
            "58846:58846"
          ];
          extraOptions = [
--- a/modules/server/sonarr/default.nix
+++ b/modules/server/sonarr/default.nix
@@ -43,15 +43,16 @@ in {
      group = srv.group;
    };
    services.traefik = {
      # staticConfigOptions.entryPoints.${unit}.address = "127.0.0.1:8989";
      dynamicConfigOptions = {
        http = {
-          services.sonarr.loadBalancer.servers = [{url = "http://127.0.0.1:8989";}];
+          # services.sonarr.loadBalancer.servers = [{url = "http://127.0.0.1:8989";}];
          routers = {
            sonarr = {
              entryPoints = ["websecure"];
              rule = "Host(`${cfg.url}`)";
              service = "sonarr";
-              tls.certResolver = "letsencrypt";
+              # tls.certResolver = "letsencrypt";
              # middlewares = ["authentik"];
            };
          };
--- a/modules/server/traefik/default.nix
+++ b/modules/server/traefik/default.nix
@@ -1,100 +0,0 @@
 {
  lib,
  config,
  pkgs,
  self,
  ...
 }: let
  inherit (lib) mkEnableOption mkIf types;
  cfg = config.server.traefik;
  getCloudflareCredentials = hostname:
    if hostname == "ziggy"
    then config.age.secrets.cloudflareDnsCredentialsZiggy.path
    else if hostname == "sobotka"
    then config.age.secrets.cloudflareDnsCredentials.path
    else throw "Unknown hostname: ${hostname}";
 in {
  options.server.traefik = {
    enable = mkEnableOption "Enable global Traefik reverse proxy with ACME";
  };
  config = mkIf cfg.enable {
    age.secrets.traefikEnv = {
      file = "${self}/secrets/traefikEnv.age";
      mode = "640";
      owner = "root";
      group = "traefik";
    };
    systemd.services.traefik = {
      serviceConfig = {
        EnvironmentFile = [config.age.secrets.traefikEnv.path];
      };
    };
    networking.firewall.allowedTCPPorts = [80 443];
    services = {
      tailscale.permitCertUid = "traefik";
      traefik = {
        enable = true;
        staticConfigOptions = {
          log = {
            level = "DEBUG";
          };
          tracing = {};
          api = {
            dashboard = true;
          };
          certificatesResolvers = {
            tailscale.tailscale = {};
            letsencrypt = {
              acme = {
                email = "adam@cnst.dev";
                storage = "/var/lib/traefik/cert.json";
                dnsChallenge = {
                  provider = "cloudflare";
                  resolvers = [
                    "1.1.1.1:53"
                    "1.0.0.1:53"
                  ];
                };
              };
            };
          };
          entryPoints = {
            redis = {
              address = "0.0.0.0:6381";
            };
            postgres = {
              address = "0.0.0.0:5433";
            };
            web = {
              address = "0.0.0.0:80";
              http.redirections.entryPoint = {
                to = "websecure";
                scheme = "https";
                permanent = true;
              };
            };
            websecure = {
              address = "0.0.0.0:443";
              http.tls = {
                certResolver = "letsencrypt";
                domains = [
                  {
                    main = "cnix.dev";
                    sans = ["*.cnix.dev"];
                  }
                ];
              };
            };
          };
        };
      };
    };
  };
 }
--- a/modules/server/www/default.nix
+++ b/modules/server/www/default.nix
@@ -44,9 +44,11 @@ in {
    server = {
      fail2ban = lib.mkIf config.server.www.enable {
        jails = {
-          www = {
+          nginx-404 = {
-            serviceName = "cnst.dev";
+            serviceName = "nginx";
-            failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$";
+            failRegex = ''^.*\[error\].*directory index of.* is forbidden.*client: <HOST>.*$'';
            ignoreRegex = "";
            maxRetry = 5;
          };
        };
      };
@@ -64,14 +66,23 @@ in {
        virtualHosts."webfinger" = {
          forceSSL = false;
          serverName = cfg.url;
-          root = "/etc/webfinger";
+          root = "/var/www/webfinger";
          locations."= /.well-known/webfinger" = {
-            root = "/etc/webfinger";
+            root = "/var/www/webfinger";
            extraConfig = ''
              default_type application/jrd+json;
              try_files /.well-known/webfinger =404;
            '';
          };
          locations."= /robots.txt" = {
            root = "/var/www/webfinger";
            extraConfig = ''
              default_type text/plain;
              try_files /robots.txt =404;
            '';
          };
        };
      };
@@ -85,29 +96,23 @@ in {
      };
    };
-    environment.etc."webfinger/.well-known/webfinger".text = ''
+    environment.etc = {
-      {
+      "webfinger/.well-known/webfinger".text = ''
-        "subject": "acct:adam@${cfg.url}",
+        {
-        "links": [
+          "subject": "acct:adam@${cfg.url}",
-          {
+          "links": [
-            "rel": "http://openid.net/specs/connect/1.0/issuer",
+            {
-            "href": "https://auth.${cfg.url}/application/o/tailscale/"
+              "rel": "http://openid.net/specs/connect/1.0/issuer",
-          }
+              "href": "https://auth.${cfg.url}/application/o/tailscale/"
-        ]
+            }
-      }
+          ]
-    '';
+        }
      '';
-    services.traefik.dynamicConfigOptions.http = {
+      "webfinger/robots.txt".text = ''
-      routers.webfinger = {
+        User-agent: *
-        entryPoints = ["websecure"];
+        Disallow: /
-        rule = "Host(`${cfg.url}`) && Path(`/.well-known/webfinger`)";
+      '';
        service = "webfinger";
        tls.certResolver = "letsencrypt";
      };
      services.webfinger.loadBalancer.servers = [
        {url = "http://127.0.0.1:8283";}
      ];
    };
  };
 }
--- a/secrets/jellyfinCloudflared.age
+++ b/secrets/jellyfinCloudflared.age
@@ -0,0 +1,11 @@
 age-encryption.org/v1
 -> ssh-ed25519 t9iOEg dULaZVrpkeN1HqwM+HSU46XJjQznBOxa+wUDSSciK1w
 FxqlulfViojLLoskKu56Utiq57rkDC6TocoaFQOgahc
 -> ssh-ed25519 KUYMFA QYnb24Av6Vy17Lb5gC6dzQszOxa5bRP2PgFetmqhfCA
 MaIes8V0NkyTAzFzbRuCMzMLwhYljYHwhXPKEZEdlC4
 -> ssh-ed25519 76RhUQ NLoyNp/z5MXE3Hrmv7CCDYB1X8R1OORm2MZVMbgNDQs
 6U8r3wpXNtQdkIH+lo7cDrnjPw9B6eF/jMeb+iW9T1I
 -> ssh-ed25519 Jf8sqw GOWsvhSzrHJGJFOgsXr+O1jq7jnjyzKc82Mu7ntrI2Q
 P3n32btGFtUxB28/a0iz6lBTM6UP3EYUrq0y8BR49IM
 --- geE2uS2TMspihaNwgzH4FQKYoUFFRhjTS6V7F/cdTE0
 %<25>^<5E>E3򿈾<33><F2BF88BE><EFBFBD>gg<67><67>ٸk<D9B8><6B>;<3B>lE+b<>x<EFBFBD>Ҝ-<2D>X<>Et'&^<5E>=c<><63>9<EFBFBD>v*<2A>
--- a/secrets/nginxEnv.age
+++ b/secrets/nginxEnv.age
@@ -0,0 +1,12 @@
 age-encryption.org/v1
 -> ssh-ed25519 t9iOEg SCmn/7gQOD3fRn0PKPXxNBDKNSqUcnejG8tPwjoNT1I
 vd57xXCQ16PPPMlNysw6BWSIP/EgB3HrWlesBiQUVA0
 -> ssh-ed25519 KUYMFA WVn1OhFDxMMEHFa1yHpBmWskbcRgHyBiDWZjPv8NfX8
 8BCp/iUFkRsAGnc+0MEfpRXo1/Xla4WO3qYZMSl7LGw
 -> ssh-ed25519 76RhUQ ZfdS1EWtBOwd7+hVnJ/JqxUCDTYmfEs1OwyzXajFMmg
 eE0ahMgW76RFu9y9Z+PE6IzaLX3ydhhJvjk5vu2EgXo
 -> ssh-ed25519 Jf8sqw Pr/LkT5RQysShzjqEZlXFRHim3WpAav04c/GGftDTiA
 TWWRURLPnkpsxxSdSQem9sAoUoLt5wQe0CYl1xl1RaA
 --- cfGjcdOvwxLDlANhDe44U5JXGAyRYPZMVtC48PuhLNo
 <EFBFBD>Zyr<>#*K<><4B><EFBFBD><EFBFBD><0B><1F>
 $<24><>FB<46>$<24>^<5E>BT<42><54>#D<>v<EFBFBD><76>3<EFBFBD><13><f<>dG$<24><><EFBFBD><~<7E><10><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>m<EFBFBD><6D>8^<1A><><EFBFBD>\#	Z<>-8<><38><EFBFBD>D<EFBFBD>dM<64><4D>
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -58,9 +58,10 @@ in {
  "sobotkaPihole.age".publicKeys = kima ++ sobotka;
  "slskd.age".publicKeys = kima ++ sobotka;
  "authentikEnv.age".publicKeys = kima ++ sobotka;
-  "traefikEnv.age".publicKeys = kima ++ sobotka;
+  "nginxEnv.age".publicKeys = kima ++ sobotka;
  "wwwCloudflared.age".publicKeys = kima ++ sobotka;
  "authentikCloudflared.age".publicKeys = kima ++ sobotka;
  "jellyfinCloudflared.age".publicKeys = kima ++ sobotka;
  # Ziggy-specific
  "cloudflareDnsCredentialsZiggy.age".publicKeys = kima ++ ziggy;
--- a/secrets/traefikEnv.age
+++ b/secrets/traefikEnv.age
Author	SHA1	Message	Date
cnst	123dfd7605	all the broken	2025-10-04 20:35:06 +02:00
cnst	67e83e3e4e	feat(authentik): fixing some fail2ban things	2025-10-02 05:45:35 +02:00
cnst	923c810972	feat(authentik): fixing some fail2ban things	2025-10-01 18:00:55 +02:00
cnst	6ab35f4e91	feat(www): fixing fail2ban and other minor tweaks	2025-09-30 18:16:49 +02:00