cnst/cnix
1
0
Fork 0
Code Issues Pull Requests Activity

Compare commits

base: cnst:6ab35f4e9184b3829ee36e175baee8d2f99c9a1c
Branches Tags
cnst:main cnst:monitors cnst:working cnst:compare_broken cnst:revert cnst:broken
...
compare: cnst:67e83e3e4e2c6813623a31cf0bed8408e63cc6ab
Branches Tags
cnst:main cnst:monitors cnst:working cnst:compare_broken cnst:revert cnst:broken

2 Commits
6ab35f4e91 ... 67e83e3e4e

Author SHA1 Message Date
cnst
67e83e3e4e feat(authentik): fixing some fail2ban things 2025-10-02 05:45:35 +02:00
cnst
923c810972 feat(authentik): fixing some fail2ban things 2025-10-01 18:00:55 +02:00
4 changed files with 75 additions and 73 deletions
Expand all files Collapse all files

44
flake.lock generated
View File

@@ -114,11 +114,11 @@
"uv2nix": "uv2nix" "uv2nix": "uv2nix"
}, },
"locked": { "locked": {
"lastModified": 1758177015, "lastModified": 1759322529,
"narHash": "sha256-PCUWdbaxayY3YfSjVlyddBMYoGvSaRysd5AmZ8gqSFs=", "narHash": "sha256-yiv/g/tiJI3PI95F7vhTnaf1TDsIkFLrmmFTjWfb6pQ=",
"owner": "nix-community", "owner": "nix-community",
"repo": "authentik-nix", "repo": "authentik-nix",
"rev": "4c626ed84cc0f1278bfba0f534efd6cba2788d75", "rev": "69fac057b2e553ee17c9a09b822d735823d65a6c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -130,16 +130,16 @@
"authentik-src": { "authentik-src": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1758035356, "lastModified": 1759190535,
"narHash": "sha256-DkvxDwHCfSqEpZ9rRXNR8MP0Mz/y1kHAr38exrHQ39c=", "narHash": "sha256-pIzDaoDWc58cY/XhsyweCwc4dfRvkaT/zqsV1gDSnCI=",
"owner": "goauthentik", "owner": "goauthentik",
"repo": "authentik", "repo": "authentik",
"rev": "680feaefa17934471a6b33ebc35caf5b64120404", "rev": "8d3a289d12c7de2f244c76493af7880f70d08af2",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "goauthentik", "owner": "goauthentik",
"ref": "version/2025.8.3", "ref": "version/2025.8.4",
"repo": "authentik", "repo": "authentik",
"type": "github" "type": "github"
} }
@@ -212,11 +212,11 @@
"rust-analyzer-src": "rust-analyzer-src" "rust-analyzer-src": "rust-analyzer-src"
}, },
"locked": { "locked": {
"lastModified": 1759214609, "lastModified": 1759301100,
"narHash": "sha256-+V3SeMjAMd9j9JTECk9oc0gWhtsk79rFEbYf/tHjywo=", "narHash": "sha256-hmiTEoVAqLnn80UkreCNunnRKPucKvcg5T4/CELEtbw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "fenix", "repo": "fenix",
"rev": "f93a2d7225bc7a93d3379acff8fe722e21d97852", "rev": "0956bc5d1df2ea800010172c6bc4470d9a22cb81",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -571,11 +571,11 @@
}, },
"hardware": { "hardware": {
"locked": { "locked": {
"lastModified": 1758663926, "lastModified": 1759261527,
"narHash": "sha256-6CFdj7Xs616t1W4jLDH7IohAAvl5Dyib3qEv/Uqw1rk=", "narHash": "sha256-wPd5oGvBBpUEzMF0kWnXge0WITNsITx/aGI9qLHgJ4g=",
"owner": "nixos", "owner": "nixos",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "170ff93c860b2a9868ed1e1102d4e52cb3d934e1", "rev": "e087756cf4abbe1a34f3544c480fc1034d68742f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -610,11 +610,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1759236626, "lastModified": 1759331616,
"narHash": "sha256-1BjCUU2csqhR5umGYFnOOTU8r8Bi+bnB2SLsr0FLcws=", "narHash": "sha256-LVpodobJvJM5rmfh2sFBHPNX0PYpNbbHzx/gprlKGGg=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "9e0453a9b0c8ef22de0355b731d712707daa6308", "rev": "5890176f856dcaf55f3ab56b25d4138657531cbd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -803,11 +803,11 @@
"xdph": "xdph" "xdph": "xdph"
}, },
"locked": { "locked": {
"lastModified": 1759169434, "lastModified": 1759318697,
"narHash": "sha256-1u6kq88ICeE9IiJPditYa248ZoEqo00kz6iUR+jLvBQ=", "narHash": "sha256-iCL/F+rlgzgBfG4QURfjBrxVBMPsXCzZKHXn1SNBshc=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprland", "repo": "hyprland",
"rev": "38c1e72c9d81fcdad8f173e06102a5da18836230", "rev": "e0c96276df75accc853a30186ae5de580b2c725f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1626,11 +1626,11 @@
"rust-analyzer-src": { "rust-analyzer-src": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1759134797, "lastModified": 1759245522,
"narHash": "sha256-YPi+jL3tx/yC5J5l7/OB7Lnlr9BMTzYnZtm7tRJzUNg=", "narHash": "sha256-H4Hx/EuMJ9qi1WzPV4UG2bbZiDCdREtrtDvYcHr0kmk=",
"owner": "rust-lang", "owner": "rust-lang",
"repo": "rust-analyzer", "repo": "rust-analyzer",
"rev": "062ac7a5451e8e92a32e22a60d86882d6a034f3f", "rev": "a6bc4a4bbe6a65b71cbf76a0cf528c47a8d9f97f",
"type": "github" "type": "github"
}, },
"original": { "original": {

2
hosts/sobotka/modules.nix
View File

@@ -214,7 +214,7 @@
flags = "--performance"; flags = "--performance";
}; };
tailscale = { tailscale = {
enable = true; enable = false;
}; };
udisks = { udisks = {
enable = true; enable = true;

8
modules/server/authentik/default.nix
View File

@@ -54,10 +54,14 @@ in {
authentikEnv = { authentikEnv = {
file = "${self}/secrets/authentikEnv.age"; file = "${self}/secrets/authentikEnv.age";
owner = "authentik"; owner = "authentik";
group = "authentik";
mode = "0400";
}; };
authentikCloudflared = { authentikCloudflared = {
file = "${self}/secrets/authentikCloudflared.age"; file = "${self}/secrets/authentikCloudflared.age";
owner = "authentik"; owner = "authentik";
group = "authentik";
mode = "0400";
}; };
}; };
@@ -66,7 +70,7 @@ in {
jails = { jails = {
authentik = { authentik = {
serviceName = "authentik"; serviceName = "authentik";
failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$"; failRegex = "^.*Username or password is incorrect.*IP:\s*<HOST>";
}; };
}; };
}; };
@@ -99,7 +103,7 @@ in {
middlewares = { middlewares = {
authentik = { authentik = {
forwardAuth = { forwardAuth = {
tls.insecureSkipVerify = true; # tls.insecureSkipVerify = true;
address = "https://localhost:9443/outpost.goauthentik.io/auth/traefik"; address = "https://localhost:9443/outpost.goauthentik.io/auth/traefik";
trustForwardHeader = true; trustForwardHeader = true;
authResponseHeaders = [ authResponseHeaders = [

94
modules/server/fail2ban/default.nix
View File

@@ -4,11 +4,9 @@
config, config,
pkgs, pkgs,
... ...
}: }: let
let
cfg = config.server.fail2ban; cfg = config.server.fail2ban;
in in {
{
options.server.fail2ban = { options.server.fail2ban = {
enable = lib.mkEnableOption { enable = lib.mkEnableOption {
description = "Enable cloudflare fail2ban"; description = "Enable cloudflare fail2ban";
@@ -17,7 +15,7 @@ in
description = "File containing your API key, scoped to Firewall Rules: Edit"; description = "File containing your API key, scoped to Firewall Rules: Edit";
type = lib.types.str; type = lib.types.str;
example = lib.literalExpression '' example = lib.literalExpression ''
Authorization: Bearer Qj06My1wXJEzcW46QCyjFbSMgVtwIGfX63Ki3NOj79o= Authorization: Bearer vH6-p0y=i4w3n7TjKqZ@x8D_lR!A9b2cOezXgUuJdE5F
''' '''
''; '';
}; };
@@ -57,54 +55,54 @@ in
pkgs.jq pkgs.jq
]; ];
jails = lib.attrsets.mapAttrs (name: value: { jails =
settings = { lib.attrsets.mapAttrs (name: value: {
bantime = "30d"; settings = {
findtime = "1h"; bantime = "24h";
enabled = true; findtime = "10m";
backend = "systemd"; enabled = true;
journalmatch = "_SYSTEMD_UNIT=${value.serviceName}.service"; backend = "systemd";
port = "http,https"; journalmatch = "_SYSTEMD_UNIT=${value.serviceName}.service";
filter = "${name}"; port = "http,https";
maxretry = 3; filter = "${name}";
action = "cloudflare-token-agenix"; maxretry = 3;
}; action = "cloudflare-token-agenix";
}) cfg.jails; };
})
cfg.jails;
}; };
environment.etc = lib.attrsets.mergeAttrsList [ environment.etc = lib.attrsets.mergeAttrsList [
(lib.attrsets.mapAttrs' ( (lib.attrsets.mapAttrs' (
name: value: name: value: (lib.nameValuePair "fail2ban/filter.d/${name}.conf" {
(lib.nameValuePair "fail2ban/filter.d/${name}.conf" { text = ''
text = '' [Definition]
[Definition] failregex = ${value.failRegex}
failregex = ${value.failRegex} ignoreregex = ${value.ignoreRegex}
ignoreregex = ${value.ignoreRegex} '';
''; })
}) )
) cfg.jails) cfg.jails)
{ {
"fail2ban/action.d/cloudflare-token-agenix.conf".text = "fail2ban/action.d/cloudflare-token-agenix.conf".text = let
let notes = "Fail2Ban on ${config.networking.hostName}";
notes = "Fail2Ban on ${config.networking.hostName}"; cfapi = "https://api.cloudflare.com/client/v4/zones/${cfg.zoneId}/firewall/access_rules/rules";
cfapi = "https://api.cloudflare.com/client/v4/zones/${cfg.zoneId}/firewall/access_rules/rules"; in ''
in [Definition]
'' actionstart =
[Definition] actionstop =
actionstart = actioncheck =
actionstop = actionunban = id=$(curl -s -X GET "${cfapi}" \
actioncheck = -H @${cfg.apiKeyFile} -H "Content-Type: application/json" \
actionunban = id=$(curl -s -X GET "${cfapi}" \ | jq -r '.result[] | select(.notes == "${notes}" and .configuration.target == "ip" and .configuration.value == "<ip>") | .id')
-H @${cfg.apiKeyFile} -H "Content-Type: application/json" \ if [ -z "$id" ]; then echo "id for <ip> cannot be found"; exit 0; fi; \
| jq -r '.result[] | select(.notes == "${notes}" and .configuration.target == "ip" and .configuration.value == "<ip>") | .id') curl -s -X DELETE "${cfapi}/$id" \
if [ -z "$id" ]; then echo "id for <ip> cannot be found"; exit 0; fi; \ -H @${cfg.apiKeyFile} -H "Content-Type: application/json" \
curl -s -X DELETE "${cfapi}/$id" \ --data '{"cascade": "none"}'
-H @${cfg.apiKeyFile} -H "Content-Type: application/json" \ actionban = curl -X POST "${cfapi}" -H @${cfg.apiKeyFile} -H "Content-Type: application/json" --data '{"mode":"block","configuration":{"target":"ip","value":"<ip>"},"notes":"${notes}"}'
--data '{"cascade": "none"}' [Init]
actionban = curl -X POST "${cfapi}" -H @${cfg.apiKeyFile} -H "Content-Type: application/json" --data '{"mode":"block","configuration":{"target":"ip","value":"<ip>"},"notes":"${notes}"}' name = cloudflare-token-agenix
[Init] '';
name = cloudflare-token-agenix
'';
} }
]; ];
}; };