cnst/cnix
1
0
Fork 0
Code Issues Pull Requests Activity

Compare commits

base: cnst:c9edc99a85b02f604b6e1376839abf02b1a2ebb1
Branches Tags
cnst:main cnst:monitors cnst:working cnst:compare_broken cnst:revert cnst:broken
..
compare: cnst:revert
Branches Tags
cnst:main cnst:monitors cnst:working cnst:compare_broken cnst:revert cnst:broken

2 Commits
c9edc99a85 ... revert

Author SHA1 Message Date
cnst
3d1e0991ae big revert 2025-10-04 20:49:00 +02:00
cnst
99b18de995 flake lock 2025-10-04 20:42:31 +02:00
10 changed files with 115 additions and 133 deletions
Expand all files Collapse all files

30
flake.lock generated
View File

@@ -212,11 +212,11 @@
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1759646430,
"narHash": "sha256-V8mjmGzi9nS7BZfhpzYAOUg3BcCsC6MrEh9xlKq3+7s=",
"lastModified": 1759560021,
"narHash": "sha256-J/rtMKVUAEqOFj0ogvcHKK8HbaKhw+tiNrDOpEM+ZDY=",
"owner": "nix-community",
"repo": "fenix",
"rev": "b326bea4d58c9a58b346f17c710538eac00f71d1",
"rev": "6ffcbf59c119b0c6384c7d98f18cea06a9af7e9c",
"type": "github"
},
"original": {
@@ -590,11 +590,11 @@
"rust-overlay": "rust-overlay_2"
},
"locked": {
"lastModified": 1759605748,
"narHash": "sha256-qALSaIE4fbTo0wbPjEp7RZKbtFk1cDhRZ0BYOHW0JwQ=",
"lastModified": 1759201995,
"narHash": "sha256-3STv6fITv8Ar/kl0H7vIA7VV0d2gyLh8UL0BOiVacXg=",
"owner": "helix-editor",
"repo": "helix",
"rev": "6fffaf6a7ded9a12fb2d5715a4eb83787a5e6402",
"rev": "bfcbef10c513108c7b43317569416c2eefc4ed44",
"type": "github"
},
"original": {
@@ -824,11 +824,11 @@
]
},
"locked": {
"lastModified": 1759613406,
"narHash": "sha256-PzgQJydp+RlKvwDi807pXPlURdIAVqLppZDga3DwPqg=",
"lastModified": 1759238633,
"narHash": "sha256-4/AtRCQKXuU49ozZZouWuC+T7vCjQh9HAz3N8Tt5OZE=",
"owner": "hyprwm",
"repo": "contrib",
"rev": "32e1a75b65553daefb419f0906ce19e04815aa3a",
"rev": "513d71d3f42c05d6a38e215382c5a6ce971bd77d",
"type": "github"
},
"original": {
@@ -1278,11 +1278,11 @@
]
},
"locked": {
"lastModified": 1759629535,
"narHash": "sha256-VIXcJ2ahRgoqIUySwAz3r5mtITO2dp6tXGCVKVW6FmA=",
"lastModified": 1759455985,
"narHash": "sha256-8qDv7NXH3fj1CDXed7c7vJLtrRKDZSo0x6TaWSfelVg=",
"owner": "fufexan",
"repo": "nix-gaming",
"rev": "df388c42b54714bd121796a9cec9322b7fa2894e",
"rev": "eb5ab503cbd3cb386e8d85a55a9faed73ec7dc37",
"type": "github"
},
"original": {
@@ -1626,11 +1626,11 @@
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1759601486,
"narHash": "sha256-ZywfLIFtRr907us1tONwUJLeg3ssO4D01XBFHx7RdAo=",
"lastModified": 1759301569,
"narHash": "sha256-7StxDed3v2fAWLkl+Hse9FlpjT7Dk7Cn/4vxTFyEhIg=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "4ae99f0150c94f4bdf7192b4447f512ece3546fd",
"rev": "472037b789cf593172d6adf3b8d9f7a429f6cd9b",
"type": "github"
},
"original": {

2
hosts/kima/modules.nix
View File

@@ -216,7 +216,7 @@
flags = "--performance";
};
tailscale = {
enable = false;
enable = true;
};
udisks = {
enable = true;

2
hosts/sobotka/modules.nix
View File

@@ -214,7 +214,7 @@
flags = "--performance";
};
tailscale = {
enable = false;
enable = true;
};
udisks = {
enable = true;

9
hosts/sobotka/server.nix
View File

@@ -1,5 +1,4 @@
{ config, ... }:
{
{config, ...}: {
server = {
enable = true;
email = "adam@cnst.dev";
@@ -44,10 +43,6 @@
};
jellyfin = {
enable = true;
cloudflared = {
tunnelId = "234811e2-bc86-44b2-9abd-493686e25704";
credentialsFile = config.age.secrets.jellyfinCloudflared.path;
};
};
uptime-kuma = {
enable = true;
@@ -94,7 +89,7 @@
gluetun.enable = true;
qbittorrent = {
enable = true;
port = 8387;
port = 8080;
};
slskd = {
enable = true;

29
modules/server/authentik/default.nix
View File

@@ -4,13 +4,11 @@
pkgs,
self,
...
}:
let
}: let
unit = "authentik";
cfg = config.server.${unit};
srv = config.server;
in
{
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
@@ -55,9 +53,11 @@ in
age.secrets = {
authentikEnv = {
file = "${self}/secrets/authentikEnv.age";
owner = "authentik";
};
authentikCloudflared = {
file = "${self}/secrets/authentikCloudflared.age";
owner = "authentik";
};
};
@@ -65,8 +65,8 @@ in
fail2ban = lib.mkIf cfg.enable {
jails = {
authentik = {
serviceName = "authentik";
failRegex = "^.*Username or password is incorrect.*IP:\s*<HOST>";
serviceName = "${cfg.url}";
failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$";
};
};
};
@@ -99,23 +99,22 @@ in
middlewares = {
authentik = {
forwardAuth = {
# tls.insecureSkipVerify = true;
tls.insecureSkipVerify = true;
address = "https://localhost:9443/outpost.goauthentik.io/auth/traefik";
trustForwardHeader = true;
authResponseHeaders = [
"X-authentik-username"
"X-authentik-groups"
"X-authentik-email"
# "X-authentik-name"
# "X-authentik-uid"
"X-authentik-name"
"X-authentik-uid"
"X-authentik-jwt"
# "X-authentik-meta-jwks"
# "X-authentik-meta-outpost"
# "X-authentik-meta-provider"
# "X-authentik-meta-app"
# "X-authentik-meta-version"
"X-authentik-meta-jwks"
"X-authentik-meta-outpost"
"X-authentik-meta-provider"
"X-authentik-meta-app"
"X-authentik-meta-version"
];
timeout = "10s";
};
};
};

30
modules/server/fail2ban/default.nix
View File

@@ -4,9 +4,11 @@
config,
pkgs,
...
}: let
}:
let
cfg = config.server.fail2ban;
in {
in
{
options.server.fail2ban = {
enable = lib.mkEnableOption {
description = "Enable cloudflare fail2ban";
@@ -15,7 +17,7 @@ in {
description = "File containing your API key, scoped to Firewall Rules: Edit";
type = lib.types.str;
example = lib.literalExpression ''
Authorization: Bearer vH6-p0y=i4w3n7TjKqZ@x8D_lR!A9b2cOezXgUuJdE5F
Authorization: Bearer Qj06My1wXJEzcW46QCyjFbSMgVtwIGfX63Ki3NOj79o=
'''
'';
};
@@ -55,11 +57,10 @@ in {
pkgs.jq
];
jails =
lib.attrsets.mapAttrs (name: value: {
jails = lib.attrsets.mapAttrs (name: value: {
settings = {
bantime = "24h";
findtime = "10m";
bantime = "30d";
findtime = "1h";
enabled = true;
backend = "systemd";
journalmatch = "_SYSTEMD_UNIT=${value.serviceName}.service";
@@ -68,26 +69,27 @@ in {
maxretry = 3;
action = "cloudflare-token-agenix";
};
})
cfg.jails;
}) cfg.jails;
};
environment.etc = lib.attrsets.mergeAttrsList [
(lib.attrsets.mapAttrs' (
name: value: (lib.nameValuePair "fail2ban/filter.d/${name}.conf" {
name: value:
(lib.nameValuePair "fail2ban/filter.d/${name}.conf" {
text = ''
[Definition]
failregex = ${value.failRegex}
ignoreregex = ${value.ignoreRegex}
'';
})
)
cfg.jails)
) cfg.jails)
{
"fail2ban/action.d/cloudflare-token-agenix.conf".text = let
"fail2ban/action.d/cloudflare-token-agenix.conf".text =
let
notes = "Fail2Ban on ${config.networking.hostName}";
cfapi = "https://api.cloudflare.com/client/v4/zones/${cfg.zoneId}/firewall/access_rules/rules";
in ''
in
''
[Definition]
actionstart =
actionstop =

43
modules/server/www/default.nix
View File

@@ -4,18 +4,11 @@
pkgs,
self,
...
}:
let
inherit (lib)
mkOption
mkEnableOption
mkIf
types
;
}: let
inherit (lib) mkOption mkEnableOption mkIf types;
cfg = config.server.www;
srv = config.server;
in
{
in {
options.server.www = {
enable = mkEnableOption {
description = "Enable personal website";
@@ -51,11 +44,9 @@ in
server = {
fail2ban = lib.mkIf config.server.www.enable {
jails = {
nginx-404 = {
serviceName = "nginx";
failRegex = ''^.*\[error\].*directory index of.* is forbidden.*client: <HOST>.*$'';
ignoreRegex = "";
maxRetry = 5;
www = {
serviceName = "cnst.dev";
failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$";
};
};
};
@@ -73,23 +64,14 @@ in
virtualHosts."webfinger" = {
forceSSL = false;
serverName = cfg.url;
root = "/var/www/webfinger";
root = "/etc/webfinger";
locations."= /.well-known/webfinger" = {
root = "/var/www/webfinger";
root = "/etc/webfinger";
extraConfig = ''
default_type application/jrd+json;
try_files /.well-known/webfinger =404;
'';
};
locations."= /robots.txt" = {
root = "/var/www/webfinger";
extraConfig = ''
default_type text/plain;
try_files /robots.txt =404;
'';
};
};
};
@@ -103,8 +85,7 @@ in
};
};
environment.etc = {
"webfinger/.well-known/webfinger".text = ''
environment.etc."webfinger/.well-known/webfinger".text = ''
{
"subject": "acct:adam@${cfg.url}",
"links": [
@@ -116,12 +97,6 @@ in
}
'';
"webfinger/robots.txt".text = ''
User-agent: *
Disallow: /
'';
};
services.traefik.dynamicConfigOptions.http = {
routers.webfinger = {
entryPoints = ["websecure"];

11
secrets/nginxEnv.age Normal file
View File

@@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 t9iOEg pfPhWigjvnJ5tfVv8qPpk3VYvLH9I01HVVbpu+r2NjY
Kaj8aZv+9pSYjwoE7EHWGHfsZIPFZOgUVaKf8VxWKcQ
-> ssh-ed25519 KUYMFA 9Xy82Cl3HUQcFDcJMxxnnIfLOngW8xLfVE0S1wRliGg
mOOcyJp5+ZqFwdkZkHC63+cMA0ToGcuI6kqMjAJ9jJk
-> ssh-ed25519 76RhUQ +OvUSQwpy6+xxlom8bJFn8CBdSKECa9YY0U+YYNYdGM
MWfmfGzd6/lOPvggUG8uJgBAp1CTqSdk+NDkk7vSQEQ
-> ssh-ed25519 Jf8sqw jQR/wT/+f63cJdFzR/Ogw6pdiYXoyVNu1+UCni2BYSM
Iicwg/XJJskvWFmAbxFDh3gSJyjid5fw9JXmDJPhzkU
--- xK8vBWioTgSDPHkKh7SJxstCzYtUSmTz6QuN/+niFME
<08><>f<<3C>`VR<56><52>p<><70>)>|<7C>+aئI<D8A6>g<08> <0B><><EFBFBD><EFBFBD><EFBFBD><19><>x<EFBFBD><78>HH+<2B><EFBFBD><E7B7AD>o>$4H<><48><EFBFBD><EFBFBD>B?<3F>l6TSqμ<71>Ǿ<EFBFBD><C7BE>Kj-l

BIN
secrets/traefikEnv.age
View File

Binary file not shown.

2
users/cnst/modules/kimamod.nix
View File

@@ -11,7 +11,7 @@
enable = true;
};
chromium = {
enable = false;
enable = true;
};
discord = {
enable = true;