big revert

flake lock
2025-10-04 20:49:00 +02:00 · 2025-10-04 20:42:31 +02:00
9 changed files with 101 additions and 118 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -212,11 +212,11 @@
        "rust-analyzer-src": "rust-analyzer-src"
      },
      "locked": {
-        "lastModified": 1759646430,
+        "lastModified": 1759560021,
-        "narHash": "sha256-V8mjmGzi9nS7BZfhpzYAOUg3BcCsC6MrEh9xlKq3+7s=",
+        "narHash": "sha256-J/rtMKVUAEqOFj0ogvcHKK8HbaKhw+tiNrDOpEM+ZDY=",
        "owner": "nix-community",
        "repo": "fenix",
-        "rev": "b326bea4d58c9a58b346f17c710538eac00f71d1",
+        "rev": "6ffcbf59c119b0c6384c7d98f18cea06a9af7e9c",
        "type": "github"
      },
      "original": {
@@ -590,11 +590,11 @@
        "rust-overlay": "rust-overlay_2"
      },
      "locked": {
-        "lastModified": 1759605748,
+        "lastModified": 1759201995,
-        "narHash": "sha256-qALSaIE4fbTo0wbPjEp7RZKbtFk1cDhRZ0BYOHW0JwQ=",
+        "narHash": "sha256-3STv6fITv8Ar/kl0H7vIA7VV0d2gyLh8UL0BOiVacXg=",
        "owner": "helix-editor",
        "repo": "helix",
-        "rev": "6fffaf6a7ded9a12fb2d5715a4eb83787a5e6402",
+        "rev": "bfcbef10c513108c7b43317569416c2eefc4ed44",
        "type": "github"
      },
      "original": {
@@ -824,11 +824,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1759613406,
+        "lastModified": 1759238633,
-        "narHash": "sha256-PzgQJydp+RlKvwDi807pXPlURdIAVqLppZDga3DwPqg=",
+        "narHash": "sha256-4/AtRCQKXuU49ozZZouWuC+T7vCjQh9HAz3N8Tt5OZE=",
        "owner": "hyprwm",
        "repo": "contrib",
-        "rev": "32e1a75b65553daefb419f0906ce19e04815aa3a",
+        "rev": "513d71d3f42c05d6a38e215382c5a6ce971bd77d",
        "type": "github"
      },
      "original": {
@@ -1278,11 +1278,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1759629535,
+        "lastModified": 1759455985,
-        "narHash": "sha256-VIXcJ2ahRgoqIUySwAz3r5mtITO2dp6tXGCVKVW6FmA=",
+        "narHash": "sha256-8qDv7NXH3fj1CDXed7c7vJLtrRKDZSo0x6TaWSfelVg=",
        "owner": "fufexan",
        "repo": "nix-gaming",
-        "rev": "df388c42b54714bd121796a9cec9322b7fa2894e",
+        "rev": "eb5ab503cbd3cb386e8d85a55a9faed73ec7dc37",
        "type": "github"
      },
      "original": {
@@ -1626,11 +1626,11 @@
    "rust-analyzer-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1759601486,
+        "lastModified": 1759301569,
-        "narHash": "sha256-ZywfLIFtRr907us1tONwUJLeg3ssO4D01XBFHx7RdAo=",
+        "narHash": "sha256-7StxDed3v2fAWLkl+Hse9FlpjT7Dk7Cn/4vxTFyEhIg=",
        "owner": "rust-lang",
        "repo": "rust-analyzer",
-        "rev": "4ae99f0150c94f4bdf7192b4447f512ece3546fd",
+        "rev": "472037b789cf593172d6adf3b8d9f7a429f6cd9b",
        "type": "github"
      },
      "original": {
--- a/hosts/kima/modules.nix
+++ b/hosts/kima/modules.nix
@@ -216,7 +216,7 @@
        flags = "--performance";
      };
      tailscale = {
-        enable = false;
+        enable = true;
      };
      udisks = {
        enable = true;
--- a/hosts/sobotka/modules.nix
+++ b/hosts/sobotka/modules.nix
@@ -214,7 +214,7 @@
        flags = "--performance";
      };
      tailscale = {
-        enable = false;
+        enable = true;
      };
      udisks = {
        enable = true;
--- a/modules/server/authentik/default.nix
+++ b/modules/server/authentik/default.nix
@@ -54,14 +54,10 @@ in {
      authentikEnv = {
        file = "${self}/secrets/authentikEnv.age";
        owner = "authentik";
        group = "authentik";
        mode = "0400";
      };
      authentikCloudflared = {
        file = "${self}/secrets/authentikCloudflared.age";
        owner = "authentik";
        group = "authentik";
        mode = "0400";
      };
    };
@@ -69,8 +65,8 @@ in {
      fail2ban = lib.mkIf cfg.enable {
        jails = {
          authentik = {
-            serviceName = "authentik";
+            serviceName = "${cfg.url}";
-            failRegex = "^.*Username or password is incorrect.*IP:\s*<HOST>";
+            failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$";
          };
        };
      };
@@ -103,7 +99,7 @@ in {
            middlewares = {
              authentik = {
                forwardAuth = {
-                  # tls.insecureSkipVerify = true;
+                  tls.insecureSkipVerify = true;
                  address = "https://localhost:9443/outpost.goauthentik.io/auth/traefik";
                  trustForwardHeader = true;
                  authResponseHeaders = [
@@ -119,7 +115,6 @@ in {
                    "X-authentik-meta-app"
                    "X-authentik-meta-version"
                  ];
                  timeout = "10s";
                };
              };
            };
--- a/modules/server/fail2ban/default.nix
+++ b/modules/server/fail2ban/default.nix
@@ -4,9 +4,11 @@
  config,
  pkgs,
  ...
-}: let
+}:
 let
  cfg = config.server.fail2ban;
-in {
+in
 {
  options.server.fail2ban = {
    enable = lib.mkEnableOption {
      description = "Enable cloudflare fail2ban";
@@ -15,7 +17,7 @@ in {
      description = "File containing your API key, scoped to Firewall Rules: Edit";
      type = lib.types.str;
      example = lib.literalExpression ''
-        Authorization: Bearer vH6-p0y=i4w3n7TjKqZ@x8D_lR!A9b2cOezXgUuJdE5F
+        Authorization: Bearer Qj06My1wXJEzcW46QCyjFbSMgVtwIGfX63Ki3NOj79o=
        '''
      '';
    };
@@ -55,11 +57,10 @@ in {
        pkgs.jq
      ];
-      jails =
+      jails = lib.attrsets.mapAttrs (name: value: {
        lib.attrsets.mapAttrs (name: value: {
        settings = {
-            bantime = "24h";
+          bantime = "30d";
-            findtime = "10m";
+          findtime = "1h";
          enabled = true;
          backend = "systemd";
          journalmatch = "_SYSTEMD_UNIT=${value.serviceName}.service";
@@ -68,26 +69,27 @@ in {
          maxretry = 3;
          action = "cloudflare-token-agenix";
        };
-        })
+      }) cfg.jails;
        cfg.jails;
    };
    environment.etc = lib.attrsets.mergeAttrsList [
      (lib.attrsets.mapAttrs' (
-          name: value: (lib.nameValuePair "fail2ban/filter.d/${name}.conf" {
+        name: value:
        (lib.nameValuePair "fail2ban/filter.d/${name}.conf" {
          text = ''
            [Definition]
            failregex = ${value.failRegex}
            ignoreregex = ${value.ignoreRegex}
          '';
        })
-        )
+      ) cfg.jails)
        cfg.jails)
      {
-        "fail2ban/action.d/cloudflare-token-agenix.conf".text = let
+        "fail2ban/action.d/cloudflare-token-agenix.conf".text =
          let
            notes = "Fail2Ban on ${config.networking.hostName}";
            cfapi = "https://api.cloudflare.com/client/v4/zones/${cfg.zoneId}/firewall/access_rules/rules";
-        in ''
+          in
          ''
            [Definition]
            actionstart =
            actionstop =
--- a/modules/server/www/default.nix
+++ b/modules/server/www/default.nix
@@ -4,18 +4,11 @@
  pkgs,
  self,
  ...
-}:
+}: let
-let
+  inherit (lib) mkOption mkEnableOption mkIf types;
  inherit (lib)
    mkOption
    mkEnableOption
    mkIf
    types
    ;
  cfg = config.server.www;
  srv = config.server;
-in
+in {
 {
  options.server.www = {
    enable = mkEnableOption {
      description = "Enable personal website";
@@ -51,11 +44,9 @@ in
    server = {
      fail2ban = lib.mkIf config.server.www.enable {
        jails = {
-          nginx-404 = {
+          www = {
-            serviceName = "nginx";
+            serviceName = "cnst.dev";
-            failRegex = ''^.*\[error\].*directory index of.* is forbidden.*client: <HOST>.*$'';
+            failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$";
            ignoreRegex = "";
            maxRetry = 5;
          };
        };
      };
@@ -73,23 +64,14 @@ in
        virtualHosts."webfinger" = {
          forceSSL = false;
          serverName = cfg.url;
-          root = "/var/www/webfinger";
+          root = "/etc/webfinger";
          locations."= /.well-known/webfinger" = {
-            root = "/var/www/webfinger";
+            root = "/etc/webfinger";
            extraConfig = ''
              default_type application/jrd+json;
              try_files /.well-known/webfinger =404;
            '';
          };
          locations."= /robots.txt" = {
            root = "/var/www/webfinger";
            extraConfig = ''
              default_type text/plain;
              try_files /robots.txt =404;
            '';
          };
        };
      };
@@ -103,8 +85,7 @@ in
      };
    };
-    environment.etc = {
+    environment.etc."webfinger/.well-known/webfinger".text = ''
      "webfinger/.well-known/webfinger".text = ''
      {
        "subject": "acct:adam@${cfg.url}",
        "links": [
@@ -116,22 +97,16 @@ in
      }
    '';
      "webfinger/robots.txt".text = ''
        User-agent: *
        Disallow: /
      '';
    };
    services.traefik.dynamicConfigOptions.http = {
      routers.webfinger = {
-        entryPoints = [ "websecure" ];
+        entryPoints = ["websecure"];
        rule = "Host(`${cfg.url}`) && Path(`/.well-known/webfinger`)";
        service = "webfinger";
        tls.certResolver = "letsencrypt";
      };
      services.webfinger.loadBalancer.servers = [
-        { url = "http://127.0.0.1:8283"; }
+        {url = "http://127.0.0.1:8283";}
      ];
    };
  };
--- a/secrets/nginxEnv.age
+++ b/secrets/nginxEnv.age
@@ -0,0 +1,11 @@
 age-encryption.org/v1
 -> ssh-ed25519 t9iOEg pfPhWigjvnJ5tfVv8qPpk3VYvLH9I01HVVbpu+r2NjY
 Kaj8aZv+9pSYjwoE7EHWGHfsZIPFZOgUVaKf8VxWKcQ
 -> ssh-ed25519 KUYMFA 9Xy82Cl3HUQcFDcJMxxnnIfLOngW8xLfVE0S1wRliGg
 mOOcyJp5+ZqFwdkZkHC63+cMA0ToGcuI6kqMjAJ9jJk
 -> ssh-ed25519 76RhUQ +OvUSQwpy6+xxlom8bJFn8CBdSKECa9YY0U+YYNYdGM
 MWfmfGzd6/lOPvggUG8uJgBAp1CTqSdk+NDkk7vSQEQ
 -> ssh-ed25519 Jf8sqw jQR/wT/+f63cJdFzR/Ogw6pdiYXoyVNu1+UCni2BYSM
 Iicwg/XJJskvWFmAbxFDh3gSJyjid5fw9JXmDJPhzkU
 --- xK8vBWioTgSDPHkKh7SJxstCzYtUSmTz6QuN/+niFME
 <08><>f<<3C>`VR<56><52>p<><70>)>|<7C>+aئI<D8A6>g<08><0B><><EFBFBD><EFBFBD><EFBFBD><19><>x<EFBFBD><78>HH+<2B>緭<EFBFBD><E7B7AD>o>$4H<><48><EFBFBD>缂<EFBFBD>B?<3F>l6TSqμ<71>Ǿ<EFBFBD><C7BE>Kj-l
--- a/secrets/traefikEnv.age
+++ b/secrets/traefikEnv.age
--- a/users/cnst/modules/kimamod.nix
+++ b/users/cnst/modules/kimamod.nix
@@ -11,7 +11,7 @@
        enable = true;
      };
      chromium = {
-        enable = false;
+        enable = true;
      };
      discord = {
        enable = true;
Author	SHA1	Message	Date
cnst	3d1e0991ae	big revert	2025-10-04 20:49:00 +02:00
cnst	99b18de995	flake lock	2025-10-04 20:42:31 +02:00