cnst/cnix
1
0
Fork 0
Code Issues Pull Requests Activity

Compare commits

base: cnst:revert
Branches Tags
cnst:main cnst:monitors cnst:working cnst:compare_broken cnst:revert cnst:broken
...
compare: cnst:67e83e3e4e2c6813623a31cf0bed8408e63cc6ab
Branches Tags
cnst:main cnst:monitors cnst:working cnst:compare_broken cnst:revert cnst:broken

3 Commits
revert ... 67e83e3e4e

Author SHA1 Message Date
cnst
67e83e3e4e feat(authentik): fixing some fail2ban things 2025-10-02 05:45:35 +02:00
cnst
923c810972 feat(authentik): fixing some fail2ban things 2025-10-01 18:00:55 +02:00
cnst
6ab35f4e91 feat(www): fixing fail2ban and other minor tweaks 2025-09-30 18:16:49 +02:00
5 changed files with 129 additions and 109 deletions
Expand all files Collapse all files

82
flake.lock generated
View File

@@ -114,11 +114,11 @@
"uv2nix": "uv2nix" "uv2nix": "uv2nix"
}, },
"locked": { "locked": {
"lastModified": 1758177015, "lastModified": 1759322529,
"narHash": "sha256-PCUWdbaxayY3YfSjVlyddBMYoGvSaRysd5AmZ8gqSFs=", "narHash": "sha256-yiv/g/tiJI3PI95F7vhTnaf1TDsIkFLrmmFTjWfb6pQ=",
"owner": "nix-community", "owner": "nix-community",
"repo": "authentik-nix", "repo": "authentik-nix",
"rev": "4c626ed84cc0f1278bfba0f534efd6cba2788d75", "rev": "69fac057b2e553ee17c9a09b822d735823d65a6c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -130,16 +130,16 @@
"authentik-src": { "authentik-src": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1758035356, "lastModified": 1759190535,
"narHash": "sha256-DkvxDwHCfSqEpZ9rRXNR8MP0Mz/y1kHAr38exrHQ39c=", "narHash": "sha256-pIzDaoDWc58cY/XhsyweCwc4dfRvkaT/zqsV1gDSnCI=",
"owner": "goauthentik", "owner": "goauthentik",
"repo": "authentik", "repo": "authentik",
"rev": "680feaefa17934471a6b33ebc35caf5b64120404", "rev": "8d3a289d12c7de2f244c76493af7880f70d08af2",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "goauthentik", "owner": "goauthentik",
"ref": "version/2025.8.3", "ref": "version/2025.8.4",
"repo": "authentik", "repo": "authentik",
"type": "github" "type": "github"
} }
@@ -153,11 +153,11 @@
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1759155412, "lastModified": 1759235653,
"narHash": "sha256-5JMoXMQt0C1SAHzhHwKLIEZ8/Q8f0vqBGxrMnmuOvJg=", "narHash": "sha256-sKFehUxXCzM6E1LcmnRa/O6HKsRI/TGtciG5ulAJt08=",
"owner": "chaotic-cx", "owner": "chaotic-cx",
"repo": "nyx", "repo": "nyx",
"rev": "ae7eac57b8dfc221270bb4f4752a87fe4f17ca11", "rev": "2bf7f138e42fa8b2133761edab64263505cb83bf",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -212,11 +212,11 @@
"rust-analyzer-src": "rust-analyzer-src" "rust-analyzer-src": "rust-analyzer-src"
}, },
"locked": { "locked": {
"lastModified": 1759128018, "lastModified": 1759301100,
"narHash": "sha256-30KHoIXMgyNQULifR1yQ5Sp0vr4tWpGRJXPOTgEzx1A=", "narHash": "sha256-hmiTEoVAqLnn80UkreCNunnRKPucKvcg5T4/CELEtbw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "fenix", "repo": "fenix",
"rev": "5c342209226275f704ab84d89efc80b2d3963517", "rev": "0956bc5d1df2ea800010172c6bc4470d9a22cb81",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -571,11 +571,11 @@
}, },
"hardware": { "hardware": {
"locked": { "locked": {
"lastModified": 1758663926, "lastModified": 1759261527,
"narHash": "sha256-6CFdj7Xs616t1W4jLDH7IohAAvl5Dyib3qEv/Uqw1rk=", "narHash": "sha256-wPd5oGvBBpUEzMF0kWnXge0WITNsITx/aGI9qLHgJ4g=",
"owner": "nixos", "owner": "nixos",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "170ff93c860b2a9868ed1e1102d4e52cb3d934e1", "rev": "e087756cf4abbe1a34f3544c480fc1034d68742f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -590,11 +590,11 @@
"rust-overlay": "rust-overlay_2" "rust-overlay": "rust-overlay_2"
}, },
"locked": { "locked": {
"lastModified": 1758833221, "lastModified": 1759201995,
"narHash": "sha256-c3fpREWUKGonlmV/aesmyRxbJZQypHgXStR7SwdcCo0=", "narHash": "sha256-3STv6fITv8Ar/kl0H7vIA7VV0d2gyLh8UL0BOiVacXg=",
"owner": "helix-editor", "owner": "helix-editor",
"repo": "helix", "repo": "helix",
"rev": "109c812233e442addccf1739dec4406248bd3244", "rev": "bfcbef10c513108c7b43317569416c2eefc4ed44",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -610,11 +610,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1759106866, "lastModified": 1759331616,
"narHash": "sha256-GjLvAl7qxGxKtop6ghasxjQ1biTT7pA+WU45byzMl/4=", "narHash": "sha256-LVpodobJvJM5rmfh2sFBHPNX0PYpNbbHzx/gprlKGGg=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "619ae569293b6427d23cce4854eb4f3c33af3eec", "rev": "5890176f856dcaf55f3ab56b25d4138657531cbd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -652,11 +652,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1758928860, "lastModified": 1759172751,
"narHash": "sha256-ZqaRdd+KoR54dNJPtd7UX4O0X+02YItnTpQVu28lSVI=", "narHash": "sha256-E8W8sRXfrvkFW26GuuiWq6QfReU7m5+cngwHuRo/3jc=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "bc2afee55bc5d3b825287829d6592b9cc1405aad", "rev": "12fa8548feefa9a10266ba65152fd1a787cdde8f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -803,11 +803,11 @@
"xdph": "xdph" "xdph": "xdph"
}, },
"locked": { "locked": {
"lastModified": 1759148562, "lastModified": 1759318697,
"narHash": "sha256-kPSevFrZv/zmXy0rVhbZr2nQ4nXmt7lnI2/xqGoIVT4=", "narHash": "sha256-iCL/F+rlgzgBfG4QURfjBrxVBMPsXCzZKHXn1SNBshc=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprland", "repo": "hyprland",
"rev": "09596725910aab2a9defed250348aebeee40f842", "rev": "e0c96276df75accc853a30186ae5de580b2c725f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -824,11 +824,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1759123041, "lastModified": 1759238633,
"narHash": "sha256-O3dfYBYhsdjpELmyE1czkQfG2Jzh+pzsKMhPX3QVz80=", "narHash": "sha256-4/AtRCQKXuU49ozZZouWuC+T7vCjQh9HAz3N8Tt5OZE=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "contrib", "repo": "contrib",
"rev": "125043bea28e5f988f4e97250213948667a26b1c", "rev": "513d71d3f42c05d6a38e215382c5a6ce971bd77d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1626,11 +1626,11 @@
"rust-analyzer-src": { "rust-analyzer-src": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1759060464, "lastModified": 1759245522,
"narHash": "sha256-37+iMpZOQ1m9SuOJTBlRK1R0IVPS7e95oQggK82UpLs=", "narHash": "sha256-H4Hx/EuMJ9qi1WzPV4UG2bbZiDCdREtrtDvYcHr0kmk=",
"owner": "rust-lang", "owner": "rust-lang",
"repo": "rust-analyzer", "repo": "rust-analyzer",
"rev": "5c0b555a65cadc14a6a16865c3e065c9d30b0bef", "rev": "a6bc4a4bbe6a65b71cbf76a0cf528c47a8d9f97f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1648,11 +1648,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1758940228, "lastModified": 1759113356,
"narHash": "sha256-sTS04L9LKqzP1oiVXYDwcMzfFSF0DnSJQFzZBpEgLFE=", "narHash": "sha256-xm4kEUcV2jk6u15aHazFP4YsMwhq+PczA+Ul/4FDKWI=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "5bfedf3fbbf5caf8e39f7fcd62238f54d82aa1e2", "rev": "be3b8843a2be2411500f6c052876119485e957a2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1923,11 +1923,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1759072104, "lastModified": 1759180079,
"narHash": "sha256-2B5RObgBD/ptcC8rO6jI2o+0LWg3iG300wQlBYiyjec=", "narHash": "sha256-5hqTGqAKcLEumY3tqOtHK17CA6RkzS1I0EGKfuoyb58=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "8db6527b42469df2ffd888e79fe15151888bdc0f", "rev": "d4a254b38c7ac2b99931220d767610adfa3a57fe",
"revCount": 134, "revCount": 135,
"type": "git", "type": "git",
"url": "https://git.sr.ht/~canasta/zen-browser-flake" "url": "https://git.sr.ht/~canasta/zen-browser-flake"
}, },

2
hosts/sobotka/modules.nix
View File

@@ -214,7 +214,7 @@
flags = "--performance"; flags = "--performance";
}; };
tailscale = { tailscale = {
enable = true; enable = false;
}; };
udisks = { udisks = {
enable = true; enable = true;

10
modules/server/authentik/default.nix
View File

@@ -54,10 +54,14 @@ in {
authentikEnv = { authentikEnv = {
file = "${self}/secrets/authentikEnv.age"; file = "${self}/secrets/authentikEnv.age";
owner = "authentik"; owner = "authentik";
group = "authentik";
mode = "0400";
}; };
authentikCloudflared = { authentikCloudflared = {
file = "${self}/secrets/authentikCloudflared.age"; file = "${self}/secrets/authentikCloudflared.age";
owner = "authentik"; owner = "authentik";
group = "authentik";
mode = "0400";
}; };
}; };
@@ -65,8 +69,8 @@ in {
fail2ban = lib.mkIf cfg.enable { fail2ban = lib.mkIf cfg.enable {
jails = { jails = {
authentik = { authentik = {
serviceName = "${cfg.url}"; serviceName = "authentik";
failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$"; failRegex = "^.*Username or password is incorrect.*IP:\s*<HOST>";
}; };
}; };
}; };
@@ -99,7 +103,7 @@ in {
middlewares = { middlewares = {
authentik = { authentik = {
forwardAuth = { forwardAuth = {
tls.insecureSkipVerify = true; # tls.insecureSkipVerify = true;
address = "https://localhost:9443/outpost.goauthentik.io/auth/traefik"; address = "https://localhost:9443/outpost.goauthentik.io/auth/traefik";
trustForwardHeader = true; trustForwardHeader = true;
authResponseHeaders = [ authResponseHeaders = [

30
modules/server/fail2ban/default.nix
View File

@@ -4,11 +4,9 @@
config, config,
pkgs, pkgs,
... ...
}: }: let
let
cfg = config.server.fail2ban; cfg = config.server.fail2ban;
in in {
{
options.server.fail2ban = { options.server.fail2ban = {
enable = lib.mkEnableOption { enable = lib.mkEnableOption {
description = "Enable cloudflare fail2ban"; description = "Enable cloudflare fail2ban";
@@ -17,7 +15,7 @@ in
description = "File containing your API key, scoped to Firewall Rules: Edit"; description = "File containing your API key, scoped to Firewall Rules: Edit";
type = lib.types.str; type = lib.types.str;
example = lib.literalExpression '' example = lib.literalExpression ''
Authorization: Bearer Qj06My1wXJEzcW46QCyjFbSMgVtwIGfX63Ki3NOj79o= Authorization: Bearer vH6-p0y=i4w3n7TjKqZ@x8D_lR!A9b2cOezXgUuJdE5F
''' '''
''; '';
}; };
@@ -57,10 +55,11 @@ in
pkgs.jq pkgs.jq
]; ];
jails = lib.attrsets.mapAttrs (name: value: { jails =
lib.attrsets.mapAttrs (name: value: {
settings = { settings = {
bantime = "30d"; bantime = "24h";
findtime = "1h"; findtime = "10m";
enabled = true; enabled = true;
backend = "systemd"; backend = "systemd";
journalmatch = "_SYSTEMD_UNIT=${value.serviceName}.service"; journalmatch = "_SYSTEMD_UNIT=${value.serviceName}.service";
@@ -69,27 +68,26 @@ in
maxretry = 3; maxretry = 3;
action = "cloudflare-token-agenix"; action = "cloudflare-token-agenix";
}; };
}) cfg.jails; })
cfg.jails;
}; };
environment.etc = lib.attrsets.mergeAttrsList [ environment.etc = lib.attrsets.mergeAttrsList [
(lib.attrsets.mapAttrs' ( (lib.attrsets.mapAttrs' (
name: value: name: value: (lib.nameValuePair "fail2ban/filter.d/${name}.conf" {
(lib.nameValuePair "fail2ban/filter.d/${name}.conf" {
text = '' text = ''
[Definition] [Definition]
failregex = ${value.failRegex} failregex = ${value.failRegex}
ignoreregex = ${value.ignoreRegex} ignoreregex = ${value.ignoreRegex}
''; '';
}) })
) cfg.jails) )
cfg.jails)
{ {
"fail2ban/action.d/cloudflare-token-agenix.conf".text = "fail2ban/action.d/cloudflare-token-agenix.conf".text = let
let
notes = "Fail2Ban on ${config.networking.hostName}"; notes = "Fail2Ban on ${config.networking.hostName}";
cfapi = "https://api.cloudflare.com/client/v4/zones/${cfg.zoneId}/firewall/access_rules/rules"; cfapi = "https://api.cloudflare.com/client/v4/zones/${cfg.zoneId}/firewall/access_rules/rules";
in in ''
''
[Definition] [Definition]
actionstart = actionstart =
actionstop = actionstop =

30
modules/server/www/default.nix
View File

@@ -44,9 +44,11 @@ in {
server = { server = {
fail2ban = lib.mkIf config.server.www.enable { fail2ban = lib.mkIf config.server.www.enable {
jails = { jails = {
www = { nginx-404 = {
serviceName = "cnst.dev"; serviceName = "nginx";
failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$"; failRegex = ''^.*\[error\].*directory index of.* is forbidden.*client: <HOST>.*$'';
ignoreRegex = "";
maxRetry = 5;
}; };
}; };
}; };
@@ -64,14 +66,23 @@ in {
virtualHosts."webfinger" = { virtualHosts."webfinger" = {
forceSSL = false; forceSSL = false;
serverName = cfg.url; serverName = cfg.url;
root = "/etc/webfinger"; root = "/var/www/webfinger";
locations."= /.well-known/webfinger" = { locations."= /.well-known/webfinger" = {
root = "/etc/webfinger"; root = "/var/www/webfinger";
extraConfig = '' extraConfig = ''
default_type application/jrd+json; default_type application/jrd+json;
try_files /.well-known/webfinger =404; try_files /.well-known/webfinger =404;
''; '';
}; };
locations."= /robots.txt" = {
root = "/var/www/webfinger";
extraConfig = ''
default_type text/plain;
try_files /robots.txt =404;
'';
};
}; };
}; };
@@ -85,7 +96,8 @@ in {
}; };
}; };
environment.etc."webfinger/.well-known/webfinger".text = '' environment.etc = {
"webfinger/.well-known/webfinger".text = ''
{ {
"subject": "acct:adam@${cfg.url}", "subject": "acct:adam@${cfg.url}",
"links": [ "links": [
@@ -97,6 +109,12 @@ in {
} }
''; '';
"webfinger/robots.txt".text = ''
User-agent: *
Disallow: /
'';
};
services.traefik.dynamicConfigOptions.http = { services.traefik.dynamicConfigOptions.http = {
routers.webfinger = { routers.webfinger = {
entryPoints = ["websecure"]; entryPoints = ["websecure"];