cnst/cnix
1
0
Fork 0
Code Issues Pull Requests Activity

Compare commits

base: cnst:revert
Branches Tags
cnst:main cnst:monitors cnst:working cnst:compare_broken cnst:revert cnst:broken
...
compare: cnst:67e83e3e4e2c6813623a31cf0bed8408e63cc6ab
Branches Tags
cnst:main cnst:monitors cnst:working cnst:compare_broken cnst:revert cnst:broken

3 Commits
revert ... 67e83e3e4e

Author SHA1 Message Date
cnst
67e83e3e4e feat(authentik): fixing some fail2ban things 2025-10-02 05:45:35 +02:00
cnst
923c810972 feat(authentik): fixing some fail2ban things 2025-10-01 18:00:55 +02:00
cnst
6ab35f4e91 feat(www): fixing fail2ban and other minor tweaks 2025-09-30 18:16:49 +02:00
5 changed files with 129 additions and 109 deletions
Expand all files Collapse all files

82
flake.lock generated
View File

@@ -114,11 +114,11 @@
"uv2nix": "uv2nix"
},
"locked": {
"lastModified": 1758177015,
"narHash": "sha256-PCUWdbaxayY3YfSjVlyddBMYoGvSaRysd5AmZ8gqSFs=",
"lastModified": 1759322529,
"narHash": "sha256-yiv/g/tiJI3PI95F7vhTnaf1TDsIkFLrmmFTjWfb6pQ=",
"owner": "nix-community",
"repo": "authentik-nix",
"rev": "4c626ed84cc0f1278bfba0f534efd6cba2788d75",
"rev": "69fac057b2e553ee17c9a09b822d735823d65a6c",
"type": "github"
},
"original": {
@@ -130,16 +130,16 @@
"authentik-src": {
"flake": false,
"locked": {
"lastModified": 1758035356,
"narHash": "sha256-DkvxDwHCfSqEpZ9rRXNR8MP0Mz/y1kHAr38exrHQ39c=",
"lastModified": 1759190535,
"narHash": "sha256-pIzDaoDWc58cY/XhsyweCwc4dfRvkaT/zqsV1gDSnCI=",
"owner": "goauthentik",
"repo": "authentik",
"rev": "680feaefa17934471a6b33ebc35caf5b64120404",
"rev": "8d3a289d12c7de2f244c76493af7880f70d08af2",
"type": "github"
},
"original": {
"owner": "goauthentik",
"ref": "version/2025.8.3",
"ref": "version/2025.8.4",
"repo": "authentik",
"type": "github"
}
@@ -153,11 +153,11 @@
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1759155412,
"narHash": "sha256-5JMoXMQt0C1SAHzhHwKLIEZ8/Q8f0vqBGxrMnmuOvJg=",
"lastModified": 1759235653,
"narHash": "sha256-sKFehUxXCzM6E1LcmnRa/O6HKsRI/TGtciG5ulAJt08=",
"owner": "chaotic-cx",
"repo": "nyx",
"rev": "ae7eac57b8dfc221270bb4f4752a87fe4f17ca11",
"rev": "2bf7f138e42fa8b2133761edab64263505cb83bf",
"type": "github"
},
"original": {
@@ -212,11 +212,11 @@
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1759128018,
"narHash": "sha256-30KHoIXMgyNQULifR1yQ5Sp0vr4tWpGRJXPOTgEzx1A=",
"lastModified": 1759301100,
"narHash": "sha256-hmiTEoVAqLnn80UkreCNunnRKPucKvcg5T4/CELEtbw=",
"owner": "nix-community",
"repo": "fenix",
"rev": "5c342209226275f704ab84d89efc80b2d3963517",
"rev": "0956bc5d1df2ea800010172c6bc4470d9a22cb81",
"type": "github"
},
"original": {
@@ -571,11 +571,11 @@
},
"hardware": {
"locked": {
"lastModified": 1758663926,
"narHash": "sha256-6CFdj7Xs616t1W4jLDH7IohAAvl5Dyib3qEv/Uqw1rk=",
"lastModified": 1759261527,
"narHash": "sha256-wPd5oGvBBpUEzMF0kWnXge0WITNsITx/aGI9qLHgJ4g=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "170ff93c860b2a9868ed1e1102d4e52cb3d934e1",
"rev": "e087756cf4abbe1a34f3544c480fc1034d68742f",
"type": "github"
},
"original": {
@@ -590,11 +590,11 @@
"rust-overlay": "rust-overlay_2"
},
"locked": {
"lastModified": 1758833221,
"narHash": "sha256-c3fpREWUKGonlmV/aesmyRxbJZQypHgXStR7SwdcCo0=",
"lastModified": 1759201995,
"narHash": "sha256-3STv6fITv8Ar/kl0H7vIA7VV0d2gyLh8UL0BOiVacXg=",
"owner": "helix-editor",
"repo": "helix",
"rev": "109c812233e442addccf1739dec4406248bd3244",
"rev": "bfcbef10c513108c7b43317569416c2eefc4ed44",
"type": "github"
},
"original": {
@@ -610,11 +610,11 @@
]
},
"locked": {
"lastModified": 1759106866,
"narHash": "sha256-GjLvAl7qxGxKtop6ghasxjQ1biTT7pA+WU45byzMl/4=",
"lastModified": 1759331616,
"narHash": "sha256-LVpodobJvJM5rmfh2sFBHPNX0PYpNbbHzx/gprlKGGg=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "619ae569293b6427d23cce4854eb4f3c33af3eec",
"rev": "5890176f856dcaf55f3ab56b25d4138657531cbd",
"type": "github"
},
"original": {
@@ -652,11 +652,11 @@
]
},
"locked": {
"lastModified": 1758928860,
"narHash": "sha256-ZqaRdd+KoR54dNJPtd7UX4O0X+02YItnTpQVu28lSVI=",
"lastModified": 1759172751,
"narHash": "sha256-E8W8sRXfrvkFW26GuuiWq6QfReU7m5+cngwHuRo/3jc=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "bc2afee55bc5d3b825287829d6592b9cc1405aad",
"rev": "12fa8548feefa9a10266ba65152fd1a787cdde8f",
"type": "github"
},
"original": {
@@ -803,11 +803,11 @@
"xdph": "xdph"
},
"locked": {
"lastModified": 1759148562,
"narHash": "sha256-kPSevFrZv/zmXy0rVhbZr2nQ4nXmt7lnI2/xqGoIVT4=",
"lastModified": 1759318697,
"narHash": "sha256-iCL/F+rlgzgBfG4QURfjBrxVBMPsXCzZKHXn1SNBshc=",
"owner": "hyprwm",
"repo": "hyprland",
"rev": "09596725910aab2a9defed250348aebeee40f842",
"rev": "e0c96276df75accc853a30186ae5de580b2c725f",
"type": "github"
},
"original": {
@@ -824,11 +824,11 @@
]
},
"locked": {
"lastModified": 1759123041,
"narHash": "sha256-O3dfYBYhsdjpELmyE1czkQfG2Jzh+pzsKMhPX3QVz80=",
"lastModified": 1759238633,
"narHash": "sha256-4/AtRCQKXuU49ozZZouWuC+T7vCjQh9HAz3N8Tt5OZE=",
"owner": "hyprwm",
"repo": "contrib",
"rev": "125043bea28e5f988f4e97250213948667a26b1c",
"rev": "513d71d3f42c05d6a38e215382c5a6ce971bd77d",
"type": "github"
},
"original": {
@@ -1626,11 +1626,11 @@
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1759060464,
"narHash": "sha256-37+iMpZOQ1m9SuOJTBlRK1R0IVPS7e95oQggK82UpLs=",
"lastModified": 1759245522,
"narHash": "sha256-H4Hx/EuMJ9qi1WzPV4UG2bbZiDCdREtrtDvYcHr0kmk=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "5c0b555a65cadc14a6a16865c3e065c9d30b0bef",
"rev": "a6bc4a4bbe6a65b71cbf76a0cf528c47a8d9f97f",
"type": "github"
},
"original": {
@@ -1648,11 +1648,11 @@
]
},
"locked": {
"lastModified": 1758940228,
"narHash": "sha256-sTS04L9LKqzP1oiVXYDwcMzfFSF0DnSJQFzZBpEgLFE=",
"lastModified": 1759113356,
"narHash": "sha256-xm4kEUcV2jk6u15aHazFP4YsMwhq+PczA+Ul/4FDKWI=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "5bfedf3fbbf5caf8e39f7fcd62238f54d82aa1e2",
"rev": "be3b8843a2be2411500f6c052876119485e957a2",
"type": "github"
},
"original": {
@@ -1923,11 +1923,11 @@
]
},
"locked": {
"lastModified": 1759072104,
"narHash": "sha256-2B5RObgBD/ptcC8rO6jI2o+0LWg3iG300wQlBYiyjec=",
"lastModified": 1759180079,
"narHash": "sha256-5hqTGqAKcLEumY3tqOtHK17CA6RkzS1I0EGKfuoyb58=",
"ref": "refs/heads/main",
"rev": "8db6527b42469df2ffd888e79fe15151888bdc0f",
"revCount": 134,
"rev": "d4a254b38c7ac2b99931220d767610adfa3a57fe",
"revCount": 135,
"type": "git",
"url": "https://git.sr.ht/~canasta/zen-browser-flake"
},

2
hosts/sobotka/modules.nix
View File

@@ -214,7 +214,7 @@
flags = "--performance";
};
tailscale = {
enable = true;
enable = false;
};
udisks = {
enable = true;

10
modules/server/authentik/default.nix
View File

@@ -54,10 +54,14 @@ in {
authentikEnv = {
file = "${self}/secrets/authentikEnv.age";
owner = "authentik";
group = "authentik";
mode = "0400";
};
authentikCloudflared = {
file = "${self}/secrets/authentikCloudflared.age";
owner = "authentik";
group = "authentik";
mode = "0400";
};
};
@@ -65,8 +69,8 @@ in {
fail2ban = lib.mkIf cfg.enable {
jails = {
authentik = {
serviceName = "${cfg.url}";
failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$";
serviceName = "authentik";
failRegex = "^.*Username or password is incorrect.*IP:\s*<HOST>";
};
};
};
@@ -99,7 +103,7 @@ in {
middlewares = {
authentik = {
forwardAuth = {
tls.insecureSkipVerify = true;
# tls.insecureSkipVerify = true;
address = "https://localhost:9443/outpost.goauthentik.io/auth/traefik";
trustForwardHeader = true;
authResponseHeaders = [

30
modules/server/fail2ban/default.nix
View File

@@ -4,11 +4,9 @@
config,
pkgs,
...
}:
let
}: let
cfg = config.server.fail2ban;
in
{
in {
options.server.fail2ban = {
enable = lib.mkEnableOption {
description = "Enable cloudflare fail2ban";
@@ -17,7 +15,7 @@ in
description = "File containing your API key, scoped to Firewall Rules: Edit";
type = lib.types.str;
example = lib.literalExpression ''
Authorization: Bearer Qj06My1wXJEzcW46QCyjFbSMgVtwIGfX63Ki3NOj79o=
Authorization: Bearer vH6-p0y=i4w3n7TjKqZ@x8D_lR!A9b2cOezXgUuJdE5F
'''
'';
};
@@ -57,10 +55,11 @@ in
pkgs.jq
];
jails = lib.attrsets.mapAttrs (name: value: {
jails =
lib.attrsets.mapAttrs (name: value: {
settings = {
bantime = "30d";
findtime = "1h";
bantime = "24h";
findtime = "10m";
enabled = true;
backend = "systemd";
journalmatch = "_SYSTEMD_UNIT=${value.serviceName}.service";
@@ -69,27 +68,26 @@ in
maxretry = 3;
action = "cloudflare-token-agenix";
};
}) cfg.jails;
})
cfg.jails;
};
environment.etc = lib.attrsets.mergeAttrsList [
(lib.attrsets.mapAttrs' (
name: value:
(lib.nameValuePair "fail2ban/filter.d/${name}.conf" {
name: value: (lib.nameValuePair "fail2ban/filter.d/${name}.conf" {
text = ''
[Definition]
failregex = ${value.failRegex}
ignoreregex = ${value.ignoreRegex}
'';
})
) cfg.jails)
)
cfg.jails)
{
"fail2ban/action.d/cloudflare-token-agenix.conf".text =
let
"fail2ban/action.d/cloudflare-token-agenix.conf".text = let
notes = "Fail2Ban on ${config.networking.hostName}";
cfapi = "https://api.cloudflare.com/client/v4/zones/${cfg.zoneId}/firewall/access_rules/rules";
in
''
in ''
[Definition]
actionstart =
actionstop =

30
modules/server/www/default.nix
View File

@@ -44,9 +44,11 @@ in {
server = {
fail2ban = lib.mkIf config.server.www.enable {
jails = {
www = {
serviceName = "cnst.dev";
failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$";
nginx-404 = {
serviceName = "nginx";
failRegex = ''^.*\[error\].*directory index of.* is forbidden.*client: <HOST>.*$'';
ignoreRegex = "";
maxRetry = 5;
};
};
};
@@ -64,14 +66,23 @@ in {
virtualHosts."webfinger" = {
forceSSL = false;
serverName = cfg.url;
root = "/etc/webfinger";
root = "/var/www/webfinger";
locations."= /.well-known/webfinger" = {
root = "/etc/webfinger";
root = "/var/www/webfinger";
extraConfig = ''
default_type application/jrd+json;
try_files /.well-known/webfinger =404;
'';
};
locations."= /robots.txt" = {
root = "/var/www/webfinger";
extraConfig = ''
default_type text/plain;
try_files /robots.txt =404;
'';
};
};
};
@@ -85,7 +96,8 @@ in {
};
};
environment.etc."webfinger/.well-known/webfinger".text = ''
environment.etc = {
"webfinger/.well-known/webfinger".text = ''
{
"subject": "acct:adam@${cfg.url}",
"links": [
@@ -97,6 +109,12 @@ in {
}
'';
"webfinger/robots.txt".text = ''
User-agent: *
Disallow: /
'';
};
services.traefik.dynamicConfigOptions.http = {
routers.webfinger = {
entryPoints = ["websecure"];