broken 2

chore(revert): slowly introducing changes
feat(authentik): fixing some fail2ban things
2025-10-05 10:02:39 +02:00 · 2025-10-05 09:27:51 +02:00 · 2025-10-02 05:45:35 +02:00 · 2025-10-01 18:00:55 +02:00 · 2025-09-30 18:16:49 +02:00
9 changed files with 118 additions and 101 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -212,11 +212,11 @@
        "rust-analyzer-src": "rust-analyzer-src"
      },
      "locked": {
-        "lastModified": 1759560021,
+        "lastModified": 1759646430,
-        "narHash": "sha256-J/rtMKVUAEqOFj0ogvcHKK8HbaKhw+tiNrDOpEM+ZDY=",
+        "narHash": "sha256-V8mjmGzi9nS7BZfhpzYAOUg3BcCsC6MrEh9xlKq3+7s=",
        "owner": "nix-community",
        "repo": "fenix",
-        "rev": "6ffcbf59c119b0c6384c7d98f18cea06a9af7e9c",
+        "rev": "b326bea4d58c9a58b346f17c710538eac00f71d1",
        "type": "github"
      },
      "original": {
@@ -590,11 +590,11 @@
        "rust-overlay": "rust-overlay_2"
      },
      "locked": {
-        "lastModified": 1759201995,
+        "lastModified": 1759605748,
-        "narHash": "sha256-3STv6fITv8Ar/kl0H7vIA7VV0d2gyLh8UL0BOiVacXg=",
+        "narHash": "sha256-qALSaIE4fbTo0wbPjEp7RZKbtFk1cDhRZ0BYOHW0JwQ=",
        "owner": "helix-editor",
        "repo": "helix",
-        "rev": "bfcbef10c513108c7b43317569416c2eefc4ed44",
+        "rev": "6fffaf6a7ded9a12fb2d5715a4eb83787a5e6402",
        "type": "github"
      },
      "original": {
@@ -824,11 +824,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1759238633,
+        "lastModified": 1759613406,
-        "narHash": "sha256-4/AtRCQKXuU49ozZZouWuC+T7vCjQh9HAz3N8Tt5OZE=",
+        "narHash": "sha256-PzgQJydp+RlKvwDi807pXPlURdIAVqLppZDga3DwPqg=",
        "owner": "hyprwm",
        "repo": "contrib",
-        "rev": "513d71d3f42c05d6a38e215382c5a6ce971bd77d",
+        "rev": "32e1a75b65553daefb419f0906ce19e04815aa3a",
        "type": "github"
      },
      "original": {
@@ -1278,11 +1278,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1759455985,
+        "lastModified": 1759629535,
-        "narHash": "sha256-8qDv7NXH3fj1CDXed7c7vJLtrRKDZSo0x6TaWSfelVg=",
+        "narHash": "sha256-VIXcJ2ahRgoqIUySwAz3r5mtITO2dp6tXGCVKVW6FmA=",
        "owner": "fufexan",
        "repo": "nix-gaming",
-        "rev": "eb5ab503cbd3cb386e8d85a55a9faed73ec7dc37",
+        "rev": "df388c42b54714bd121796a9cec9322b7fa2894e",
        "type": "github"
      },
      "original": {
@@ -1626,11 +1626,11 @@
    "rust-analyzer-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1759301569,
+        "lastModified": 1759601486,
-        "narHash": "sha256-7StxDed3v2fAWLkl+Hse9FlpjT7Dk7Cn/4vxTFyEhIg=",
+        "narHash": "sha256-ZywfLIFtRr907us1tONwUJLeg3ssO4D01XBFHx7RdAo=",
        "owner": "rust-lang",
        "repo": "rust-analyzer",
-        "rev": "472037b789cf593172d6adf3b8d9f7a429f6cd9b",
+        "rev": "4ae99f0150c94f4bdf7192b4447f512ece3546fd",
        "type": "github"
      },
      "original": {
--- a/hosts/kima/modules.nix
+++ b/hosts/kima/modules.nix
@@ -216,7 +216,7 @@
        flags = "--performance";
      };
      tailscale = {
-        enable = true;
+        enable = false;
      };
      udisks = {
        enable = true;
--- a/hosts/sobotka/modules.nix
+++ b/hosts/sobotka/modules.nix
@@ -214,7 +214,7 @@
        flags = "--performance";
      };
      tailscale = {
-        enable = true;
+        enable = false;
      };
      udisks = {
        enable = true;
--- a/modules/server/authentik/default.nix
+++ b/modules/server/authentik/default.nix
@@ -54,10 +54,14 @@ in {
      authentikEnv = {
        file = "${self}/secrets/authentikEnv.age";
        owner = "authentik";
        group = "authentik";
        mode = "0400";
      };
      authentikCloudflared = {
        file = "${self}/secrets/authentikCloudflared.age";
        owner = "authentik";
        group = "authentik";
        mode = "0400";
      };
    };
@@ -65,8 +69,8 @@ in {
      fail2ban = lib.mkIf cfg.enable {
        jails = {
          authentik = {
-            serviceName = "${cfg.url}";
+            serviceName = "authentik";
-            failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$";
+            failRegex = "^.*Username or password is incorrect.*IP:\s*<HOST>";
          };
        };
      };
@@ -99,7 +103,7 @@ in {
            middlewares = {
              authentik = {
                forwardAuth = {
-                  tls.insecureSkipVerify = true;
+                  # tls.insecureSkipVerify = true;
                  address = "https://localhost:9443/outpost.goauthentik.io/auth/traefik";
                  trustForwardHeader = true;
                  authResponseHeaders = [
@@ -115,6 +119,7 @@ in {
                    "X-authentik-meta-app"
                    "X-authentik-meta-version"
                  ];
                  timeout = "10s";
                };
              };
            };
--- a/modules/server/fail2ban/default.nix
+++ b/modules/server/fail2ban/default.nix
@@ -4,11 +4,9 @@
  config,
  pkgs,
  ...
-}:
+}: let
 let
  cfg = config.server.fail2ban;
-in
+in {
 {
  options.server.fail2ban = {
    enable = lib.mkEnableOption {
      description = "Enable cloudflare fail2ban";
@@ -17,7 +15,7 @@ in
      description = "File containing your API key, scoped to Firewall Rules: Edit";
      type = lib.types.str;
      example = lib.literalExpression ''
-        Authorization: Bearer Qj06My1wXJEzcW46QCyjFbSMgVtwIGfX63Ki3NOj79o=
+        Authorization: Bearer vH6-p0y=i4w3n7TjKqZ@x8D_lR!A9b2cOezXgUuJdE5F
        '''
      '';
    };
@@ -57,10 +55,11 @@ in
        pkgs.jq
      ];
-      jails = lib.attrsets.mapAttrs (name: value: {
+      jails =
        lib.attrsets.mapAttrs (name: value: {
          settings = {
-          bantime = "30d";
+            bantime = "24h";
-          findtime = "1h";
+            findtime = "10m";
            enabled = true;
            backend = "systemd";
            journalmatch = "_SYSTEMD_UNIT=${value.serviceName}.service";
@@ -69,27 +68,26 @@ in
            maxretry = 3;
            action = "cloudflare-token-agenix";
          };
-      }) cfg.jails;
+        })
        cfg.jails;
    };
    environment.etc = lib.attrsets.mergeAttrsList [
      (lib.attrsets.mapAttrs' (
-        name: value:
+          name: value: (lib.nameValuePair "fail2ban/filter.d/${name}.conf" {
        (lib.nameValuePair "fail2ban/filter.d/${name}.conf" {
            text = ''
              [Definition]
              failregex = ${value.failRegex}
              ignoreregex = ${value.ignoreRegex}
            '';
          })
-      ) cfg.jails)
+        )
        cfg.jails)
      {
-        "fail2ban/action.d/cloudflare-token-agenix.conf".text =
+        "fail2ban/action.d/cloudflare-token-agenix.conf".text = let
          let
          notes = "Fail2Ban on ${config.networking.hostName}";
          cfapi = "https://api.cloudflare.com/client/v4/zones/${cfg.zoneId}/firewall/access_rules/rules";
-          in
+        in ''
          ''
          [Definition]
          actionstart =
          actionstop =
--- a/modules/server/www/default.nix
+++ b/modules/server/www/default.nix
@@ -4,11 +4,18 @@
  pkgs,
  self,
  ...
-}: let
+}:
-  inherit (lib) mkOption mkEnableOption mkIf types;
+let
  inherit (lib)
    mkOption
    mkEnableOption
    mkIf
    types
    ;
  cfg = config.server.www;
  srv = config.server;
-in {
+in
 {
  options.server.www = {
    enable = mkEnableOption {
      description = "Enable personal website";
@@ -44,9 +51,11 @@ in {
    server = {
      fail2ban = lib.mkIf config.server.www.enable {
        jails = {
-          www = {
+          nginx-404 = {
-            serviceName = "cnst.dev";
+            serviceName = "nginx";
-            failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$";
+            failRegex = ''^.*\[error\].*directory index of.* is forbidden.*client: <HOST>.*$'';
            ignoreRegex = "";
            maxRetry = 5;
          };
        };
      };
@@ -64,14 +73,23 @@ in {
        virtualHosts."webfinger" = {
          forceSSL = false;
          serverName = cfg.url;
-          root = "/etc/webfinger";
+          root = "/var/www/webfinger";
          locations."= /.well-known/webfinger" = {
-            root = "/etc/webfinger";
+            root = "/var/www/webfinger";
            extraConfig = ''
              default_type application/jrd+json;
              try_files /.well-known/webfinger =404;
            '';
          };
          locations."= /robots.txt" = {
            root = "/var/www/webfinger";
            extraConfig = ''
              default_type text/plain;
              try_files /robots.txt =404;
            '';
          };
        };
      };
@@ -85,7 +103,8 @@ in {
      };
    };
-    environment.etc."webfinger/.well-known/webfinger".text = ''
+    environment.etc = {
      "webfinger/.well-known/webfinger".text = ''
        {
          "subject": "acct:adam@${cfg.url}",
          "links": [
@@ -97,6 +116,12 @@ in {
        }
      '';
      "webfinger/robots.txt".text = ''
        User-agent: *
        Disallow: /
      '';
    };
    services.traefik.dynamicConfigOptions.http = {
      routers.webfinger = {
        entryPoints = [ "websecure" ];
--- a/secrets/nginxEnv.age
+++ b/secrets/nginxEnv.age
@@ -1,11 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 t9iOEg pfPhWigjvnJ5tfVv8qPpk3VYvLH9I01HVVbpu+r2NjY
 Kaj8aZv+9pSYjwoE7EHWGHfsZIPFZOgUVaKf8VxWKcQ
 -> ssh-ed25519 KUYMFA 9Xy82Cl3HUQcFDcJMxxnnIfLOngW8xLfVE0S1wRliGg
 mOOcyJp5+ZqFwdkZkHC63+cMA0ToGcuI6kqMjAJ9jJk
 -> ssh-ed25519 76RhUQ +OvUSQwpy6+xxlom8bJFn8CBdSKECa9YY0U+YYNYdGM
 MWfmfGzd6/lOPvggUG8uJgBAp1CTqSdk+NDkk7vSQEQ
 -> ssh-ed25519 Jf8sqw jQR/wT/+f63cJdFzR/Ogw6pdiYXoyVNu1+UCni2BYSM
 Iicwg/XJJskvWFmAbxFDh3gSJyjid5fw9JXmDJPhzkU
 --- xK8vBWioTgSDPHkKh7SJxstCzYtUSmTz6QuN/+niFME
 <08><>f<<3C>`VR<56><52>p<><70>)>|<7C>+aئI<D8A6>g<08><0B><><EFBFBD><EFBFBD><EFBFBD><19><>x<EFBFBD><78>HH+<2B>緭<EFBFBD><E7B7AD>o>$4H<><48><EFBFBD>缂<EFBFBD>B?<3F>l6TSqμ<71>Ǿ<EFBFBD><C7BE>Kj-l
--- a/secrets/traefikEnv.age
+++ b/secrets/traefikEnv.age
--- a/users/cnst/modules/kimamod.nix
+++ b/users/cnst/modules/kimamod.nix
@@ -11,7 +11,7 @@
        enable = true;
      };
      chromium = {
-        enable = true;
+        enable = false;
      };
      discord = {
        enable = true;
Author	SHA1	Message	Date
cnst	d53bf7546a	broken 2	2025-10-05 10:02:39 +02:00
cnst	c9edc99a85	chore(revert): slowly introducing changes	2025-10-05 09:27:51 +02:00
cnst	67e83e3e4e	feat(authentik): fixing some fail2ban things	2025-10-02 05:45:35 +02:00
cnst	923c810972	feat(authentik): fixing some fail2ban things	2025-10-01 18:00:55 +02:00
cnst	6ab35f4e91	feat(www): fixing fail2ban and other minor tweaks	2025-09-30 18:16:49 +02:00