cleaned up config

configuration.nix

@@ -23,8 +23,8 @@
     ./modules/git.nix
     ./modules/nix-settings.nix
     ./modules/zfs.nix
+    ./modules/microvm.nix
 
-    (import ./modules/microvm.nix {routed = true;})
     (import ./modules/networking-shared.nix {hostname = "server";})
     (import ./modules/users.nix {main-user = "baritone";})
   ];
@@ -39,21 +39,11 @@
   # Enable microcode updates
   hardware.enableRedistributableFirmware = true;
 
-  # programs.zsh = {
-  #   enable = true;
-  #   enableGlobalCompInit = true;
-  #   shellAliases = {
-  #     "nrb" = "sudo nixos-rebuild switch --flake /etc/nixos";
-  #   };
-  # };
-
   environment.systemPackages = with pkgs; [
     wget
     curl
     git
     vim
-
-    inputs.agenix.packages."${system}".default
   ];
 
   programs.nano.enable = false;

modules/age.nix

@@ -1,8 +1,15 @@
-{config, ...}: {
+{
+  config,
+  pkgs,
+  inputs,
+  ...
+}: {
   age.identityPaths = [
     "/home/baritone/.ssh/id_ed25519"
   ];
   age.secrets = {
     forgejo-runner-token.file = ../secrets/forgejo-runner-token.age;
   };
+
+  environment.systemPackages = [inputs.agenix.packages."${pkgs.system}".default];
 }

modules/microvm.nix

@@ -1,4 +1,4 @@
-{routed ? false}: {
+{
   pkgs,
   config,
   ...

modules/zfs.nix

@@ -8,8 +8,4 @@
   environment.systemPackages = with pkgs; [
     zfs
   ];
-
-  # Microvm be fucking shit up
-  # fileSystems."/nix/store".fsType = lib.mkForce "zfs";
-  # fileSystems."/nix/store".device = lib.mkForce "zroot/nix/store";
 }

services/auto-torrent.nix

@@ -23,7 +23,10 @@
   ports-list = (pkgs.lib.attrsets.mapAttrsToList (name: value: value.port) ports) ++ [9091];
 in {
   microvm.autostart = [vm-name];
-  imports = [./nginx.nix];
+  imports = [
+    ./nginx.nix
+    ../modules/microvm.nix
+  ];
 
   users.extraUsers.microvm.extraGroups = [
     "jellyfin" # access to media folder

services/fail2ban.nix

@@ -3,8 +3,34 @@
   lib,
   config,
   ...
-}: {
-  services.fail2ban = {
+}: let
+  jails = {
+    forgejo = mkJail "forgejo" "^.*Failed authentication attempt for .* from <ADDR>.*$";
+    jellyfin = mkJail "jellyfin" "^.*Authentication request for .* has been denied \\(IP: <ADDR>\\)\\.";
+    sonarr = mkJail "sonarr" "^.*Auth-Failure ip <ADDR> username.*$";
+    radarr = mkJail "sonarr" "^.*Auth-Failure ip <ADDR> username.*$";
+    vaultwarden = mkJail "vaultwarden" "^.*Username or password is incorrect. Try again. IP: <ADDR>\\. Username: .*$";
+  };
+
+  mkJail = name: filter: {
+    jail.settings = {
+      enabled = true;
+      filter = name;
+      backend = "systemd";
+      port = "80,443";
+      maxretry = 8;
+      bantime = "24h";
+      findtime = "30m";
+      journalmatch = "_SYSTEMD_UNIT=${name}.service";
+    };
+    filter = ''
+      [Definition]
+      failregex = ${filter}
+    '';
+  };
+in {
+  services.fail2ban = let
+  in {
     enable = true;
 
     bantime = "24h";
@@ -15,106 +41,34 @@
       overalljails = true;
     };
 
-    jails = {
-      dovecot = lib.mkIf config.services.dovecot2.enable {
-        settings = {
-          # block IPs which failed to log-in
-          # aggressive mode add blocking for aborted connections
-          filter = "dovecot[mode=aggressive]";
-          maxretry = 3;
+    jails =
+      {
+        dovecot = lib.mkIf config.services.dovecot2.enable {
+          settings = {
+            # block IPs which failed to log-in
+            # aggressive mode add blocking for aborted connections
+            filter = "dovecot[mode=aggressive]";
+            maxretry = 3;
+          };
         };
-      };
-
-      jellyfin = lib.mkIf config.services.jellyfin.enable {
-        settings = {
-          filter = "jellyfin";
-          backend = "systemd";
-          enabled = true;
-          port = "80,443";
-          maxretry = 8;
-          bantime = "24h";
-          findtime = "30m";
-          journalmatch = "_SYSTEMD_UNIT=jellyfin.service";
-        };
-      };
-
-      forgejo = lib.mkIf config.services.forgejo.enable {
-        settings = {
-          filter = "forgejo";
-          backend = "systemd";
-          enabled = true;
-          port = "80,443";
-          maxretry = 8;
-          bantime = "24h";
-          findtime = "30m";
-          journalmatch = "_SYSTEMD_UNIT=forgejo.service";
-        };
-      };
-
-      sonarr = lib.mkIf (config.microvm.vms."auto-torrent" != null) {
-        settings = {
-          filter = "arr";
-          backend = "auto";
-          enabled = true;
-          port = "80,443";
-          maxretry = 8;
-          bantime = "24h";
-          findtime = "30m";
-          logpath = "/var/lib/auto-torrent/sonarr/logs/*.txt";
-        };
-      };
-      radarr = lib.mkIf (config.microvm.vms."auto-torrent" != null) {
-        settings = {
-          filter = "arr";
-          backend = "auto";
-          enabled = true;
-          port = "80,443";
-          maxretry = 8;
-          bantime = "24h";
-          findtime = "30m";
-          logpath = "/var/lib/auto-torrent/radarr/logs/*.txt";
-        };
-      };
-      vaultwarden = lib.mkIf config.services.vaultwarden.enable {
-        settings = {
-          filter = "vaultwarden";
-          backend = "systemd";
-          enabled = true;
-          port = "80,443";
-          maxretry = 8;
-          bantime = "24h";
-          findtime = "30m";
-          journalmatch = "_SYSTEMD_UNIT=vaultwarden.service";
-        };
-      };
-    };
+      }
+      // (lib.attrsets.mapAttrs (name: value: value.jail) jails);
   };
 
-  environment.etc = {
-    # Jellyfin
-    "fail2ban/filter.d/jellyfin.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
-      [Definition]
-      failregex = ^.*Authentication request for .* has been denied \(IP: <ADDR>\)\.
-    '');
-    # Forgejo
-    "fail2ban/filter.d/forgejo.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
-      [Definition]
-      failregex = ^.*Failed authentication attempt for .* from <ADDR>.*$
-    '');
-    # *arr
-    "fail2ban/filter.d/arr.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
-      [Definition]
-      failregex = ^.*Auth-Failure ip <ADDR> username.*$
-    '');
-    # Vaultwarden
-    "fail2ban/filter.d/vaultwarden.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
-      [Definition]
-      failregex = ^.*Username or password is incorrect. Try again. IP: <ADDR>\. Username: .*$
-    '');
-    # Defines a filter that detects URL probing by reading the Nginx access log
-    "fail2ban/filter.d/nginx-url-probe.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
-      [Definition]
-      failregex = ^<HOST>.*(GET /(wp-|admin|boaform|phpmyadmin|\.env|\.git)|\.(dll|so|cfm|asp)|(\?|&)(=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000|=PHPE9568F36-D428-11d2-A769-00AA001ACF42|=PHPE9568F35-D428-11d2-A769-00AA001ACF42|=PHPE9568F34-D428-11d2-A769-00AA001ACF42)|\\x[0-9a-zA-Z]{2})
-    '');
-  };
+  environment.etc =
+    {
+      # Defines a filter that detects URL probing by reading the Nginx access log
+      "fail2ban/filter.d/nginx-url-probe.local".text = lib.mkDefault (lib.mkAfter ''
+        [Definition]
+        failregex = ^<HOST>.*(GET /(wp-|admin|boaform|phpmyadmin|\.env|\.git)|\.(dll|so|cfm|asp)|(\?|&)(=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000|=PHPE9568F36-D428-11d2-A769-00AA001ACF42|=PHPE9568F35-D428-11d2-A769-00AA001ACF42|=PHPE9568F34-D428-11d2-A769-00AA001ACF42)|\\x[0-9a-zA-Z]{2})
+      '');
+    }
+    // (with lib.attrsets;
+      mapAttrs' (
+        name: value:
+          nameValuePair
+          "fail2ban/filter.d/${name}.local"
+          {text = lib.mkDefault (lib.mkAfter value.filter);}
+      )
+      jails);
 }

services/gitea-actions-runner.nix

@@ -3,7 +3,10 @@
   pkgs,
   ...
 }: {
-  imports = [./docker.nix];
+  imports = [
+    ./docker.nix
+    ../modules/age.nix
+  ];
   services.gitea-actions-runner = {
     package = pkgs.forgejo-runner;
     instances = {