From 3aadbea0ec0ba5717bc3c014cd744accef74f8b6 Mon Sep 17 00:00:00 2001
From: Peder Bergebakken Sundt
Date: Sun, 15 Jun 2025 02:14:37 +0200
Subject: [PATCH] ljdsalkjdsalkj
---
 base.nix | 1 +
 justfile | 3 +++
 profiles/http/default.nix | 28 ++++++++++++++++++++++++++--
 users/pbsds/home/profiles/ssh.nix | 1 +
 4 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/base.nix b/base.nix
index f82dfc1..3cf2d95 100644
--- a/base.nix
+++ b/base.nix
@@ -112,6 +112,7 @@
 nix.settings.keep-derivations = true; # keep .drv in store, great with nix-diff
 nix.settings.auto-optimise-store = true; # deduplicate with hardlinks, expensive. Alternative: nix-store --optimise
 nix.settings.max-silent-time = 3600;
+ nix.settings.connect-timeout = 5; # seconds timeout for binary caches
 #nix.settings.keep-failed = true; # fills up $TMPDIR
 nix.settings.log-lines = 35;
 #nix.optimize.automatic = true; # periodic optimization
diff --git a/justfile b/justfile
index a34777f..c6330f1 100644
--- a/justfile
+++ b/justfile
@@ -67,6 +67,9 @@ build-vm-and-run $hostname=`just _a_host` *_:
 @just build-vm "$hostname" "${@:2}"
 ./result/bin/run-"$hostname"-vm
+# build-home $user=`whoami`:
+# #!/usr/bin/env -S bash -euo pipefail
+
 test *_:
 sudo nixos-rebuild test --accept-flake-config --show-trace --flake . "$@"
diff --git a/profiles/http/default.nix b/profiles/http/default.nix
index 0eb4d6b..b5e1cb3 100644
--- a/profiles/http/default.nix
+++ b/profiles/http/default.nix
@@ -86,7 +86,31 @@ in
 extraConfig = "return 444;";
 };
- /** /
+ # https://wiki.nixos.org/wiki/Fail2ban
+ # Defines a filter that detects URL probing by reading the Nginx access log
+ /*--* /
+ environment.etc."fail2ban/filter.d/nginx-url-probe.local".text = lib.mkDefault (lib.mkAfter ''
+ [Definition]
+ failregex = ^.*(GET /(wp-|admin|boaform|phpmyadmin|\.env|\.git)|\.(dll|so|cfm|asp)|(\?|&)(=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000|=PHPE9568F36-D428-11d2-A769-00AA001ACF42|=PHPE9568F35-D428-11d2-A769-00AA001ACF42|=PHPE9568F34-D428-11d2-A769-00AA001ACF42)|\\x[0-9a-zA-Z]{2})
+ '');
+ services.fail2ban.enable = true;
+ services.fail2ban.jails = {
+ nginx-url-probe.settings = {
+ enabled = true;
+ filter = "nginx-url-probe";
+ logpath = "/var/log/nginx/access.log";
+ backend = "auto"; # Do not forget to specify this if your jail uses a log file
+ action = ''
+ %(action_)s[blocktype=DROP]
+ ntfy
+ '';
+ maxretry = 5;
+ findtime = 600;
+ };
+ };
+ /**/
+
+ /*--* /
 services.nginx.virtualHosts."" = {
 default = true;
 forceSSL = false;
@@ -100,7 +124,7 @@ in
 # Website tunnel
 # TODO: remove
- /** /
+ /*--* /
 services.nginx.virtualHosts.${config.networking.fqdn} = {
 forceSSL = true; # addSSL = true;
 enableACME = true;
diff --git a/users/pbsds/home/profiles/ssh.nix b/users/pbsds/home/profiles/ssh.nix
index 45df131..cf7d08e 100644
--- a/users/pbsds/home/profiles/ssh.nix
+++ b/users/pbsds/home/profiles/ssh.nix
@@ -21,6 +21,7 @@
 programs.ssh.enable = true;
 programs.ssh.controlMaster = "yes";
 programs.ssh.compression = true;
+ programs.ssh.includes = [ "~/.ssh/config.d/*" ];
 programs.ssh.matchBlocks = {
 "*".serverAliveInterval = 10;
 "*".serverAliveCountMax = 3;
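Review bot: The fail2ban configuration added in the @@ -86 hunk is inert, because the `/*--* /` line before `environment.etc."fail2ban/filter.d/nginx-url-probe.local"` opens a Nix block comment (only `*/` closes one, and `* /` does not) that runs to the `/**/` after `findtime = 600;`, so the filter, `services.fail2ban.enable = true;` and the jail are commented out exactly as the old `/** /` toggle commented out the vhost below. If the jail is meant to be active, that opener should be the empty comment `/**/`, while the `/*--* /` re-used at @@ -100 keeps the tunnel vhost disabled as before, which looks intended. Separately, the `failregex` as shown begins `^.*` with no `<HOST>` tag; fail2ban rejects a failregex that has no host/failure-id group, so unless the tag was lost in rendering it should begin `failregex = ^<HOST>.*(GET /(wp-|...`. The `ntfy` entry in `action` is not a stock fail2ban action, so it has to be provided under action.d on this host or the jail will fail to start; a comment naming where it is defined would help the next reader.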
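Review bot: `programs.ssh.includes = [ "~/.ssh/config.d/*" ];` pulls unmanaged files into the generated ssh config, and because ssh uses the first value it obtains for each option, a `Host *` or matching entry in one of those files takes precedence over the `"*"` match block below whenever the `Include` line is emitted above the match blocks (home-manager appears to place it at the top of the file; worth confirming). Narrowing the glob to `"~/.ssh/config.d/*.conf"` keeps editor backups and stray files out of the configuration, and a one-line comment stating what is expected to live in that directory (per-machine hosts not tracked in this repo, presumably) would document the intent. The enclosing attribute set continues outside the hunk.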