From c998c99bfcbfe071a765cad6f53f18d8f15c6673 Mon Sep 17 00:00:00 2001
From: jasmine
Date: Sat, 31 Jan 2026 14:13:08 +0800
Subject: [PATCH 1/4] refactor(traefik): remove geoblock middleware in favor of crowdsec
Geoblocking is easily bypassed via VPNs and provides false security. CrowdSec handles this better with behavioral detection.
---
 README.md | 2 +-
 nixos/viridian/services/traefik/default.nix | 9 +--
 .../viridian/services/traefik/middlewares.nix | 56 -------------------
 3 files changed, 2 insertions(+), 65 deletions(-)
diff --git a/README.md b/README.md
index b72b6c6..fe0cc4b 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@ Based upon [Misterio77's starter configs](https://github.com/Misterio77/nix-star
 * __Opt-in persistence with ephemeral btrfs root and 14-day snapshot retention.__
 * __Snapper automated snapshots with tiered retention (24h/7d/4w/12m).__
 * __Automated borgbackup of mutable service and container data.__
-* __Traefik reverse proxy with geoblock and crowdsec security middleware.__
+* __Traefik reverse proxy with crowdsec security middleware.__
 * __Secrets managed with agenix and rekeyed with yubikey.__
 * __Standalone nixvim configuration for neovim.__
 * __Custom haskell packages for xmonad & xmobar.__
diff --git a/nixos/viridian/services/traefik/default.nix b/nixos/viridian/services/traefik/default.nix
index 0e59b4b..8d736cc 100644
--- a/nixos/viridian/services/traefik/default.nix
+++ b/nixos/viridian/services/traefik/default.nix
@@ -70,13 +70,7 @@
 # Install plugins
 experimental.plugins = {
- # Block or allow requests based on their country of origin.
- geoblock = {
- moduleName = "github.com/PascalMinder/geoblock";
- version = "v0.2.7";
- };
-
- # Authorize or block requests from IPs based on there reputation and behaviour.
+ # Authorize or block requests from IPs based on their reputation and behaviour.
 bouncer = {
 moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
 version = "v1.3.5";
@@ -101,7 +95,6 @@
 # Enable some middlewares on all routers that use this entrypoint
 http.middlewares = [
- "geoblock@file"
 "crowdsec@file"
 ];
diff --git a/nixos/viridian/services/traefik/middlewares.nix b/nixos/viridian/services/traefik/middlewares.nix
index 0f2f474..13aa305 100644
--- a/nixos/viridian/services/traefik/middlewares.nix
+++ b/nixos/viridian/services/traefik/middlewares.nix
@@ -1,62 +1,6 @@
 {...}: {
 # Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service
 services.traefik.dynamicConfigOptions.http.middlewares = {
- # Restrict access based on geo-location
- geoblock.plugin.geoblock = {
- silentStartUp = "false";
- allowLocalRequests = "true";
- # If set to true will show a log message
- logLocalRequests = "false";
- logAllowedRequests = "false";
- logApiRequests = "false";
- # Application programming interface
- api = "https://get.geojs.io/v1/ip/country/{ip}";
- apiTimeoutMs = "750";
- # Max size of least recently used cache
- cacheSize = "25";
- # OFAC (US) sanctions list
- countries = [
- "AF" # Afghanistan
- "AL" # Albania
- "BA" # Bosnia and Herzegovina
- "BY" # Belarus
- "CF" # Central African Republic (the)
- "CN" # China
- "CD" # Congo (the Democratic Republic of the)
- "CU" # Cuba
- "ET" # Ethiopia
- "HK" # Hong Kong
- "IR" # Iran (Islamic Republic of)
- "IQ" # Iraq
- "KP" # Korea (the Democratic People's Republic of)
- "LB" # Lebanon
- "LY" # Libya
- "ML" # Mali
- "ME" # Montenegro
- "MM" # Myanmar
- "MK" # Republic of North Macedonia
- "NI" # Nicaragua
- "RU" # Russian Federation (the)
- "RS" # Serbia
- "SO" # Somalia
- "SS" # South Sudan
- "SD" # Sudan (the)
- "SY" # Syrian Arab Republic
- "UA" # Ukraine
- "VE" # Venezuela (Bolivarian Republic of)
- "YE" # Yemen
- ];
- # Inverts filter logic
- blackListMode = "true";
- # Unknown Countries (IPs with no country association)
- allowUnknownCountries = "false";
- unknownCountryApiResponse = "nil";
- # Adds the X-IPCountry header to the HTTP request header.
- addCountryHeader = "false";
- # Even if an IP stays in the cache for a period of a month, it must be fetch again after a month.
- forceMonthlyUpdate = "true";
- };
-
 # Intrusion Prevention System
 crowdsec.plugin.bouncer = {
 enabled = "true";
From dac743a7c0ff579078e3bee4686665f2a0328a74 Mon Sep 17 00:00:00 2001
From: jasmine
Date: Sat, 31 Jan 2026 14:14:44 +0800
Subject: [PATCH 2/4] fix(editors): update nix-jetbrains-plugins API usage
---
 home-manager/sajenim/features/editors/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/home-manager/sajenim/features/editors/default.nix b/home-manager/sajenim/features/editors/default.nix
index a8c2e7f..2860b37 100644
--- a/home-manager/sajenim/features/editors/default.nix
+++ b/home-manager/sajenim/features/editors/default.nix
@@ -30,8 +30,8 @@
 inputs.nixvim.packages.${pkgs.stdenv.hostPlatform.system}.default
 ]
 # Install jetbrains IDEs with plugins
- ++ (with inputs.nix-jetbrains-plugins.lib."${pkgs.stdenv.hostPlatform.system}"; [
- (buildIdeWithPlugins pkgs.jetbrains "idea" [
+ ++ (with inputs.nix-jetbrains-plugins.lib; [
+ (buildIdeWithPlugins pkgs "idea" [
 "IdeaVIM"
 "gruvbox-material-dark"
 ])
From 804c272ae7c4229900a54ead9c186d5052f02743 Mon Sep 17 00:00:00 2001
From: jasmine
Date: Sat, 31 Jan 2026 14:15:16 +0800
Subject: [PATCH 3/4] chore: update xmonad-config input
---
 flake.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/flake.lock b/flake.lock
index ef583e1..5b33cb7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1192,10 +1192,10 @@ "nixpkgs": "nixpkgs_12" }, "locked": { - "lastModified": 1769621096, - "narHash": "sha256-qKR+FBbXsyAHXeLKLJ5HsBUwamCCLWBHI28uKj/SURY=", + "lastModified": 1769795109, + "narHash": "sha256-/BejBIiwZiAH5OQghBkMCouEEoVS/6UkNLY5A/nb9/U=", "ref": "refs/heads/master", - "rev": "3b31789a36db77a08af94365d355b70bfb25a7d2", + "rev": "719ef7a115786d749464f6faeba5aeae5af9e764", "revCount": 53, "type": "git", "url": "https://git.sajenim.dev/jasmine/xmonad-config.git"
From f9189467239d5b6ee36cd009ae6276db5f71893a Mon Sep 17 00:00:00 2001
From: jasmine
Date: Sat, 31 Jan 2026 14:29:27 +0800
Subject: [PATCH 4/4] Revert "refactor(traefik): remove geoblock middleware in favor of crowdsec"
This reverts commit c998c99bfcbfe071a765cad6f53f18d8f15c6673.
---
 README.md | 2 +-
 nixos/viridian/services/traefik/default.nix | 9 ++-
 .../viridian/services/traefik/middlewares.nix | 56 +++++++++++++++++++
 3 files changed, 65 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index fe0cc4b..b72b6c6 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@ Based upon [Misterio77's starter configs](https://github.com/Misterio77/nix-star
 * __Opt-in persistence with ephemeral btrfs root and 14-day snapshot retention.__
 * __Snapper automated snapshots with tiered retention (24h/7d/4w/12m).__
 * __Automated borgbackup of mutable service and container data.__
-* __Traefik reverse proxy with crowdsec security middleware.__
+* __Traefik reverse proxy with geoblock and crowdsec security middleware.__
 * __Secrets managed with agenix and rekeyed with yubikey.__
 * __Standalone nixvim configuration for neovim.__
 * __Custom haskell packages for xmonad & xmobar.__
diff --git a/nixos/viridian/services/traefik/default.nix b/nixos/viridian/services/traefik/default.nix
index 8d736cc..0e59b4b 100644
--- a/nixos/viridian/services/traefik/default.nix
+++ b/nixos/viridian/services/traefik/default.nix
@@ -70,7 +70,13 @@
 # Install plugins
 experimental.plugins = {
- # Authorize or block requests from IPs based on their reputation and behaviour.
+ # Block or allow requests based on their country of origin.
+ geoblock = {
+ moduleName = "github.com/PascalMinder/geoblock";
+ version = "v0.2.7";
+ };
+
+ # Authorize or block requests from IPs based on there reputation and behaviour.
 bouncer = {
 moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
 version = "v1.3.5";
@@ -95,6 +101,7 @@
 # Enable some middlewares on all routers that use this entrypoint
 http.middlewares = [
+ "geoblock@file"
 "crowdsec@file"
 ];
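Review bot: The restored comment `# Authorize or block requests from IPs based on there reputation and behaviour.` in the `experimental.plugins` hunk brings back the typo that the reverted commit had corrected; keep the corrected line `# Authorize or block requests from IPs based on their reputation and behaviour.` even while reverting the rest. Both plugins are pinned only by `moduleName` plus a version tag (`v0.2.7`, `v1.3.5`), which as far as I know Traefik resolves from its plugin catalog at startup, so these are tag pins rather than content pins and a short comment saying so (e.g. `# Plugins are fetched by tag at Traefik startup; review before bumping`) would make that trust boundary visible to the next reader. The revert message gives no reason for reinstating geoblock after the reverted commit argued it is easily bypassed; recording the intended role of the country filter next to crowdsec (the second hunk puts `"geoblock@file"` ahead of `"crowdsec@file"`, so it runs first) would help.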
diff --git a/nixos/viridian/services/traefik/middlewares.nix b/nixos/viridian/services/traefik/middlewares.nix
index 13aa305..0f2f474 100644
--- a/nixos/viridian/services/traefik/middlewares.nix
+++ b/nixos/viridian/services/traefik/middlewares.nix
@@ -1,6 +1,62 @@
 {...}: {
 # Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service
 services.traefik.dynamicConfigOptions.http.middlewares = {
+ # Restrict access based on geo-location
+ geoblock.plugin.geoblock = {
+ silentStartUp = "false";
+ allowLocalRequests = "true";
+ # If set to true will show a log message
+ logLocalRequests = "false";
+ logAllowedRequests = "false";
+ logApiRequests = "false";
+ # Application programming interface
+ api = "https://get.geojs.io/v1/ip/country/{ip}";
+ apiTimeoutMs = "750";
+ # Max size of least recently used cache
+ cacheSize = "25";
+ # OFAC (US) sanctions list
+ countries = [
+ "AF" # Afghanistan
+ "AL" # Albania
+ "BA" # Bosnia and Herzegovina
+ "BY" # Belarus
+ "CF" # Central African Republic (the)
+ "CN" # China
+ "CD" # Congo (the Democratic Republic of the)
+ "CU" # Cuba
+ "ET" # Ethiopia
+ "HK" # Hong Kong
+ "IR" # Iran (Islamic Republic of)
+ "IQ" # Iraq
+ "KP" # Korea (the Democratic People's Republic of)
+ "LB" # Lebanon
+ "LY" # Libya
+ "ML" # Mali
+ "ME" # Montenegro
+ "MM" # Myanmar
+ "MK" # Republic of North Macedonia
+ "NI" # Nicaragua
+ "RU" # Russian Federation (the)
+ "RS" # Serbia
+ "SO" # Somalia
+ "SS" # South Sudan
+ "SD" # Sudan (the)
+ "SY" # Syrian Arab Republic
+ "UA" # Ukraine
+ "VE" # Venezuela (Bolivarian Republic of)
+ "YE" # Yemen
+ ];
+ # Inverts filter logic
+ blackListMode = "true";
+ # Unknown Countries (IPs with no country association)
+ allowUnknownCountries = "false";
+ unknownCountryApiResponse = "nil";
+ # Adds the X-IPCountry header to the HTTP request header.
+ addCountryHeader = "false";
+ # Even if an IP stays in the cache for a period of a month, it must be fetch again after a month.
+ forceMonthlyUpdate = "true";
+ };
+
 # Intrusion Prevention System
 crowdsec.plugin.bouncer = {
 enabled = "true";
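Review bot: The restored `api = "https://get.geojs.io/v1/ip/country/{ip}";` places a third-party lookup in the request path of every router this middleware is attached to and discloses each uncached client address to that service, and with `cacheSize = "25"` most requests on a busy host will trigger a lookup; the block says nothing about what happens when that lookup fails or exceeds `apiTimeoutMs = "750"`. Presumably such a request then falls under `allowUnknownCountries = "false"` and is denied, which makes the availability of every fronted service depend on geojs.io, so this is worth confirming against the plugin and recording next to those options, e.g. `# TODO(review): confirm lookup timeouts are treated as unknown country (fail closed) and that the availability dependency on geojs.io is acceptable`. The `# OFAC (US) sanctions list` comment would also benefit from a date or source reference, since the list is maintained by hand here and nothing ties it to a published revision.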