| 12 Oct 2025 |
| @midirhee12:tchncs.de removed their profile picture. | 21:27:42 |
| @midirhee12:tchncs.de removed their display name midirhee12. | 21:28:17 |
| @midirhee12:tchncs.de left the room. | 21:28:28 |
| 13 Oct 2025 |
| KDK12 joined the room. | 11:41:46 |
KDK12 | Hi everyone!
I'm using fail2ban to secure my server — it works fine, but I'd like to block known bad IP addresses before they can access anything.
Currently, I have a small systemd service and timer that download a FireHOL blacklist daily and insert all the IPs into an nftables set.
Is there a more idiomatic or less DIY way to achieve this on NixOS? | 13:21:57 |
K900 | Honestly the correct answer is "just don't" | 13:26:32 |
K900 | Address-based blocklists are terrible and an adversary that can break ed25519 can do much more damage than pwning your seedbox | 13:27:05 |
K900 | fail2ban may have made sense when people were actually using password auth | 13:27:48 |
K900 | But as long as you're using public key auth, it's basically a non-issue, except for maybe DoS potential, but an attacker trying to DoS you can DoS anything else you're running just as well | 13:28:22 |
KDK12 | Fair point, thanks for the insight! | 13:53:05 |
| Ewan joined the room. | 15:28:40 |
| 14 Oct 2025 |
| chris joined the room. | 08:56:02 |
| 15 Oct 2025 |
| DenKn changed their display name from 𝔇𝔢𝔫𝔎𝔫 to DenKn. | 08:15:36 |
kraem | hey! on the lookout for a poe switch, fanless or very quiet, ideally openwrt compatible but not a must. i'm eyeing zyxel gs1900-8hp, any other i should check out? | 20:32:55 |
adamcstephens | HP 1920-8G JG920A would be a similar option that has no fan and can run openwrt | 20:51:03 |
adamcstephens | oh sorry, you said PoE. most (or all?) of the HP 1920 line is supported on openwrt. https://svanheule.net/switches/hpe_1920_series | 20:51:57 |
| 16 Oct 2025 |
| Nick changed their display name from norta to Nick. | 02:22:59 |
kraem | thanks, i'll check them out! | 05:25:16 |
| Sean Ross joined the room. | 23:03:26 |
Sean Ross | Does anyone know why, when using systemd without setting any networks ("I want to control these with my own .link and .network files"), I end up with a 40-lan1.network and a 40-wan1.network? I cannot find any definitions for these in my config files and they are symlinks to /etc/static/systemd/network/.
Here is my networking config
systemd = {
  network = {
    enable = true;
    wait-online.timeout = 2;
    networks."99-ethernet-default-dhcp".enable = lib.mkForce false;
    networks."99-wireless-client-dhcp".enable = lib.mkForce false;
  };
  services."systemd-networkd-wait-online".enable = lib.mkDefault false;
};
I can't even figure out how it chose the names lan1 and wan1
| 23:12:31 |
| 17 Oct 2025 |
ElvishJerricco | Sean Ross: those get made when you have networking.useNetworkd = true; and networking.interfaces.lan1 = .... and whatnot. The point of networking.useNetworkd isn't to just enable networkd or anything; it's to reimplement most of the networking.* options using networkd | 01:21:26 |
Sean Ross | ElvishJerricco: Thank you. I think in a config somewhere I do have networking.useNetworkd = true; but I don't believe there is anything set like networking.interfaces.<name> = {};. I'll take another look when I get a chance. | 01:24:16 |
ElvishJerricco | use nixos-rebuild repl to poke around and check out what the final values of things like builtins.attrNames config.networking.interfaces is | 01:24:53 |
Sean Ross | Ah, that is really helpful; I was wondering how to poke around in there. Does this also work with flakes? | 01:26:01 |
ElvishJerricco | should | 01:26:29 |
Sean Ross | looks like I needed to do something like sudo nixos-rebuild --flake "git+file:///etc/nixos/#<system_name>" repl and it appears it is in there somewhere.
nix-repl> builtins.attrNames config.networking.interfaces
[
"lan1"
"wan1"
]
| 01:30:40 |
ElvishJerricco | Sean Ross: You can look for the definitions with options.networking.interfaces.definitionsWithLocations I think | 01:42:10 |
Sean Ross | Thank you | 01:44:28 |
KDK12 | Hey! With NixOS’s OpenSSH service, is there a way to specify user-specific SSH configuration like this — especially the ForceCommand option?
Match User <user>
  ForceCommand <command>
  AllowTcpForwarding no
  PasswordAuthentication no
Or do I have to use services.openssh.extraConfig for that? | 08:54:11 |
magic_rb | Extra config afaik | 09:23:18 |