| 8 Oct 2025 |
 K900 | It will be used first, but that's generally not an issue, and you can always SSH into your VM even if DNS is broken | 08:12:55 |
 magic_rb | resloved will try the hardconfigured DNS first, but you can get it to ignore DHCP DNS entries completely. Or specify that you want to only use those for certain domains. I do that on my laptop, .lan is configured to go to my home router, everything else goes to my DoT proxy on my home server | 08:16:28 |
|  @haauler:matrix.org left the room. | 10:43:45 |
|  @felix.schroeter:scs.ems.host changed their display name from Felix Schröter (🌄 29.09. – 05.10.) to Felix Schröter. | 13:09:16 |
| 9 Oct 2025 |
|  srhb set a profile picture. | 07:08:19 |
|  Anton (he/him) joined the room. | 16:08:01 |
| 10 Oct 2025 |
 m0lok | I'm trying to run tailscale inside a nixos container | 16:51:25 |
| m0lok | gm gm | 16:51:32 |
| m0lok | but for some reason even if I have internet, I get this route ip+net: no such network interface | 16:51:57 |
| m0lok | I'm using a bridge for networking | 16:52:15 |
| m0lok | I had to enable tun :D | 16:55:35 |
| m0lok | mmm for some reason the tailscale on the podman container failed | 23:04:42 |
| 11 Oct 2025 |
|  midischwarz12 joined the room. | 20:34:07 |
| K900 | Woo new regdb update | 21:13:41 |
| K900 | And still no https://lore.kernel.org/wireless-regdb/20250708-russia-320-v1-1-53641e8dd417@0upti.me/T/#u | 21:13:43 |
| K900 | Should just email wens directly probably | 21:14:14 |
| 12 Oct 2025 |
| midischwarz12 removed their profile picture. | 02:45:02 |
| midischwarz12 set a profile picture. | 02:45:11 |
| Anton (he/him) changed their display name from Anton to Anton (he/him). | 13:17:55 |
|  @midirhee12:tchncs.de removed their profile picture. | 21:27:42 |
| @midirhee12:tchncs.de removed their display name midirhee12. | 21:28:17 |
| @midirhee12:tchncs.de left the room. | 21:28:28 |
| 13 Oct 2025 |
|  KDK12 joined the room. | 11:41:46 |
| KDK12 | Hi everyone!
I'm using fail2ban to secure my server — it works fine, but I'd like to block known bad IP addresses before they can access anything.
Currently, I have a small systemd service and timer that download a FireHOL blacklist daily and insert all the IPs into an nftables set.
Is there a more idiomatic or less DIY way to achieve this on NixOS? | 13:21:57 |
| K900 | Honestly the correct answer is "just don't" | 13:26:32 |
| K900 | Address based blocklists are terrible and an adversary that can break ed25519 can do much more damage than pwning your seedbox | 13:27:05 |
| K900 | fail2ban may have made sense when people were actually using password auth | 13:27:48 |
| K900 | But as long as you're using public key auth, it's basically a non-issue, except for maybe DoS potential, but an attacker trying to DoS you can DoS anything else you're running just as well | 13:28:22 |
| KDK12 | Fair point, thanks for the insight! | 13:53:05 |
|  Ewan joined the room. | 15:28:40 |
