Add garden and updates.

hosts/hub/default.nix

@@ -10,6 +10,7 @@
     ../../roles/zfs.nix
     ../../base.nix
     ../../users/root.nix
+    ../../roles/fail2ban.nix
     ../../roles/tailscale.nix
     ../../roles/lldap.nix
     ../../roles/authelia.nix
@@ -18,6 +19,7 @@
     ../../roles/caddy.nix
     ../../roles/vscode-remote.nix
     ../../roles/postgres.nix
+    ../../roles/syncthing.nix
     ./apps/dev.nix
     ./apps/nextcloud.nix
   ];
@@ -64,11 +66,6 @@
     acceptTerms = true;
     defaults.email = "nolan@thewordnerd.info";
     certs."thewordnerd.info" = {
-      domain = "*.thewordnerd.info";
-      dnsProvider = "cloudflare";
-      environmentFile = config.age.secrets.cloudflareApi.path;
-    };
-    certs."hub.thewordnerd.info" = {
       dnsProvider = "cloudflare";
       environmentFile = config.age.secrets.cloudflareApi.path;
     };
@@ -103,6 +100,15 @@
     };
   };
 
+  services.fail2ban.jails = {
+    dovecot.settings = {
+      filter = "dovecot[mode=aggressive]";
+    };
+    postfix.settings = {
+      filter = "postfix[mode=aggressive]";
+    };
+  };
+
   services.caddy.virtualHosts."users.thewordnerd.info".extraConfig =
     ''reverse_proxy localhost:17170'';
 
@@ -110,6 +116,22 @@
     reverse_proxy localhost:9091
   '';
 
+  services.authelia.instances.main.settings.access_control.rules = [
+    {
+      domain = "syncthing.thewordnerd.info";
+      policy = "one_factor";
+    }
+  ];
+
+  services.caddy.virtualHosts."syncthing.thewordnerd.info".extraConfig = ''
+    forward_auth localhost:9091 {
+      uri /api/authz/forward-auth
+    }
+    reverse_proxy localhost:8384 {
+      header_up Host {upstream_hostport}
+    }
+  '';
+
   services.caddy.virtualHosts."www.thewordnerd.info".extraConfig = ''
     file_server
     root * /var/www/thewordnerd.info