From e56a4ddb4b917f7db59c09b57ca1bcc4fd8e8e3f Mon Sep 17 00:00:00 2001
From: Atridad Lahiji <me@atri.dad>
Date: Sun, 8 Mar 2026 12:20:10 -0600
Subject: [PATCH] Added anubis (testing)

---
 configuration.nix  |  2 ++
 flake.lock         |  6 +++---
 modules/anubis.nix | 12 ++++++++++++
 modules/proxy.nix  |  2 ++
 4 files changed, 19 insertions(+), 3 deletions(-)
 create mode 100644 modules/anubis.nix

diff --git a/configuration.nix b/configuration.nix
index 0292a3b..18175a2 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -12,6 +12,7 @@
     ./modules/proxy.nix
     ./modules/matrix.nix
     ./modules/fail2ban.nix
+    ./modules/anubis.nix
   ];
 
   nix.settings.experimental-features = [
@@ -23,6 +24,7 @@
     git
     gnumake
     openssl
+    anubis
   ];
 
   system.stateVersion = "25.11";
diff --git a/flake.lock b/flake.lock
index 8e854a8..5380f9a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1772624091,
-        "narHash": "sha256-QKyJ0QGWBn6r0invrMAK8dmJoBYWoOWy7lN+UHzW1jc=",
+        "lastModified": 1772773019,
+        "narHash": "sha256-E1bxHxNKfDoQUuvriG71+f+s/NT0qWkImXsYZNFFfCs=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "80bdc1e5ce51f56b19791b52b2901187931f5353",
+        "rev": "aca4d95fce4914b3892661bcb80b8087293536c6",
         "type": "github"
       },
       "original": {
diff --git a/modules/anubis.nix b/modules/anubis.nix
new file mode 100644
index 0000000..c1acc38
--- /dev/null
+++ b/modules/anubis.nix
@@ -0,0 +1,12 @@
+{ ... }:
+
+{
+  services.anubis = {
+    enable = true;
+    settings = {
+      firewall.enabled = true;
+      firewall.block_openai = true;
+      firewall.block_google = true;
+    };
+  };
+}
diff --git a/modules/proxy.nix b/modules/proxy.nix
index d48a408..71602c4 100644
--- a/modules/proxy.nix
+++ b/modules/proxy.nix
@@ -84,6 +84,7 @@ in
           Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
           X-Content-Type-Options "nosniff"
           X-Frame-Options "DENY"
+          X-Robots-Tag "noimageindex, noodp, noydir, noindex, nofollow"
           Referrer-Policy "strict-origin-when-cross-origin"
           Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://*.atri.dad https://*.atash.dev; font-src 'self' data:; connect-src 'self' wss: https://*.atri.dad https://*.atash.dev; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
           -Server
@@ -98,6 +99,7 @@ in
           Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
           X-Content-Type-Options "nosniff"
           X-Frame-Options "DENY"
+          X-Robots-Tag "noimageindex, noodp, noydir, noindex, nofollow"
           Referrer-Policy "strict-origin-when-cross-origin"
           Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; font-src 'self' data:; connect-src 'self' wss: https://*.atri.dad https://*.atash.dev; media-src 'self' https://rogers-hls.leanstream.co; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
           -Server