initial import from /x/ monorepo

Signed-off-by: Xe Iaso <me@xeiaso.net>
2025-03-17 19:33:07 -04:00 · 2025-03-17 19:33:07 -04:00 · 9923878c5c
commit 9923878c5c
61 changed files with 5615 additions and 0 deletions
--- a/cmd/anubis/.gitignore
+++ b/cmd/anubis/.gitignore
@ -0,0 +1,2 @@
+*.rpm
+anubis
--- a/cmd/anubis/CHANGELOG.md
+++ b/cmd/anubis/CHANGELOG.md
@ -0,0 +1,5 @@
+# CHANGELOG
+
+## 2025-01-24
+
+- Added support for custom bot policy documentation, allowing administrators to change how Anubis works to meet their needs.
--- a/cmd/anubis/botPolicies.json
+++ b/cmd/anubis/botPolicies.json
@ -0,0 +1,70 @@
+{
+  "bots": [
+    {
+      "name": "amazonbot",
+      "user_agent_regex": "Amazonbot",
+      "action": "DENY"
+    },
+    {
+      "name": "googlebot",
+      "user_agent_regex": "\\+http\\:\\/\\/www\\.google\\.com/bot\\.html",
+      "action": "ALLOW"
+    },
+    {
+      "name": "bingbot",
+      "user_agent_regex": "\\+http\\:\\/\\/www\\.bing\\.com/bingbot\\.htm",
+      "action": "ALLOW"
+    },
+    {
+      "name": "qwantbot",
+      "user_agent_regex": "\\+https\\:\\/\\/help\\.qwant\\.com/bot/",
+      "action": "ALLOW"
+    },
+    {
+      "name": "us-artificial-intelligence-scraper",
+      "user_agent_regex": "\\+https\\:\\/\\/github\\.com\\/US-Artificial-Intelligence\\/scraper",
+      "action": "DENY"
+    },
+    {
+      "name": "well-known",
+      "path_regex": "^/.well-known/.*$",
+      "action": "ALLOW"
+    },
+    {
+      "name": "favicon",
+      "path_regex": "^/favicon.ico$",
+      "action": "ALLOW"
+    },
+    {
+      "name": "robots-txt",
+      "path_regex": "^/robots.txt$",
+      "action": "ALLOW"
+    },
+    {
+      "name": "rss-readers",
+      "path_regex": ".*\\.(rss|xml|atom|json)$",
+      "action": "ALLOW"
+    },
+    {
+      "name": "lightpanda",
+      "user_agent_regex": "^Lightpanda/.*$",
+      "action": "DENY"
+    },
+    {
+      "name": "headless-chrome",
+      "user_agent_regex": "HeadlessChrome",
+      "action": "DENY"
+    },
+    {
+      "name": "headless-chromium",
+      "user_agent_regex": "HeadlessChromium",
+      "action": "DENY"
+    },
+    {
+      "name": "generic-browser",
+      "user_agent_regex": "Mozilla",
+      "action": "CHALLENGE"
+    }
+  ],
+  "dnsbl": true
+}
--- a/cmd/anubis/decaymap.go
+++ b/cmd/anubis/decaymap.go
@ -0,0 +1,87 @@
+package main
+
+import (
+	"sync"
+	"time"
+)
+
+func zilch[T any]() T {
+	var zero T
+	return zero
+}
+
+// DecayMap is a lazy key->value map. It's a wrapper around a map and a mutex. If values exceed their time-to-live, they are pruned at Get time.
+type DecayMap[K comparable, V any] struct {
+	data map[K]decayMapEntry[V]
+	lock sync.RWMutex
+}
+
+type decayMapEntry[V any] struct {
+	Value  V
+	expiry time.Time
+}
+
+// NewDecayMap creates a new DecayMap of key type K and value type V.
+//
+// Key types must be comparable to work with maps.
+func NewDecayMap[K comparable, V any]() *DecayMap[K, V] {
+	return &DecayMap[K, V]{
+		data: make(map[K]decayMapEntry[V]),
+	}
+}
+
+// expire forcibly expires a key by setting its time-to-live one second in the past.
+func (m *DecayMap[K, V]) expire(key K) bool {
+	m.lock.RLock()
+	val, ok := m.data[key]
+	m.lock.RUnlock()
+
+	if !ok {
+		return false
+	}
+
+	m.lock.Lock()
+	val.expiry = time.Now().Add(-1 * time.Second)
+	m.data[key] = val
+	m.lock.Unlock()
+
+	return true
+}
+
+// Get gets a value from the DecayMap by key.
+//
+// If a value has expired, forcibly delete it if it was not updated.
+func (m *DecayMap[K, V]) Get(key K) (V, bool) {
+	m.lock.RLock()
+	value, ok := m.data[key]
+	m.lock.RUnlock()
+
+	if !ok {
+		return zilch[V](), false
+	}
+
+	if time.Now().After(value.expiry) {
+		m.lock.Lock()
+		// Since previously reading m.data[key], the value may have been updated.
+		// Delete the entry only if the expiry time is still the same.
+		if m.data[key].expiry == value.expiry {
+			delete(m.data, key)
+		}
+		m.lock.Unlock()
+
+		return zilch[V](), false
+	}
+
+	return value.Value, true
+}
+
+// Set sets a key value pair in the map.
+func (m *DecayMap[K, V]) Set(key K, value V, ttl time.Duration) {
+	m.lock.Lock()
+	defer m.lock.Unlock()
+
+	m.data[key] = decayMapEntry[V]{
+		Value:  value,
+		expiry: time.Now().Add(ttl),
+	}
+}
--- a/cmd/anubis/decaymap_test.go
+++ b/cmd/anubis/decaymap_test.go
@ -0,0 +1,31 @@
+package main
+
+import (
+	"testing"
+	"time"
+)
+
+func TestDecayMap(t *testing.T) {
+	dm := NewDecayMap[string, string]()
+
+	dm.Set("test", "hi", 5*time.Minute)
+
+	val, ok := dm.Get("test")
+	if !ok {
+		t.Error("somehow the test key was not set")
+	}
+
+	if val != "hi" {
+		t.Errorf("wanted value %q, got: %q", "hi", val)
+	}
+
+	ok = dm.expire("test")
+	if !ok {
+		t.Error("somehow could not force-expire the test key")
+	}
+
+	_, ok = dm.Get("test")
+	if ok {
+		t.Error("got value even though it was supposed to be expired")
+	}
+}
--- a/cmd/anubis/index.templ
+++ b/cmd/anubis/index.templ
@ -0,0 +1,159 @@
+package main
+
+import (
+	"github.com/TecharoHQ/anubis"
+	"github.com/TecharoHQ/anubis/xess"
+)
+
+templ base(title string, body templ.Component) {
+	<!DOCTYPE html>
+	<html>
+		<head>
+			<title>{ title }</title>
+			<link rel="stylesheet" href={ xess.URL }/>
+			<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+			<style>
+      body,
+      html {
+        height: 100%;
+        display: flex;
+        justify-content: center;
+        align-items: center;
+        width: 65ch;
+        margin-left: auto;
+        margin-right: auto;
+      }
+
+      .centered-div {
+        text-align: center;
+      }
+
+      .lds-roller,
+      .lds-roller div,
+      .lds-roller div:after {
+        box-sizing: border-box;
+      }
+      .lds-roller {
+        display: inline-block;
+        position: relative;
+        width: 80px;
+        height: 80px;
+      }
+      .lds-roller div {
+        animation: lds-roller 1.2s cubic-bezier(0.5, 0, 0.5, 1) infinite;
+        transform-origin: 40px 40px;
+      }
+      .lds-roller div:after {
+        content: " ";
+        display: block;
+        position: absolute;
+        width: 7.2px;
+        height: 7.2px;
+        border-radius: 50%;
+        background: currentColor;
+        margin: -3.6px 0 0 -3.6px;
+      }
+      .lds-roller div:nth-child(1) {
+        animation-delay: -0.036s;
+      }
+      .lds-roller div:nth-child(1):after {
+        top: 62.62742px;
+        left: 62.62742px;
+      }
+      .lds-roller div:nth-child(2) {
+        animation-delay: -0.072s;
+      }
+      .lds-roller div:nth-child(2):after {
+        top: 67.71281px;
+        left: 56px;
+      }
+      .lds-roller div:nth-child(3) {
+        animation-delay: -0.108s;
+      }
+      .lds-roller div:nth-child(3):after {
+        top: 70.90963px;
+        left: 48.28221px;
+      }
+      .lds-roller div:nth-child(4) {
+        animation-delay: -0.144s;
+      }
+      .lds-roller div:nth-child(4):after {
+        top: 72px;
+        left: 40px;
+      }
+      .lds-roller div:nth-child(5) {
+        animation-delay: -0.18s;
+      }
+      .lds-roller div:nth-child(5):after {
+        top: 70.90963px;
+        left: 31.71779px;
+      }
+      .lds-roller div:nth-child(6) {
+        animation-delay: -0.216s;
+      }
+      .lds-roller div:nth-child(6):after {
+        top: 67.71281px;
+        left: 24px;
+      }
+      .lds-roller div:nth-child(7) {
+        animation-delay: -0.252s;
+      }
+      .lds-roller div:nth-child(7):after {
+        top: 62.62742px;
+        left: 17.37258px;
+      }
+      .lds-roller div:nth-child(8) {
+        animation-delay: -0.288s;
+      }
+      .lds-roller div:nth-child(8):after {
+        top: 56px;
+        left: 12.28719px;
+      }
+      @keyframes lds-roller {
+        0% {
+          transform: rotate(0deg);
+        }
+        100% {
+          transform: rotate(360deg);
+        }
+      }
+    </style>
+		</head>
+		<body id="top">
+			<main>
+				<center>
+					<h1 id="title" class=".centered-div">{ title }</h1>
+				</center>
+				@body
+				<footer>
+					<center>
+						<p>Protected by <a href="https://xeiaso.net/blog/2025/anubis">Anubis</a> from <a href="https://within.website">Within</a>.</p>
+					</center>
+				</footer>
+			</main>
+		</body>
+	</html>
+}
+
+templ index() {
+	<div class="centered-div">
+		<img id="image" width="256" src={ "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version }/>
+		<img style="display:none;" width="256" src={ "/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" + anubis.Version }/>
+		<p id="status">Loading...</p>
+		<script async type="module" src={ "/.within.website/x/cmd/anubis/static/js/main.mjs?cacheBuster=" + anubis.Version }></script>
+		<div id="spinner" class="lds-roller"><div></div><div></div><div></div><div></div><div></div><div></div><div></div><div></div></div>
+		<noscript>
+			<p>Sadly, you must enable JavaScript to get past this challenge. I would love to not have to do this, but god is dead and AI scrapers have destroyed the common good.</p>
+		</noscript>
+		<div id="testarea"></div>
+	</div>
+}
+
+templ errorPage(message string) {
+	<div class="centered-div">
+		<img id="image" width="256" src={ "/.within.website/x/cmd/anubis/static/img/sad.webp?cacheBuster=" + anubis.Version }/>
+		<p>{ message }.</p>
+		<button onClick="window.location.reload();">Try again</button>
+		<p><a href="/">Go home</a></p>
+	</div>
+}
--- a/cmd/anubis/index_templ.go
+++ b/cmd/anubis/index_templ.go
@ -0,0 +1,215 @@
+// Code generated by templ - DO NOT EDIT.
+
+// templ: version: v0.3.833
+package main
+
+//lint:file-ignore SA4006 This context is only used if a nested component is present.
+
+import "github.com/a-h/templ"
+import templruntime "github.com/a-h/templ/runtime"
+
+import (
+	"github.com/TecharoHQ/anubis"
+	"github.com/TecharoHQ/anubis/xess"
+)
+
+func base(title string, body templ.Component) templ.Component {
+	return templruntime.GeneratedTemplate(func(templ_7745c5c3_Input templruntime.GeneratedComponentInput) (templ_7745c5c3_Err error) {
+		templ_7745c5c3_W, ctx := templ_7745c5c3_Input.Writer, templ_7745c5c3_Input.Context
+		if templ_7745c5c3_CtxErr := ctx.Err(); templ_7745c5c3_CtxErr != nil {
+			return templ_7745c5c3_CtxErr
+		}
+		templ_7745c5c3_Buffer, templ_7745c5c3_IsBuffer := templruntime.GetBuffer(templ_7745c5c3_W)
+		if !templ_7745c5c3_IsBuffer {
+			defer func() {
+				templ_7745c5c3_BufErr := templruntime.ReleaseBuffer(templ_7745c5c3_Buffer)
+				if templ_7745c5c3_Err == nil {
+					templ_7745c5c3_Err = templ_7745c5c3_BufErr
+				}
+			}()
+		}
+		ctx = templ.InitializeContext(ctx)
+		templ_7745c5c3_Var1 := templ.GetChildren(ctx)
+		if templ_7745c5c3_Var1 == nil {
+			templ_7745c5c3_Var1 = templ.NopComponent
+		}
+		ctx = templ.ClearChildren(ctx)
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 1, "<!doctype html><html><head><title>")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		var templ_7745c5c3_Var2 string
+		templ_7745c5c3_Var2, templ_7745c5c3_Err = templ.JoinStringErrs(title)
+		if templ_7745c5c3_Err != nil {
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 12, Col: 17}
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var2))
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 2, "</title><link rel=\"stylesheet\" href=\"")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		var templ_7745c5c3_Var3 string
+		templ_7745c5c3_Var3, templ_7745c5c3_Err = templ.JoinStringErrs(xess.URL)
+		if templ_7745c5c3_Err != nil {
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 13, Col: 41}
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var3))
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 3, "\"><meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\"><style>\n      body,\n      html {\n        height: 100%;\n        display: flex;\n        justify-content: center;\n        align-items: center;\n        width: 65ch;\n        margin-left: auto;\n        margin-right: auto;\n      }\n\n      .centered-div {\n        text-align: center;\n      }\n\n      .lds-roller,\n      .lds-roller div,\n      .lds-roller div:after {\n        box-sizing: border-box;\n      }\n      .lds-roller {\n        display: inline-block;\n        position: relative;\n        width: 80px;\n        height: 80px;\n      }\n      .lds-roller div {\n        animation: lds-roller 1.2s cubic-bezier(0.5, 0, 0.5, 1) infinite;\n        transform-origin: 40px 40px;\n      }\n      .lds-roller div:after {\n        content: \" \";\n        display: block;\n        position: absolute;\n        width: 7.2px;\n        height: 7.2px;\n        border-radius: 50%;\n        background: currentColor;\n        margin: -3.6px 0 0 -3.6px;\n      }\n      .lds-roller div:nth-child(1) {\n        animation-delay: -0.036s;\n      }\n      .lds-roller div:nth-child(1):after {\n        top: 62.62742px;\n        left: 62.62742px;\n      }\n      .lds-roller div:nth-child(2) {\n        animation-delay: -0.072s;\n      }\n      .lds-roller div:nth-child(2):after {\n        top: 67.71281px;\n        left: 56px;\n      }\n      .lds-roller div:nth-child(3) {\n        animation-delay: -0.108s;\n      }\n      .lds-roller div:nth-child(3):after {\n        top: 70.90963px;\n        left: 48.28221px;\n      }\n      .lds-roller div:nth-child(4) {\n        animation-delay: -0.144s;\n      }\n      .lds-roller div:nth-child(4):after {\n        top: 72px;\n        left: 40px;\n      }\n      .lds-roller div:nth-child(5) {\n        animation-delay: -0.18s;\n      }\n      .lds-roller div:nth-child(5):after {\n        top: 70.90963px;\n        left: 31.71779px;\n      }\n      .lds-roller div:nth-child(6) {\n        animation-delay: -0.216s;\n      }\n      .lds-roller div:nth-child(6):after {\n        top: 67.71281px;\n        left: 24px;\n      }\n      .lds-roller div:nth-child(7) {\n        animation-delay: -0.252s;\n      }\n      .lds-roller div:nth-child(7):after {\n        top: 62.62742px;\n        left: 17.37258px;\n      }\n      .lds-roller div:nth-child(8) {\n        animation-delay: -0.288s;\n      }\n      .lds-roller div:nth-child(8):after {\n        top: 56px;\n        left: 12.28719px;\n      }\n      @keyframes lds-roller {\n        0% {\n          transform: rotate(0deg);\n        }\n        100% {\n          transform: rotate(360deg);\n        }\n      }\n    </style></head><body id=\"top\"><main><center><h1 id=\"title\" class=\".centered-div\">")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		var templ_7745c5c3_Var4 string
+		templ_7745c5c3_Var4, templ_7745c5c3_Err = templ.JoinStringErrs(title)
+		if templ_7745c5c3_Err != nil {
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 125, Col: 49}
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var4))
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 4, "</h1></center>")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		templ_7745c5c3_Err = body.Render(ctx, templ_7745c5c3_Buffer)
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 5, "<footer><center><p>Protected by <a href=\"https://xeiaso.net/blog/2025/anubis\">Anubis</a> from <a href=\"https://within.website\">Within</a>.</p></center></footer></main></body></html>")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		return nil
+	})
+}
+
+func index() templ.Component {
+	return templruntime.GeneratedTemplate(func(templ_7745c5c3_Input templruntime.GeneratedComponentInput) (templ_7745c5c3_Err error) {
+		templ_7745c5c3_W, ctx := templ_7745c5c3_Input.Writer, templ_7745c5c3_Input.Context
+		if templ_7745c5c3_CtxErr := ctx.Err(); templ_7745c5c3_CtxErr != nil {
+			return templ_7745c5c3_CtxErr
+		}
+		templ_7745c5c3_Buffer, templ_7745c5c3_IsBuffer := templruntime.GetBuffer(templ_7745c5c3_W)
+		if !templ_7745c5c3_IsBuffer {
+			defer func() {
+				templ_7745c5c3_BufErr := templruntime.ReleaseBuffer(templ_7745c5c3_Buffer)
+				if templ_7745c5c3_Err == nil {
+					templ_7745c5c3_Err = templ_7745c5c3_BufErr
+				}
+			}()
+		}
+		ctx = templ.InitializeContext(ctx)
+		templ_7745c5c3_Var5 := templ.GetChildren(ctx)
+		if templ_7745c5c3_Var5 == nil {
+			templ_7745c5c3_Var5 = templ.NopComponent
+		}
+		ctx = templ.ClearChildren(ctx)
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 6, "<div class=\"centered-div\"><img id=\"image\" width=\"256\" src=\"")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		var templ_7745c5c3_Var6 string
+		templ_7745c5c3_Var6, templ_7745c5c3_Err = templ.JoinStringErrs("/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version)
+		if templ_7745c5c3_Err != nil {
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 140, Col: 121}
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var6))
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 7, "\"> <img style=\"display:none;\" width=\"256\" src=\"")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		var templ_7745c5c3_Var7 string
+		templ_7745c5c3_Var7, templ_7745c5c3_Err = templ.JoinStringErrs("/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" + anubis.Version)
+		if templ_7745c5c3_Err != nil {
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 141, Col: 130}
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var7))
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 8, "\"><p id=\"status\">Loading...</p><script async type=\"module\" src=\"")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		var templ_7745c5c3_Var8 string
+		templ_7745c5c3_Var8, templ_7745c5c3_Err = templ.JoinStringErrs("/.within.website/x/cmd/anubis/static/js/main.mjs?cacheBuster=" + anubis.Version)
+		if templ_7745c5c3_Err != nil {
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 143, Col: 116}
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var8))
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 9, "\"></script><div id=\"spinner\" class=\"lds-roller\"><div></div><div></div><div></div><div></div><div></div><div></div><div></div><div></div></div><noscript><p>Sadly, you must enable JavaScript to get past this challenge. I would love to not have to do this, but god is dead and AI scrapers have destroyed the common good.</p></noscript><div id=\"testarea\"></div></div>")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		return nil
+	})
+}
+
+func errorPage(message string) templ.Component {
+	return templruntime.GeneratedTemplate(func(templ_7745c5c3_Input templruntime.GeneratedComponentInput) (templ_7745c5c3_Err error) {
+		templ_7745c5c3_W, ctx := templ_7745c5c3_Input.Writer, templ_7745c5c3_Input.Context
+		if templ_7745c5c3_CtxErr := ctx.Err(); templ_7745c5c3_CtxErr != nil {
+			return templ_7745c5c3_CtxErr
+		}
+		templ_7745c5c3_Buffer, templ_7745c5c3_IsBuffer := templruntime.GetBuffer(templ_7745c5c3_W)
+		if !templ_7745c5c3_IsBuffer {
+			defer func() {
+				templ_7745c5c3_BufErr := templruntime.ReleaseBuffer(templ_7745c5c3_Buffer)
+				if templ_7745c5c3_Err == nil {
+					templ_7745c5c3_Err = templ_7745c5c3_BufErr
+				}
+			}()
+		}
+		ctx = templ.InitializeContext(ctx)
+		templ_7745c5c3_Var9 := templ.GetChildren(ctx)
+		if templ_7745c5c3_Var9 == nil {
+			templ_7745c5c3_Var9 = templ.NopComponent
+		}
+		ctx = templ.ClearChildren(ctx)
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 10, "<div class=\"centered-div\"><img id=\"image\" width=\"256\" src=\"")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		var templ_7745c5c3_Var10 string
+		templ_7745c5c3_Var10, templ_7745c5c3_Err = templ.JoinStringErrs("/.within.website/x/cmd/anubis/static/img/sad.webp?cacheBuster=" + anubis.Version)
+		if templ_7745c5c3_Err != nil {
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 154, Col: 117}
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var10))
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 11, "\"><p>")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		var templ_7745c5c3_Var11 string
+		templ_7745c5c3_Var11, templ_7745c5c3_Err = templ.JoinStringErrs(message)
+		if templ_7745c5c3_Err != nil {
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 155, Col: 14}
+		}
+		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var11))
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		templ_7745c5c3_Err = templruntime.WriteString(templ_7745c5c3_Buffer, 12, ".</p><button onClick=\"window.location.reload();\">Try again</button><p><a href=\"/\">Go home</a></p></div>")
+		if templ_7745c5c3_Err != nil {
+			return templ_7745c5c3_Err
+		}
+		return nil
+	})
+}
+
+var _ = templruntime.GeneratedTemplate
--- a/cmd/anubis/internal/config/config.go
+++ b/cmd/anubis/internal/config/config.go
@ -0,0 +1,99 @@
+package config
+
+import (
+	"errors"
+	"fmt"
+	"regexp"
+)
+
+type Rule string
+
+const (
+	RuleUnknown   = ""
+	RuleAllow     = "ALLOW"
+	RuleDeny      = "DENY"
+	RuleChallenge = "CHALLENGE"
+)
+
+type Bot struct {
+	Name           string  `json:"name"`
+	UserAgentRegex *string `json:"user_agent_regex"`
+	PathRegex      *string `json:"path_regex"`
+	Action         Rule    `json:"action"`
+}
+
+var (
+	ErrNoBotRulesDefined                 = errors.New("config: must define at least one (1) bot rule")
+	ErrBotMustHaveName                   = errors.New("config.Bot: must set name")
+	ErrBotMustHaveUserAgentOrPath        = errors.New("config.Bot: must set either user_agent_regex, path_regex")
+	ErrBotMustHaveUserAgentOrPathNotBoth = errors.New("config.Bot: must set either user_agent_regex, path_regex, and not both")
+	ErrUnknownAction                     = errors.New("config.Bot: unknown action")
+	ErrInvalidUserAgentRegex             = errors.New("config.Bot: invalid user agent regex")
+	ErrInvalidPathRegex                  = errors.New("config.Bot: invalid path regex")
+)
+
+func (b Bot) Valid() error {
+	var errs []error
+
+	if b.Name == "" {
+		errs = append(errs, ErrBotMustHaveName)
+	}
+
+	if b.UserAgentRegex == nil && b.PathRegex == nil {
+		errs = append(errs, ErrBotMustHaveUserAgentOrPath)
+	}
+
+	if b.UserAgentRegex != nil && b.PathRegex != nil {
+		errs = append(errs, ErrBotMustHaveUserAgentOrPathNotBoth)
+	}
+
+	if b.UserAgentRegex != nil {
+		if _, err := regexp.Compile(*b.UserAgentRegex); err != nil {
+			errs = append(errs, ErrInvalidUserAgentRegex, err)
+		}
+	}
+
+	if b.PathRegex != nil {
+		if _, err := regexp.Compile(*b.PathRegex); err != nil {
+			errs = append(errs, ErrInvalidPathRegex, err)
+		}
+	}
+
+	switch b.Action {
+	case RuleAllow, RuleChallenge, RuleDeny:
+		// okay
+	default:
+		errs = append(errs, fmt.Errorf("%w: %q", ErrUnknownAction, b.Action))
+	}
+
+	if len(errs) != 0 {
+		return fmt.Errorf("config: bot entry for %q is not valid:\n%w", b.Name, errors.Join(errs...))
+	}
+
+	return nil
+}
+
+type Config struct {
+	Bots  []Bot `json:"bots"`
+	DNSBL bool  `json:"dnsbl"`
+}
+
+func (c Config) Valid() error {
+	var errs []error
+
+	if len(c.Bots) == 0 {
+		errs = append(errs, ErrNoBotRulesDefined)
+	}
+
+	for _, b := range c.Bots {
+		if err := b.Valid(); err != nil {
+			errs = append(errs, err)
+		}
+	}
+
+	if len(errs) != 0 {
+		return fmt.Errorf("config is not valid:\n%w", errors.Join(errs...))
+	}
+
+	return nil
+}
--- a/cmd/anubis/internal/config/config_test.go
+++ b/cmd/anubis/internal/config/config_test.go
@ -0,0 +1,168 @@
+package config
+
+import (
+	"encoding/json"
+	"errors"
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func p[V any](v V) *V { return &v }
+
+func TestBotValid(t *testing.T) {
+	var tests = []struct {
+		name string
+		bot  Bot
+		err  error
+	}{
+		{
+			name: "simple user agent",
+			bot: Bot{
+				Name:           "mozilla-ua",
+				Action:         RuleChallenge,
+				UserAgentRegex: p("Mozilla"),
+			},
+			err: nil,
+		},
+		{
+			name: "simple path",
+			bot: Bot{
+				Name:      "well-known-path",
+				Action:    RuleAllow,
+				PathRegex: p("^/.well-known/.*$"),
+			},
+			err: nil,
+		},
+		{
+			name: "no rule name",
+			bot: Bot{
+				Action:         RuleChallenge,
+				UserAgentRegex: p("Mozilla"),
+			},
+			err: ErrBotMustHaveName,
+		},
+		{
+			name: "no rule matcher",
+			bot: Bot{
+				Name:   "broken-rule",
+				Action: RuleAllow,
+			},
+			err: ErrBotMustHaveUserAgentOrPath,
+		},
+		{
+			name: "both user-agent and path",
+			bot: Bot{
+				Name:           "path-and-user-agent",
+				Action:         RuleDeny,
+				UserAgentRegex: p("Mozilla"),
+				PathRegex:      p("^/.secret-place/.*$"),
+			},
+			err: ErrBotMustHaveUserAgentOrPathNotBoth,
+		},
+		{
+			name: "unknown action",
+			bot: Bot{
+				Name:           "Unknown action",
+				Action:         RuleUnknown,
+				UserAgentRegex: p("Mozilla"),
+			},
+			err: ErrUnknownAction,
+		},
+		{
+			name: "invalid user agent regex",
+			bot: Bot{
+				Name:           "mozilla-ua",
+				Action:         RuleChallenge,
+				UserAgentRegex: p("a(b"),
+			},
+			err: ErrInvalidUserAgentRegex,
+		},
+		{
+			name: "invalid path regex",
+			bot: Bot{
+				Name:      "mozilla-ua",
+				Action:    RuleChallenge,
+				PathRegex: p("a(b"),
+			},
+			err: ErrInvalidPathRegex,
+		},
+	}
+
+	for _, cs := range tests {
+		cs := cs
+		t.Run(cs.name, func(t *testing.T) {
+			err := cs.bot.Valid()
+			if err == nil && cs.err == nil {
+				return
+			}
+
+			if err == nil && cs.err != nil {
+				t.Errorf("didn't get an error, but wanted: %v", cs.err)
+			}
+
+			if !errors.Is(err, cs.err) {
+				t.Logf("got wrong error from Valid()")
+				t.Logf("wanted: %v", cs.err)
+				t.Logf("got:    %v", err)
+				t.Errorf("got invalid error from check")
+			}
+		})
+	}
+}
+
+func TestConfigValidKnownGood(t *testing.T) {
+	finfos, err := os.ReadDir("testdata/good")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for _, st := range finfos {
+		st := st
+		t.Run(st.Name(), func(t *testing.T) {
+			fin, err := os.Open(filepath.Join("testdata", "good", st.Name()))
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer fin.Close()
+
+			var c Config
+			if err := json.NewDecoder(fin).Decode(&c); err != nil {
+				t.Fatalf("can't decode file: %v", err)
+			}
+
+			if err := c.Valid(); err != nil {
+				t.Fatal(err)
+			}
+		})
+	}
+}
+
+func TestConfigValidBad(t *testing.T) {
+	finfos, err := os.ReadDir("testdata/bad")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for _, st := range finfos {
+		st := st
+		t.Run(st.Name(), func(t *testing.T) {
+			fin, err := os.Open(filepath.Join("testdata", "bad", st.Name()))
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer fin.Close()
+
+			var c Config
+			if err := json.NewDecoder(fin).Decode(&c); err != nil {
+				t.Fatalf("can't decode file: %v", err)
+			}
+
+			if err := c.Valid(); err == nil {
+				t.Fatal("validation should have failed but didn't somehow")
+			} else {
+				t.Log(err)
+			}
+		})
+	}
+}
--- a/cmd/anubis/internal/config/testdata/bad/badregexes.json
+++ b/cmd/anubis/internal/config/testdata/bad/badregexes.json
@ -0,0 +1,14 @@
+{
+  "bots": [
+    {
+      "name": "path-bad",
+      "path_regex": "a(b",
+      "action": "DENY"
+    },
+    {
+      "name": "user-agent-bad",
+      "user_agent_regex": "a(b",
+      "action": "DENY"
+    }
+  ]
+}
--- a/cmd/anubis/internal/config/testdata/bad/invalid.json
+++ b/cmd/anubis/internal/config/testdata/bad/invalid.json
@ -0,0 +1,5 @@
+{
+  "bots": [
+    {}
+  ]
+}
--- a/cmd/anubis/internal/config/testdata/bad/nobots.json
+++ b/cmd/anubis/internal/config/testdata/bad/nobots.json
@ -0,0 +1 @@
+{}
--- a/cmd/anubis/internal/config/testdata/good/challengemozilla.json
+++ b/cmd/anubis/internal/config/testdata/good/challengemozilla.json
@ -0,0 +1,9 @@
+{
+  "bots": [
+    {
+      "name": "generic-browser",
+      "user_agent_regex": "Mozilla",
+      "action": "CHALLENGE"
+    }
+  ]
+}
--- a/cmd/anubis/internal/config/testdata/good/everything_blocked.json
+++ b/cmd/anubis/internal/config/testdata/good/everything_blocked.json
@ -0,0 +1,10 @@
+{
+  "bots": [
+    {
+      "name": "everything",
+      "user_agent_regex": ".*",
+      "action": "DENY"
+    }
+  ],
+  "dnsbl": false
+}
--- a/cmd/anubis/internal/dnsbl/dnsbl.go
+++ b/cmd/anubis/internal/dnsbl/dnsbl.go
@ -0,0 +1,95 @@
+package dnsbl
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"strings"
+)
+
+//go:generate go tool golang.org/x/tools/cmd/stringer -type=DroneBLResponse
+
+type DroneBLResponse byte
+
+const (
+	AllGood               DroneBLResponse = 0
+	IRCDrone              DroneBLResponse = 3
+	Bottler               DroneBLResponse = 5
+	UnknownSpambotOrDrone DroneBLResponse = 6
+	DDOSDrone             DroneBLResponse = 7
+	SOCKSProxy            DroneBLResponse = 8
+	HTTPProxy             DroneBLResponse = 9
+	ProxyChain            DroneBLResponse = 10
+	OpenProxy             DroneBLResponse = 11
+	OpenDNSResolver       DroneBLResponse = 12
+	BruteForceAttackers   DroneBLResponse = 13
+	OpenWingateProxy      DroneBLResponse = 14
+	CompromisedRouter     DroneBLResponse = 15
+	AutoRootingWorms      DroneBLResponse = 16
+	AutoDetectedBotIP     DroneBLResponse = 17
+	Unknown               DroneBLResponse = 255
+)
+
+func Reverse(ip net.IP) string {
+	if ip.To4() != nil {
+		return reverse4(ip)
+	}
+
+	return reverse6(ip)
+}
+
+func reverse4(ip net.IP) string {
+	splitAddress := strings.Split(ip.String(), ".")
+
+	// swap first and last octet
+	splitAddress[0], splitAddress[3] = splitAddress[3], splitAddress[0]
+	// swap middle octets
+	splitAddress[1], splitAddress[2] = splitAddress[2], splitAddress[1]
+
+	return strings.Join(splitAddress, ".")
+}
+
+func reverse6(ip net.IP) string {
+	ipBytes := []byte(ip)
+	var sb strings.Builder
+
+	for i := len(ipBytes) - 1; i >= 0; i-- {
+		// Split the byte into two nibbles
+		highNibble := ipBytes[i] >> 4
+		lowNibble := ipBytes[i] & 0x0F
+
+		// Append the nibbles in reversed order
+		sb.WriteString(fmt.Sprintf("%x.%x.", lowNibble, highNibble))
+	}
+
+	return sb.String()[:len(sb.String())-1]
+}
+
+func Lookup(ipStr string) (DroneBLResponse, error) {
+	ip := net.ParseIP(ipStr)
+	if ip == nil {
+		return Unknown, errors.New("dnsbl: input is not an IP address")
+	}
+
+	revIP := Reverse(ip) + ".dnsbl.dronebl.org"
+
+	ips, err := net.LookupIP(revIP)
+	if err != nil {
+		var dnserr *net.DNSError
+		if errors.As(err, &dnserr) {
+			if dnserr.IsNotFound {
+				return AllGood, nil
+			}
+		}
+
+		return Unknown, err
+	}
+
+	if len(ips) != 0 {
+		for _, ip := range ips {
+			return DroneBLResponse(ip.To4()[3]), nil
+		}
+	}
+
+	return UnknownSpambotOrDrone, nil
+}
--- a/cmd/anubis/internal/dnsbl/dnsbl_test.go
+++ b/cmd/anubis/internal/dnsbl/dnsbl_test.go
@ -0,0 +1,55 @@
+package dnsbl
+
+import (
+	"fmt"
+	"net"
+	"testing"
+)
+
+func TestReverse4(t *testing.T) {
+	cases := []struct {
+		inp, out string
+	}{
+		{"1.2.3.4", "4.3.2.1"},
+	}
+
+	for _, cs := range cases {
+		t.Run(fmt.Sprintf("%s->%s", cs.inp, cs.out), func(t *testing.T) {
+			out := reverse4(net.ParseIP(cs.inp))
+
+			if out != cs.out {
+				t.Errorf("wanted %s\ngot:   %s", cs.out, out)
+			}
+		})
+	}
+}
+
+func TestReverse6(t *testing.T) {
+	cases := []struct {
+		inp, out string
+	}{
+		{
+			inp: "1234:5678:9ABC:DEF0:1234:5678:9ABC:DEF0",
+			out: "0.f.e.d.c.b.a.9.8.7.6.5.4.3.2.1.0.f.e.d.c.b.a.9.8.7.6.5.4.3.2.1",
+		},
+	}
+
+	for _, cs := range cases {
+		t.Run(fmt.Sprintf("%s->%s", cs.inp, cs.out), func(t *testing.T) {
+			out := reverse6(net.ParseIP(cs.inp))
+
+			if out != cs.out {
+				t.Errorf("wanted %s, got: %s", cs.out, out)
+			}
+		})
+	}
+}
+
+func TestLookup(t *testing.T) {
+	resp, err := Lookup("27.65.243.194")
+	if err != nil {
+		t.Fatalf("it broked: %v", err)
+	}
+
+	t.Logf("response: %d", resp)
+}
--- a/cmd/anubis/internal/dnsbl/droneblresponse_string.go
+++ b/cmd/anubis/internal/dnsbl/droneblresponse_string.go
@ -0,0 +1,54 @@
+// Code generated by "stringer -type=DroneBLResponse"; DO NOT EDIT.
+
+package dnsbl
+
+import "strconv"
+
+func _() {
+	// An "invalid array index" compiler error signifies that the constant values have changed.
+	// Re-run the stringer command to generate them again.
+	var x [1]struct{}
+	_ = x[AllGood-0]
+	_ = x[IRCDrone-3]
+	_ = x[Bottler-5]
+	_ = x[UnknownSpambotOrDrone-6]
+	_ = x[DDOSDrone-7]
+	_ = x[SOCKSProxy-8]
+	_ = x[HTTPProxy-9]
+	_ = x[ProxyChain-10]
+	_ = x[OpenProxy-11]
+	_ = x[OpenDNSResolver-12]
+	_ = x[BruteForceAttackers-13]
+	_ = x[OpenWingateProxy-14]
+	_ = x[CompromisedRouter-15]
+	_ = x[AutoRootingWorms-16]
+	_ = x[AutoDetectedBotIP-17]
+	_ = x[Unknown-255]
+}
+
+const (
+	_DroneBLResponse_name_0 = "AllGood"
+	_DroneBLResponse_name_1 = "IRCDrone"
+	_DroneBLResponse_name_2 = "BottlerUnknownSpambotOrDroneDDOSDroneSOCKSProxyHTTPProxyProxyChainOpenProxyOpenDNSResolverBruteForceAttackersOpenWingateProxyCompromisedRouterAutoRootingWormsAutoDetectedBotIP"
+	_DroneBLResponse_name_3 = "Unknown"
+)
+
+var (
+	_DroneBLResponse_index_2 = [...]uint8{0, 7, 28, 37, 47, 56, 66, 75, 90, 109, 125, 142, 158, 175}
+)
+
+func (i DroneBLResponse) String() string {
+	switch {
+	case i == 0:
+		return _DroneBLResponse_name_0
+	case i == 3:
+		return _DroneBLResponse_name_1
+	case 5 <= i && i <= 17:
+		i -= 5
+		return _DroneBLResponse_name_2[_DroneBLResponse_index_2[i]:_DroneBLResponse_index_2[i+1]]
+	case i == 255:
+		return _DroneBLResponse_name_3
+	default:
+		return "DroneBLResponse(" + strconv.FormatInt(int64(i), 10) + ")"
+	}
+}
--- a/cmd/anubis/js/main.mjs
+++ b/cmd/anubis/js/main.mjs
@ -0,0 +1,71 @@
+import { process } from './proof-of-work.mjs';
+import { testVideo } from './video.mjs';
+
+// from Xeact
+const u = (url = "", params = {}) => {
+  let result = new URL(url, window.location.href);
+  Object.entries(params).forEach((kv) => {
+    let [k, v] = kv;
+    result.searchParams.set(k, v);
+  });
+  return result.toString();
+};
+
+const imageURL = (mood) => {
+  return `/.within.website/x/cmd/anubis/static/img/${mood}.webp`;
+};
+
+(async () => {
+  const status = document.getElementById('status');
+  const image = document.getElementById('image');
+  const title = document.getElementById('title');
+  const spinner = document.getElementById('spinner');
+  // const testarea = document.getElementById('testarea');
+
+  // const videoWorks = await testVideo(testarea);
+  // console.log(`videoWorks: ${videoWorks}`);
+
+  // if (!videoWorks) {
+  //   title.innerHTML = "Oh no!";
+  //   status.innerHTML = "Checks failed. Please check your browser's settings and try again.";
+  //   image.src = imageURL("sad");
+  //   spinner.innerHTML = "";
+  //   spinner.style.display = "none";
+  //   return;
+  // }
+
+  status.innerHTML = 'Calculating...';
+
+  const { challenge, difficulty } = await fetch("/.within.website/x/cmd/anubis/api/make-challenge", { method: "POST" })
+    .then(r => {
+      if (!r.ok) {
+        throw new Error("Failed to fetch config");
+      }
+      return r.json();
+    })
+    .catch(err => {
+      title.innerHTML = "Oh no!";
+      status.innerHTML = `Failed to fetch config: ${err.message}`;
+      image.src = imageURL("sad");
+      spinner.innerHTML = "";
+      spinner.style.display = "none";
+      throw err;
+    });
+
+  status.innerHTML = `Calculating...<br/>Difficulty: ${difficulty}`;
+
+  const t0 = Date.now();
+  const { hash, nonce } = await process(challenge, difficulty);
+  const t1 = Date.now();
+
+  title.innerHTML = "Success!";
+  status.innerHTML = `Done! Took ${t1 - t0}ms, ${nonce} iterations`;
+  image.src = imageURL("happy");
+  spinner.innerHTML = "";
+  spinner.style.display = "none";
+
+  setTimeout(() => {
+    const redir = window.location.href;
+    window.location.href = u("/.within.website/x/cmd/anubis/api/pass-challenge", { response: hash, nonce, redir, elapsedTime: t1 - t0 });
+  }, 2000);
+})();
--- a/cmd/anubis/js/proof-of-work.mjs
+++ b/cmd/anubis/js/proof-of-work.mjs
@ -0,0 +1,62 @@
+// https://dev.to/ratmd/simple-proof-of-work-in-javascript-3kgm
+
+export function process(data, difficulty = 5) {
+  return new Promise((resolve, reject) => {
+    let webWorkerURL = URL.createObjectURL(new Blob([
+      '(', processTask(), ')()'
+    ], { type: 'application/javascript' }));
+
+    let worker = new Worker(webWorkerURL);
+
+    worker.onmessage = (event) => {
+      worker.terminate();
+      resolve(event.data);
+    };
+
+    worker.onerror = (event) => {
+      worker.terminate();
+      reject();
+    };
+
+    worker.postMessage({
+      data,
+      difficulty
+    });
+
+    URL.revokeObjectURL(webWorkerURL);
+  });
+}
+
+function processTask() {
+  return function () {
+    const sha256 = (text) => {
+      const encoded = new TextEncoder().encode(text);
+      return crypto.subtle.digest("SHA-256", encoded.buffer).then((result) =>
+        Array.from(new Uint8Array(result))
+          .map((c) => c.toString(16).padStart(2, "0"))
+          .join(""),
+      );
+    };
+
+    addEventListener('message', async (event) => {
+      let data = event.data.data;
+      let difficulty = event.data.difficulty;
+
+      let hash;
+      let nonce = 0;
+      do {
+        hash = await sha256(data + nonce++);
+      } while (hash.substring(0, difficulty) !== Array(difficulty + 1).join('0'));
+
+      nonce -= 1; // last nonce was post-incremented
+
+      postMessage({
+        hash,
+        data,
+        difficulty,
+        nonce,
+      });
+    });
+  }.toString();
+}
+
--- a/cmd/anubis/js/video.mjs
+++ b/cmd/anubis/js/video.mjs
@ -0,0 +1,16 @@
+const videoElement = `<video id="videotest" width="0" height="0" src="/.within.website/x/cmd/anubis/static/testdata/black.mp4"></video>`;
+
+export const testVideo = async (testarea) => {
+  testarea.innerHTML = videoElement;
+  return (await new Promise((resolve) => {
+    const video = document.getElementById('videotest');
+    video.oncanplay = () => {
+      testarea.style.display = "none";
+      resolve(true);
+    };
+    video.onerror = (ev) => {
+      testarea.style.display = "none";
+      resolve(false);
+    };
+  }));
+};
--- a/cmd/anubis/main.go
+++ b/cmd/anubis/main.go
@ -0,0 +1,574 @@
+package main
+
+import (
+	"crypto/ed25519"
+	"crypto/rand"
+	"crypto/sha256"
+	"crypto/subtle"
+	"embed"
+	"encoding/hex"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"io"
+	"log"
+	"log/slog"
+	"math"
+	mrand "math/rand"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"os"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/TecharoHQ/anubis"
+	"github.com/TecharoHQ/anubis/cmd/anubis/internal/config"
+	"github.com/TecharoHQ/anubis/cmd/anubis/internal/dnsbl"
+	"github.com/TecharoHQ/anubis/internal"
+	"github.com/TecharoHQ/anubis/xess"
+	"github.com/a-h/templ"
+	"github.com/facebookgo/flagenv"
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/promauto"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
+)
+
+var (
+	bind                = flag.String("bind", ":8923", "TCP port to bind HTTP to")
+	challengeDifficulty = flag.Int("difficulty", 5, "difficulty of the challenge")
+	metricsBind         = flag.String("metrics-bind", ":9090", "TCP port to bind metrics to")
+	robotsTxt           = flag.Bool("serve-robots-txt", false, "serve a robots.txt file that disallows all robots")
+	policyFname         = flag.String("policy-fname", "", "full path to anubis policy document (defaults to a sensible built-in policy)")
+	slogLevel           = flag.String("slog-level", "INFO", "logging level (see https://pkg.go.dev/log/slog#hdr-Levels)")
+	target              = flag.String("target", "http://localhost:3923", "target to reverse proxy to")
+	healthcheck         = flag.Bool("healthcheck", false, "run a health check against Anubis")
+
+	//go:embed static botPolicies.json
+	static embed.FS
+
+	challengesIssued = promauto.NewCounter(prometheus.CounterOpts{
+		Name: "anubis_challenges_issued",
+		Help: "The total number of challenges issued",
+	})
+
+	challengesValidated = promauto.NewCounter(prometheus.CounterOpts{
+		Name: "anubis_challenges_validated",
+		Help: "The total number of challenges validated",
+	})
+
+	droneBLHits = promauto.NewCounterVec(prometheus.CounterOpts{
+		Name: "anubis_dronebl_hits",
+		Help: "The total number of hits from DroneBL",
+	}, []string{"status"})
+
+	failedValidations = promauto.NewCounter(prometheus.CounterOpts{
+		Name: "anubis_failed_validations",
+		Help: "The total number of failed validations",
+	})
+
+	timeTaken = promauto.NewHistogram(prometheus.HistogramOpts{
+		Name:    "anubis_time_taken",
+		Help:    "The time taken for a browser to generate a response (milliseconds)",
+		Buckets: prometheus.ExponentialBucketsRange(1, math.Pow(2, 18), 19),
+	})
+)
+
+const (
+	cookieName = "within.website-x-cmd-anubis-auth"
+	staticPath = "/.within.website/x/cmd/anubis/"
+)
+
+//go:generate go tool github.com/a-h/templ/cmd/templ generate
+//go:generate esbuild js/main.mjs --sourcemap --minify --bundle --outfile=static/js/main.mjs
+//go:generate gzip -f -k static/js/main.mjs
+//go:generate zstd -f -k --ultra -22 static/js/main.mjs
+//go:generate brotli -fZk static/js/main.mjs
+
+func doHealthCheck() error {
+	resp, err := http.Get("http://localhost" + *metricsBind + "/metrics")
+	if err != nil {
+		return fmt.Errorf("failed to fetch metrics: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("unexpected status code: %d", resp.StatusCode)
+	}
+
+	return nil
+}
+
+func main() {
+	flagenv.Parse()
+	flag.Parse()
+
+	internal.InitSlog(*slogLevel)
+
+	if *healthcheck {
+		if err := doHealthCheck(); err != nil {
+			log.Fatal(err)
+		}
+		return
+	}
+
+	s, err := New(*target, *policyFname)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	fmt.Println("Rule error IDs:")
+	for _, rule := range s.policy.Bots {
+		if rule.Action != config.RuleDeny {
+			continue
+		}
+
+		hash, err := rule.Hash()
+		if err != nil {
+			log.Fatalf("can't calculate checksum of rule %s: %v", rule.Name, err)
+		}
+
+		fmt.Printf("* %s: %s\n", rule.Name, hash)
+	}
+	fmt.Println()
+
+	mux := http.NewServeMux()
+	xess.Mount(mux)
+
+	mux.Handle(staticPath, internal.UnchangingCache(http.StripPrefix(staticPath, http.FileServerFS(static))))
+
+	// mux.HandleFunc("GET /.within.website/x/cmd/anubis/static/js/main.mjs", serveMainJSWithBestEncoding)
+
+	mux.HandleFunc("POST /.within.website/x/cmd/anubis/api/make-challenge", s.makeChallenge)
+	mux.HandleFunc("GET /.within.website/x/cmd/anubis/api/pass-challenge", s.passChallenge)
+	mux.HandleFunc("GET /.within.website/x/cmd/anubis/api/test-error", s.testError)
+
+	if *robotsTxt {
+		mux.HandleFunc("/robots.txt", func(w http.ResponseWriter, r *http.Request) {
+			http.ServeFileFS(w, r, static, "static/robots.txt")
+		})
+
+		mux.HandleFunc("/.well-known/robots.txt", func(w http.ResponseWriter, r *http.Request) {
+			http.ServeFileFS(w, r, static, "static/robots.txt")
+		})
+	}
+
+	if *metricsBind != "" {
+		go metricsServer()
+	}
+
+	mux.HandleFunc("/", s.maybeReverseProxy)
+
+	slog.Info("listening", "url", "http://localhost"+*bind, "difficulty", *challengeDifficulty, "serveRobotsTXT", *robotsTxt, "target", *target, "version", anubis.Version)
+	log.Fatal(http.ListenAndServe(*bind, mux))
+}
+
+func metricsServer() {
+	http.DefaultServeMux.Handle("/metrics", promhttp.Handler())
+	slog.Debug("listening for metrics", "url", "http://localhost"+*metricsBind)
+	log.Fatal(http.ListenAndServe(*metricsBind, nil))
+}
+
+func sha256sum(text string) (string, error) {
+	hash := sha256.New()
+	_, err := hash.Write([]byte(text))
+	if err != nil {
+		return "", err
+	}
+	return hex.EncodeToString(hash.Sum(nil)), nil
+}
+
+func (s *Server) challengeFor(r *http.Request) string {
+	fp := sha256.Sum256(s.priv.Seed())
+
+	data := fmt.Sprintf(
+		"Accept-Language=%s,X-Real-IP=%s,User-Agent=%s,WeekTime=%s,Fingerprint=%x,Difficulty=%d",
+		r.Header.Get("Accept-Language"),
+		r.Header.Get("X-Real-Ip"),
+		r.UserAgent(),
+		time.Now().UTC().Round(24*7*time.Hour).Format(time.RFC3339),
+		fp,
+		*challengeDifficulty,
+	)
+	result, _ := sha256sum(data)
+	return result
+}
+
+func New(target, policyFname string) (*Server, error) {
+	u, err := url.Parse(target)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse target URL: %w", err)
+	}
+
+	pub, priv, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate ed25519 key: %w", err)
+	}
+
+	rp := httputil.NewSingleHostReverseProxy(u)
+
+	var fin io.ReadCloser
+
+	if policyFname != "" {
+		fin, err = os.Open(policyFname)
+		if err != nil {
+			return nil, fmt.Errorf("can't parse policy file %s: %w", policyFname, err)
+		}
+	} else {
+		policyFname = "(static)/botPolicies.json"
+		fin, err = static.Open("botPolicies.json")
+		if err != nil {
+			return nil, fmt.Errorf("[unexpected] can't parse builtin policy file %s: %w", policyFname, err)
+		}
+	}
+
+	defer fin.Close()
+
+	policy, err := parseConfig(fin, policyFname)
+	if err != nil {
+		return nil, err // parseConfig sets a fancy error for us
+	}
+
+	return &Server{
+		rp:         rp,
+		priv:       priv,
+		pub:        pub,
+		policy:     policy,
+		dnsblCache: NewDecayMap[string, dnsbl.DroneBLResponse](),
+	}, nil
+}
+
+type Server struct {
+	rp         *httputil.ReverseProxy
+	priv       ed25519.PrivateKey
+	pub        ed25519.PublicKey
+	policy     *ParsedConfig
+	dnsblCache *DecayMap[string, dnsbl.DroneBLResponse]
+}
+
+func (s *Server) maybeReverseProxy(w http.ResponseWriter, r *http.Request) {
+	cr, rule := s.check(r)
+	r.Header.Add("X-Anubis-Rule", cr.Name)
+	r.Header.Add("X-Anubis-Action", string(cr.Rule))
+	lg := slog.With(
+		"check_result", cr,
+		"user_agent", r.UserAgent(),
+		"accept_language", r.Header.Get("Accept-Language"),
+		"priority", r.Header.Get("Priority"),
+		"x-forwarded-for",
+		r.Header.Get("X-Forwarded-For"),
+		"x-real-ip", r.Header.Get("X-Real-Ip"),
+	)
+	policyApplications.WithLabelValues(cr.Name, string(cr.Rule)).Add(1)
+
+	ip := r.Header.Get("X-Real-Ip")
+
+	if s.policy.DNSBL && ip != "" {
+		resp, ok := s.dnsblCache.Get(ip)
+		if !ok {
+			lg.Debug("looking up ip in dnsbl")
+			resp, err := dnsbl.Lookup(ip)
+			if err != nil {
+				lg.Error("can't look up ip in dnsbl", "err", err)
+			}
+			s.dnsblCache.Set(ip, resp, 24*time.Hour)
+			droneBLHits.WithLabelValues(resp.String()).Inc()
+		}
+
+		if resp != dnsbl.AllGood {
+			lg.Info("DNSBL hit", "status", resp.String())
+			templ.Handler(base("Oh noes!", errorPage(fmt.Sprintf("DroneBL reported an entry: %s, see https://dronebl.org/lookup?ip=%s", resp.String(), ip))), templ.WithStatus(http.StatusOK)).ServeHTTP(w, r)
+			return
+		}
+	}
+
+	switch cr.Rule {
+	case config.RuleAllow:
+		lg.Debug("allowing traffic to origin (explicit)")
+		s.rp.ServeHTTP(w, r)
+		return
+	case config.RuleDeny:
+		clearCookie(w)
+		lg.Info("explicit deny")
+		if rule == nil {
+			lg.Error("rule is nil, cannot calculate checksum")
+			templ.Handler(base("Oh noes!", errorPage("Other internal server error (contact the admin)")), templ.WithStatus(http.StatusInternalServerError)).ServeHTTP(w, r)
+			return
+		}
+		hash, err := rule.Hash()
+		if err != nil {
+			lg.Error("can't calculate checksum of rule", "err", err)
+			templ.Handler(base("Oh noes!", errorPage("Other internal server error (contact the admin)")), templ.WithStatus(http.StatusInternalServerError)).ServeHTTP(w, r)
+			return
+		}
+		lg.Debug("rule hash", "hash", hash)
+		templ.Handler(base("Oh noes!", errorPage(fmt.Sprintf("Access Denied: error code %s", hash))), templ.WithStatus(http.StatusOK)).ServeHTTP(w, r)
+		return
+	case config.RuleChallenge:
+		lg.Debug("challenge requested")
+	default:
+		clearCookie(w)
+		templ.Handler(base("Oh noes!", errorPage("Other internal server error (contact the admin)")), templ.WithStatus(http.StatusInternalServerError)).ServeHTTP(w, r)
+		return
+	}
+
+	ckie, err := r.Cookie(cookieName)
+	if err != nil {
+		lg.Debug("cookie not found", "path", r.URL.Path)
+		clearCookie(w)
+		s.renderIndex(w, r)
+		return
+	}
+
+	if err := ckie.Valid(); err != nil {
+		lg.Debug("cookie is invalid", "err", err)
+		clearCookie(w)
+		s.renderIndex(w, r)
+		return
+	}
+
+	if time.Now().After(ckie.Expires) && !ckie.Expires.IsZero() {
+		lg.Debug("cookie expired", "path", r.URL.Path)
+		clearCookie(w)
+		s.renderIndex(w, r)
+		return
+	}
+
+	token, err := jwt.ParseWithClaims(ckie.Value, jwt.MapClaims{}, func(token *jwt.Token) (interface{}, error) {
+		return s.pub, nil
+	})
+
+	if !token.Valid {
+		lg.Debug("invalid token", "path", r.URL.Path)
+		clearCookie(w)
+		s.renderIndex(w, r)
+		return
+	}
+
+	claims := token.Claims.(jwt.MapClaims)
+
+	exp, ok := claims["exp"].(float64)
+	if !ok {
+		lg.Debug("exp is not int64", "ok", ok, "typeof(exp)", fmt.Sprintf("%T", exp))
+		clearCookie(w)
+		s.renderIndex(w, r)
+		return
+	}
+
+	if exp := time.Unix(int64(exp), 0); time.Now().After(exp) {
+		lg.Debug("token has expired", "exp", exp.Format(time.RFC3339))
+		clearCookie(w)
+		s.renderIndex(w, r)
+		return
+	}
+
+	if token.Valid && randomJitter() {
+		r.Header.Add("X-Anubis-Status", "PASS-BRIEF")
+		lg.Debug("cookie is not enrolled into secondary screening")
+		s.rp.ServeHTTP(w, r)
+		return
+	}
+
+	if claims["challenge"] != s.challengeFor(r) {
+		lg.Debug("invalid challenge", "path", r.URL.Path)
+		clearCookie(w)
+		s.renderIndex(w, r)
+		return
+	}
+
+	var nonce int
+
+	if v, ok := claims["nonce"].(float64); ok {
+		nonce = int(v)
+	}
+
+	calcString := fmt.Sprintf("%s%d", s.challengeFor(r), nonce)
+	calculated, err := sha256sum(calcString)
+	if err != nil {
+		lg.Error("failed to calculate sha256sum", "path", r.URL.Path, "err", err)
+		clearCookie(w)
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	if subtle.ConstantTimeCompare([]byte(claims["response"].(string)), []byte(calculated)) != 1 {
+		lg.Debug("invalid response", "path", r.URL.Path)
+		failedValidations.Inc()
+		clearCookie(w)
+		s.renderIndex(w, r)
+		return
+	}
+
+	slog.Debug("all checks passed")
+	r.Header.Add("X-Anubis-Status", "PASS-FULL")
+	s.rp.ServeHTTP(w, r)
+}
+
+func (s *Server) renderIndex(w http.ResponseWriter, r *http.Request) {
+	templ.Handler(
+		base("Making sure you're not a bot!", index()),
+	).ServeHTTP(w, r)
+}
+
+func (s *Server) makeChallenge(w http.ResponseWriter, r *http.Request) {
+	challenge := s.challengeFor(r)
+	difficulty := *challengeDifficulty
+
+	lg := slog.With("user_agent", r.UserAgent(), "accept_language", r.Header.Get("Accept-Language"), "priority", r.Header.Get("Priority"), "x-forwarded-for", r.Header.Get("X-Forwarded-For"), "x-real-ip", r.Header.Get("X-Real-Ip"))
+
+	json.NewEncoder(w).Encode(struct {
+		Challenge  string `json:"challenge"`
+		Difficulty int    `json:"difficulty"`
+	}{
+		Challenge:  challenge,
+		Difficulty: difficulty,
+	})
+	lg.Debug("made challenge", "challenge", challenge, "difficulty", difficulty)
+	challengesIssued.Inc()
+}
+
+func (s *Server) passChallenge(w http.ResponseWriter, r *http.Request) {
+	lg := slog.With("user_agent", r.UserAgent(), "accept_language", r.Header.Get("Accept-Language"), "priority", r.Header.Get("Priority"), "x-forwarded-for", r.Header.Get("X-Forwarded-For"), "x-real-ip", r.Header.Get("X-Real-Ip"))
+
+	nonceStr := r.FormValue("nonce")
+	if nonceStr == "" {
+		clearCookie(w)
+		lg.Debug("no nonce")
+		templ.Handler(base("Oh noes!", errorPage("missing nonce")), templ.WithStatus(http.StatusInternalServerError)).ServeHTTP(w, r)
+		return
+	}
+
+	elapsedTimeStr := r.FormValue("elapsedTime")
+	if elapsedTimeStr == "" {
+		clearCookie(w)
+		lg.Debug("no elapsedTime")
+		templ.Handler(base("Oh noes!", errorPage("missing elapsedTime")), templ.WithStatus(http.StatusInternalServerError)).ServeHTTP(w, r)
+		return
+	}
+
+	elapsedTime, err := strconv.ParseFloat(elapsedTimeStr, 64)
+	if err != nil {
+		clearCookie(w)
+		lg.Debug("elapsedTime doesn't parse", "err", err)
+		templ.Handler(base("Oh noes!", errorPage("invalid elapsedTime")), templ.WithStatus(http.StatusInternalServerError)).ServeHTTP(w, r)
+		return
+	}
+
+	lg.Info("challenge took", "elapsedTime", elapsedTime)
+	timeTaken.Observe(elapsedTime)
+
+	response := r.FormValue("response")
+	redir := r.FormValue("redir")
+
+	challenge := s.challengeFor(r)
+
+	nonce, err := strconv.Atoi(nonceStr)
+	if err != nil {
+		clearCookie(w)
+		lg.Debug("nonce doesn't parse", "err", err)
+		templ.Handler(base("Oh noes!", errorPage("invalid nonce")), templ.WithStatus(http.StatusInternalServerError)).ServeHTTP(w, r)
+		return
+	}
+
+	calcString := fmt.Sprintf("%s%d", challenge, nonce)
+	calculated, err := sha256sum(calcString)
+	if err != nil {
+		clearCookie(w)
+		lg.Debug("can't parse shasum", "err", err)
+		templ.Handler(base("Oh noes!", errorPage("failed to calculate sha256sum")), templ.WithStatus(http.StatusInternalServerError)).ServeHTTP(w, r)
+		return
+	}
+
+	if subtle.ConstantTimeCompare([]byte(response), []byte(calculated)) != 1 {
+		clearCookie(w)
+		lg.Debug("hash does not match", "got", response, "want", calculated)
+		templ.Handler(base("Oh noes!", errorPage("invalid response")), templ.WithStatus(http.StatusForbidden)).ServeHTTP(w, r)
+		failedValidations.Inc()
+		return
+	}
+
+	// compare the leading zeroes
+	if !strings.HasPrefix(response, strings.Repeat("0", *challengeDifficulty)) {
+		clearCookie(w)
+		lg.Debug("difficulty check failed", "response", response, "difficulty", *challengeDifficulty)
+		templ.Handler(base("Oh noes!", errorPage("invalid response")), templ.WithStatus(http.StatusForbidden)).ServeHTTP(w, r)
+		failedValidations.Inc()
+		return
+	}
+
+	// generate JWT cookie
+	token := jwt.NewWithClaims(jwt.SigningMethodEdDSA, jwt.MapClaims{
+		"challenge": challenge,
+		"nonce":     nonce,
+		"response":  response,
+		"iat":       time.Now().Unix(),
+		"nbf":       time.Now().Add(-1 * time.Minute).Unix(),
+		"exp":       time.Now().Add(24 * 7 * time.Hour).Unix(),
+	})
+	tokenString, err := token.SignedString(s.priv)
+	if err != nil {
+		lg.Error("failed to sign JWT", "err", err)
+		clearCookie(w)
+		templ.Handler(base("Oh noes!", errorPage("failed to sign JWT")), templ.WithStatus(http.StatusInternalServerError)).ServeHTTP(w, r)
+		return
+	}
+
+	http.SetCookie(w, &http.Cookie{
+		Name:     cookieName,
+		Value:    tokenString,
+		Expires:  time.Now().Add(24 * 7 * time.Hour),
+		SameSite: http.SameSiteLaxMode,
+		Path:     "/",
+	})
+
+	challengesValidated.Inc()
+	lg.Debug("challenge passed, redirecting to app")
+	http.Redirect(w, r, redir, http.StatusFound)
+}
+
+func (s *Server) testError(w http.ResponseWriter, r *http.Request) {
+	err := r.FormValue("err")
+	templ.Handler(base("Oh noes!", errorPage(err)), templ.WithStatus(http.StatusInternalServerError)).ServeHTTP(w, r)
+}
+
+func ohNoes(w http.ResponseWriter, r *http.Request, err error) {
+	slog.Error("super fatal error", "err", err)
+	templ.Handler(base("Oh noes!", errorPage("An internal server error happened")), templ.WithStatus(http.StatusInternalServerError)).ServeHTTP(w, r)
+}
+
+func clearCookie(w http.ResponseWriter) {
+	http.SetCookie(w, &http.Cookie{
+		Name:     cookieName,
+		Value:    "",
+		Expires:  time.Now().Add(-1 * time.Hour),
+		MaxAge:   -1,
+		SameSite: http.SameSiteLaxMode,
+	})
+}
+
+func randomJitter() bool {
+	return mrand.Intn(100) > 10
+}
+
+func serveMainJSWithBestEncoding(w http.ResponseWriter, r *http.Request) {
+	priorityList := []string{"zstd", "br", "gzip"}
+	enc2ext := map[string]string{
+		"zstd": "zst",
+		"br":   "br",
+		"gzip": "gz",
+	}
+
+	for _, enc := range priorityList {
+		if strings.Contains(r.Header.Get("Accept-Encoding"), enc) {
+			w.Header().Set("Content-Type", "text/javascript")
+			w.Header().Set("Content-Encoding", enc)
+			http.ServeFileFS(w, r, static, "static/js/main.mjs."+enc2ext[enc])
+			return
+		}
+	}
+
+	w.Header().Set("Content-Type", "text/javascript")
+	http.ServeFileFS(w, r, static, "static/js/main.mjs")
+}
--- a/cmd/anubis/policy.go
+++ b/cmd/anubis/policy.go
@ -0,0 +1,146 @@
+package main
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"log/slog"
+	"net/http"
+	"regexp"
+
+	"github.com/TecharoHQ/anubis/cmd/anubis/internal/config"
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/promauto"
+)
+
+var (
+	policyApplications = promauto.NewCounterVec(prometheus.CounterOpts{
+		Name: "anubis_policy_results",
+		Help: "The results of each policy rule",
+	}, []string{"rule", "action"})
+)
+
+type ParsedConfig struct {
+	orig config.Config
+
+	Bots  []Bot
+	DNSBL bool
+}
+
+type Bot struct {
+	Name      string
+	UserAgent *regexp.Regexp
+	Path      *regexp.Regexp
+	Action    config.Rule `json:"action"`
+}
+
+func (b Bot) Hash() (string, error) {
+	var pathRex string
+	if b.Path != nil {
+		pathRex = b.Path.String()
+	}
+	var userAgentRex string
+	if b.UserAgent != nil {
+		userAgentRex = b.UserAgent.String()
+	}
+
+	return sha256sum(fmt.Sprintf("%s::%s::%s", b.Name, pathRex, userAgentRex))
+}
+
+func parseConfig(fin io.Reader, fname string) (*ParsedConfig, error) {
+	var c config.Config
+	if err := json.NewDecoder(fin).Decode(&c); err != nil {
+		return nil, fmt.Errorf("can't parse policy config JSON %s: %w", fname, err)
+	}
+
+	if err := c.Valid(); err != nil {
+		return nil, err
+	}
+
+	var err error
+
+	result := &ParsedConfig{
+		orig: c,
+	}
+
+	for _, b := range c.Bots {
+		if berr := b.Valid(); berr != nil {
+			err = errors.Join(err, berr)
+			continue
+		}
+
+		var botParseErr error
+		parsedBot := Bot{
+			Name:   b.Name,
+			Action: b.Action,
+		}
+
+		if b.UserAgentRegex != nil {
+			userAgent, err := regexp.Compile(*b.UserAgentRegex)
+			if err != nil {
+				botParseErr = errors.Join(botParseErr, fmt.Errorf("while compiling user agent regexp: %w", err))
+				continue
+			} else {
+				parsedBot.UserAgent = userAgent
+			}
+		}
+
+		if b.PathRegex != nil {
+			path, err := regexp.Compile(*b.PathRegex)
+			if err != nil {
+				botParseErr = errors.Join(botParseErr, fmt.Errorf("while compiling path regexp: %w", err))
+				continue
+			} else {
+				parsedBot.Path = path
+			}
+		}
+
+		result.Bots = append(result.Bots, parsedBot)
+	}
+
+	if err != nil {
+		return nil, fmt.Errorf("errors validating policy config JSON %s: %w", fname, err)
+	}
+
+	result.DNSBL = c.DNSBL
+
+	return result, nil
+}
+
+type CheckResult struct {
+	Name string
+	Rule config.Rule
+}
+
+func (cr CheckResult) LogValue() slog.Value {
+	return slog.GroupValue(
+		slog.String("name", cr.Name),
+		slog.String("rule", string(cr.Rule)))
+}
+
+func cr(name string, rule config.Rule) CheckResult {
+	return CheckResult{
+		Name: name,
+		Rule: rule,
+	}
+}
+
+// Check evaluates the list of rules, and returns the result
+func (s *Server) check(r *http.Request) (CheckResult, *Bot) {
+	for _, b := range s.policy.Bots {
+		if b.UserAgent != nil {
+			if b.UserAgent.MatchString(r.UserAgent()) {
+				return cr("bot/"+b.Name, b.Action), &b
+			}
+		}
+
+		if b.Path != nil {
+			if b.Path.MatchString(r.URL.Path) {
+				return cr("bot/"+b.Name, b.Action), &b
+			}
+		}
+	}
+
+	return cr("default/allow", config.RuleAllow), nil
+}
--- a/cmd/anubis/policy_test.go
+++ b/cmd/anubis/policy_test.go
@ -0,0 +1,65 @@
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+)
+
+func TestDefaultPolicyMustParse(t *testing.T) {
+	fin, err := static.Open("botPolicies.json")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer fin.Close()
+
+	if _, err := parseConfig(fin, "botPolicies.json"); err != nil {
+		t.Fatalf("can't parse config: %v", err)
+	}
+}
+
+func TestGoodConfigs(t *testing.T) {
+	finfos, err := os.ReadDir("internal/config/testdata/good")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for _, st := range finfos {
+		st := st
+		t.Run(st.Name(), func(t *testing.T) {
+			fin, err := os.Open(filepath.Join("internal", "config", "testdata", "good", st.Name()))
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer fin.Close()
+
+			if _, err := parseConfig(fin, fin.Name()); err != nil {
+				t.Fatal(err)
+			}
+		})
+	}
+}
+
+func TestBadConfigs(t *testing.T) {
+	finfos, err := os.ReadDir("internal/config/testdata/bad")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for _, st := range finfos {
+		st := st
+		t.Run(st.Name(), func(t *testing.T) {
+			fin, err := os.Open(filepath.Join("internal", "config", "testdata", "bad", st.Name()))
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer fin.Close()
+
+			if _, err := parseConfig(fin, fin.Name()); err == nil {
+				t.Fatal(err)
+			} else {
+				t.Log(err)
+			}
+		})
+	}
+}
--- a/cmd/anubis/static/img/happy.webp
+++ b/cmd/anubis/static/img/happy.webp
--- a/cmd/anubis/static/img/pensive.webp
+++ b/cmd/anubis/static/img/pensive.webp
--- a/cmd/anubis/static/img/sad.webp
+++ b/cmd/anubis/static/img/sad.webp
--- a/cmd/anubis/static/js/main.mjs
+++ b/cmd/anubis/static/js/main.mjs
@ -0,0 +1,2 @@
+(()=>{function l(n,s=5){return new Promise((i,e)=>{let o=URL.createObjectURL(new Blob(["(",w(),")()"],{type:"application/javascript"})),t=new Worker(o);t.onmessage=r=>{t.terminate(),i(r.data)},t.onerror=r=>{t.terminate(),e()},t.postMessage({data:n,difficulty:s}),URL.revokeObjectURL(o)})}function w(){return function(){let n=s=>{let i=new TextEncoder().encode(s);return crypto.subtle.digest("SHA-256",i.buffer).then(e=>Array.from(new Uint8Array(e)).map(o=>o.toString(16).padStart(2,"0")).join(""))};addEventListener("message",async s=>{let i=s.data.data,e=s.data.difficulty,o,t=0;do o=await n(i+t++);while(o.substring(0,e)!==Array(e+1).join("0"));t-=1,postMessage({hash:o,data:i,difficulty:e,nonce:t})})}.toString()}var h=(n="",s={})=>{let i=new URL(n,window.location.href);return Object.entries(s).forEach(e=>{let[o,t]=e;i.searchParams.set(o,t)}),i.toString()},m=n=>`/.within.website/x/cmd/anubis/static/img/${n}.webp`;(async()=>{let n=document.getElementById("status"),s=document.getElementById("image"),i=document.getElementById("title"),e=document.getElementById("spinner");n.innerHTML="Calculating...";let{challenge:o,difficulty:t}=await fetch("/.within.website/x/cmd/anubis/api/make-challenge",{method:"POST"}).then(a=>{if(!a.ok)throw new Error("Failed to fetch config");return a.json()}).catch(a=>{throw i.innerHTML="Oh no!",n.innerHTML=`Failed to fetch config: ${a.message}`,s.src=m("sad"),e.innerHTML="",e.style.display="none",a});n.innerHTML=`Calculating...<br/>Difficulty: ${t}`;let r=Date.now(),{hash:u,nonce:c}=await l(o,t),d=Date.now();i.innerHTML="Success!",n.innerHTML=`Done! Took ${d-r}ms, ${c} iterations`,s.src=m("happy"),e.innerHTML="",e.style.display="none",setTimeout(()=>{let a=window.location.href;window.location.href=h("/.within.website/x/cmd/anubis/api/pass-challenge",{response:u,nonce:c,redir:a,elapsedTime:d-r})},2e3)})();})();
+//# sourceMappingURL=main.mjs.map
--- a/cmd/anubis/static/js/main.mjs.br
+++ b/cmd/anubis/static/js/main.mjs.br
--- a/cmd/anubis/static/js/main.mjs.gz
+++ b/cmd/anubis/static/js/main.mjs.gz
--- a/cmd/anubis/static/js/main.mjs.map
+++ b/cmd/anubis/static/js/main.mjs.map
@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../js/proof-of-work.mjs", "../../js/main.mjs"],
+  "sourcesContent": ["// https://dev.to/ratmd/simple-proof-of-work-in-javascript-3kgm\n\nexport function process(data, difficulty = 5) {\n  return new Promise((resolve, reject) => {\n    let webWorkerURL = URL.createObjectURL(new Blob([\n      '(', processTask(), ')()'\n    ], { type: 'application/javascript' }));\n\n    let worker = new Worker(webWorkerURL);\n\n    worker.onmessage = (event) => {\n      worker.terminate();\n      resolve(event.data);\n    };\n\n    worker.onerror = (event) => {\n      worker.terminate();\n      reject();\n    };\n\n    worker.postMessage({\n      data,\n      difficulty\n    });\n\n    URL.revokeObjectURL(webWorkerURL);\n  });\n}\n\nfunction processTask() {\n  return function () {\n    const sha256 = (text) => {\n      const encoded = new TextEncoder().encode(text);\n      return crypto.subtle.digest(\"SHA-256\", encoded.buffer).then((result) =>\n        Array.from(new Uint8Array(result))\n          .map((c) => c.toString(16).padStart(2, \"0\"))\n          .join(\"\"),\n      );\n    };\n\n    addEventListener('message', async (event) => {\n      let data = event.data.data;\n      let difficulty = event.data.difficulty;\n\n      let hash;\n      let nonce = 0;\n      do {\n        hash = await sha256(data + nonce++);\n      } while (hash.substring(0, difficulty) !== Array(difficulty + 1).join('0'));\n\n      nonce -= 1; // last nonce was post-incremented\n\n      postMessage({\n        hash,\n        data,\n        difficulty,\n        nonce,\n      });\n    });\n  }.toString();\n}\n\n", "import { process } from './proof-of-work.mjs';\nimport { testVideo } from './video.mjs';\n\n// from Xeact\nconst u = (url = \"\", params = {}) => {\n  let result = new URL(url, window.location.href);\n  Object.entries(params).forEach((kv) => {\n    let [k, v] = kv;\n    result.searchParams.set(k, v);\n  });\n  return result.toString();\n};\n\nconst imageURL = (mood) => {\n  return `/.within.website/x/cmd/anubis/static/img/${mood}.webp`;\n};\n\n(async () => {\n  const status = document.getElementById('status');\n  const image = document.getElementById('image');\n  const title = document.getElementById('title');\n  const spinner = document.getElementById('spinner');\n  // const testarea = document.getElementById('testarea');\n\n  // const videoWorks = await testVideo(testarea);\n  // console.log(`videoWorks: ${videoWorks}`);\n\n  // if (!videoWorks) {\n  //   title.innerHTML = \"Oh no!\";\n  //   status.innerHTML = \"Checks failed. Please check your browser's settings and try again.\";\n  //   image.src = imageURL(\"sad\");\n  //   spinner.innerHTML = \"\";\n  //   spinner.style.display = \"none\";\n  //   return;\n  // }\n\n  status.innerHTML = 'Calculating...';\n\n  const { challenge, difficulty } = await fetch(\"/.within.website/x/cmd/anubis/api/make-challenge\", { method: \"POST\" })\n    .then(r => {\n      if (!r.ok) {\n        throw new Error(\"Failed to fetch config\");\n      }\n      return r.json();\n    })\n    .catch(err => {\n      title.innerHTML = \"Oh no!\";\n      status.innerHTML = `Failed to fetch config: ${err.message}`;\n      image.src = imageURL(\"sad\");\n      spinner.innerHTML = \"\";\n      spinner.style.display = \"none\";\n      throw err;\n    });\n\n  status.innerHTML = `Calculating...<br/>Difficulty: ${difficulty}`;\n\n  const t0 = Date.now();\n  const { hash, nonce } = await process(challenge, difficulty);\n  const t1 = Date.now();\n\n  title.innerHTML = \"Success!\";\n  status.innerHTML = `Done! Took ${t1 - t0}ms, ${nonce} iterations`;\n  image.src = imageURL(\"happy\");\n  spinner.innerHTML = \"\";\n  spinner.style.display = \"none\";\n\n  setTimeout(() => {\n    const redir = window.location.href;\n    window.location.href = u(\"/.within.website/x/cmd/anubis/api/pass-challenge\", { response: hash, nonce, redir, elapsedTime: t1 - t0 });\n  }, 2000);\n})();"],
+  "mappings": "MAEO,SAASA,EAAQC,EAAMC,EAAa,EAAG,CAC5C,OAAO,IAAI,QAAQ,CAACC,EAASC,IAAW,CACtC,IAAIC,EAAe,IAAI,gBAAgB,IAAI,KAAK,CAC9C,IAAKC,EAAY,EAAG,KACtB,EAAG,CAAE,KAAM,wBAAyB,CAAC,CAAC,EAElCC,EAAS,IAAI,OAAOF,CAAY,EAEpCE,EAAO,UAAaC,GAAU,CAC5BD,EAAO,UAAU,EACjBJ,EAAQK,EAAM,IAAI,CACpB,EAEAD,EAAO,QAAWC,GAAU,CAC1BD,EAAO,UAAU,EACjBH,EAAO,CACT,EAEAG,EAAO,YAAY,CACjB,KAAAN,EACA,WAAAC,CACF,CAAC,EAED,IAAI,gBAAgBG,CAAY,CAClC,CAAC,CACH,CAEA,SAASC,GAAc,CACrB,OAAO,UAAY,CACjB,IAAMG,EAAUC,GAAS,CACvB,IAAMC,EAAU,IAAI,YAAY,EAAE,OAAOD,CAAI,EAC7C,OAAO,OAAO,OAAO,OAAO,UAAWC,EAAQ,MAAM,EAAE,KAAMC,GAC3D,MAAM,KAAK,IAAI,WAAWA,CAAM,CAAC,EAC9B,IAAKC,GAAMA,EAAE,SAAS,EAAE,EAAE,SAAS,EAAG,GAAG,CAAC,EAC1C,KAAK,EAAE,CACZ,CACF,EAEA,iBAAiB,UAAW,MAAOL,GAAU,CAC3C,IAAIP,EAAOO,EAAM,KAAK,KAClBN,EAAaM,EAAM,KAAK,WAExBM,EACAC,EAAQ,EACZ,GACED,EAAO,MAAML,EAAOR,EAAOc,GAAO,QAC3BD,EAAK,UAAU,EAAGZ,CAAU,IAAM,MAAMA,EAAa,CAAC,EAAE,KAAK,GAAG,GAEzEa,GAAS,EAET,YAAY,CACV,KAAAD,EACA,KAAAb,EACA,WAAAC,EACA,MAAAa,CACF,CAAC,CACH,CAAC,CACH,EAAE,SAAS,CACb,CCxDA,IAAMC,EAAI,CAACC,EAAM,GAAIC,EAAS,CAAC,IAAM,CACnC,IAAIC,EAAS,IAAI,IAAIF,EAAK,OAAO,SAAS,IAAI,EAC9C,cAAO,QAAQC,CAAM,EAAE,QAASE,GAAO,CACrC,GAAI,CAACC,EAAGC,CAAC,EAAIF,EACbD,EAAO,aAAa,IAAIE,EAAGC,CAAC,CAC9B,CAAC,EACMH,EAAO,SAAS,CACzB,EAEMI,EAAYC,GACT,4CAA4CA,CAAI,SAGxD,SAAY,CACX,IAAMC,EAAS,SAAS,eAAe,QAAQ,EACzCC,EAAQ,SAAS,eAAe,OAAO,EACvCC,EAAQ,SAAS,eAAe,OAAO,EACvCC,EAAU,SAAS,eAAe,SAAS,EAejDH,EAAO,UAAY,iBAEnB,GAAM,CAAE,UAAAI,EAAW,WAAAC,CAAW,EAAI,MAAM,MAAM,mDAAoD,CAAE,OAAQ,MAAO,CAAC,EACjH,KAAKC,GAAK,CACT,GAAI,CAACA,EAAE,GACL,MAAM,IAAI,MAAM,wBAAwB,EAE1C,OAAOA,EAAE,KAAK,CAChB,CAAC,EACA,MAAMC,GAAO,CACZ,MAAAL,EAAM,UAAY,SAClBF,EAAO,UAAY,2BAA2BO,EAAI,OAAO,GACzDN,EAAM,IAAMH,EAAS,KAAK,EAC1BK,EAAQ,UAAY,GACpBA,EAAQ,MAAM,QAAU,OAClBI,CACR,CAAC,EAEHP,EAAO,UAAY,kCAAkCK,CAAU,GAE/D,IAAMG,EAAK,KAAK,IAAI,EACd,CAAE,KAAAC,EAAM,MAAAC,CAAM,EAAI,MAAMC,EAAQP,EAAWC,CAAU,EACrDO,EAAK,KAAK,IAAI,EAEpBV,EAAM,UAAY,WAClBF,EAAO,UAAY,cAAcY,EAAKJ,CAAE,OAAOE,CAAK,cACpDT,EAAM,IAAMH,EAAS,OAAO,EAC5BK,EAAQ,UAAY,GACpBA,EAAQ,MAAM,QAAU,OAExB,WAAW,IAAM,CACf,IAAMU,EAAQ,OAAO,SAAS,KAC9B,OAAO,SAAS,KAAOtB,EAAE,mDAAoD,CAAE,SAAUkB,EAAM,MAAAC,EAAO,MAAAG,EAAO,YAAaD,EAAKJ,CAAG,CAAC,CACrI,EAAG,GAAI,CACT,GAAG",
+  "names": ["process", "data", "difficulty", "resolve", "reject", "webWorkerURL", "processTask", "worker", "event", "sha256", "text", "encoded", "result", "c", "hash", "nonce", "u", "url", "params", "result", "kv", "k", "v", "imageURL", "mood", "status", "image", "title", "spinner", "challenge", "difficulty", "r", "err", "t0", "hash", "nonce", "process", "t1", "redir"]
+}
--- a/cmd/anubis/static/js/main.mjs.zst
+++ b/cmd/anubis/static/js/main.mjs.zst
--- a/cmd/anubis/static/robots.txt
+++ b/cmd/anubis/static/robots.txt
@ -0,0 +1,47 @@
+User-agent: AI2Bot
+User-agent: Ai2Bot-Dolma
+User-agent: Amazonbot
+User-agent: anthropic-ai
+User-agent: Applebot
+User-agent: Applebot-Extended
+User-agent: Bytespider
+User-agent: CCBot
+User-agent: ChatGPT-User
+User-agent: Claude-Web
+User-agent: ClaudeBot
+User-agent: cohere-ai
+User-agent: cohere-training-data-crawler
+User-agent: Diffbot
+User-agent: DuckAssistBot
+User-agent: FacebookBot
+User-agent: FriendlyCrawler
+User-agent: Google-Extended
+User-agent: GoogleOther
+User-agent: GoogleOther-Image
+User-agent: GoogleOther-Video
+User-agent: GPTBot
+User-agent: iaskspider/2.0
+User-agent: ICC-Crawler
+User-agent: ImagesiftBot
+User-agent: img2dataset
+User-agent: ISSCyberRiskCrawler
+User-agent: Kangaroo Bot
+User-agent: Meta-ExternalAgent
+User-agent: Meta-ExternalFetcher
+User-agent: OAI-SearchBot
+User-agent: omgili
+User-agent: omgilibot
+User-agent: PanguBot
+User-agent: PerplexityBot
+User-agent: PetalBot
+User-agent: Scrapy
+User-agent: SemrushBot
+User-agent: Sidetrade indexer bot
+User-agent: Timpibot
+User-agent: VelenPublicWebCrawler
+User-agent: Webzio-Extended
+User-agent: YouBot
+Disallow: /
+
+User-agent: *
+Disallow: /
--- a/cmd/anubis/static/testdata/black.mp4
+++ b/cmd/anubis/static/testdata/black.mp4