TheWanderingCrow 2025-08-20 09:49:03 -04:00
parent 6ad937e428
commit f31d9d3b20
3 changed files with 39 additions and 2 deletions


@ -49,6 +49,7 @@
"modules/services/lubelogger" "modules/services/lubelogger"
"modules/services/trilium" "modules/services/trilium"
"modules/services/fail2ban" "modules/services/fail2ban"
"modules/services/ntfy-sh"
"modules/services/ollama/nginx.nix" # Just host the nginx path back to Parzival "modules/services/ollama/nginx.nix" # Just host the nginx path back to Parzival
"modules/services/netbox" "modules/services/netbox"
"modules/services/flamesites" "modules/services/flamesites"
@ -125,6 +126,7 @@
"ta.wanderingcrow.net" = {}; "ta.wanderingcrow.net" = {};
"chat.wanderingcrow.net" = {}; "chat.wanderingcrow.net" = {};
"netbox.wanderingcrow.net" = {}; "netbox.wanderingcrow.net" = {};
"notify.wanderingcrow.net" = {};
# Sites I host for someone else # Sites I host for someone else
"test.swgalaxyproject.com" = {}; "test.swgalaxyproject.com" = {};
"swgalaxyproject.com" = {}; "swgalaxyproject.com" = {};


@ -1,10 +1,15 @@
{pkgs, ...}: { {
inputs,
config,
pkgs,
...
}: {
environment.etc = { environment.etc = {
# Define an action that will trigger a Ntfy push notification upon the issue of every new ban # Define an action that will trigger a Ntfy push notification upon the issue of every new ban
"fail2ban/action.d/ntfy.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter '' "fail2ban/action.d/ntfy.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition] [Definition]
norestored = true # Needed to avoid receiving a new notification after every restart norestored = true # Needed to avoid receiving a new notification after every restart
actionban = curl -H "Title: <ip> has been banned" -d "<name> jail has banned <ip> from accessing $(hostname) after <failures> attempts of hacking the system." https://ntfy.sh/Fail2banNotifications actionban = curl -H "Title: <ip> has been banned" -d "<name> jail has banned <ip> from accessing ${config.hostSpec.hostName} after <failures> attempts of hacking the system." https://notify.wanderingcrow.net/Fail2banNotifications
''); '');
# Defines a filter that detects URL probing by reading the Nginx access log # Defines a filter that detects URL probing by reading the Nginx access log
"fail2ban/filter.d/nginx-url-probe.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter '' "fail2ban/filter.d/nginx-url-probe.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
@ -14,6 +19,12 @@
}; };
services.fail2ban = { services.fail2ban = {
enable = true; enable = true;
extraPackages = [
pkgs.curl
];
ignoreIP = [
inputs.nix-secrets.network.primary.publicIP
];
jails = { jails = {
nginx-url-probe.settings = { nginx-url-probe.settings = {
enabled = true; enabled = true;
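Review bot: The rewritten `actionban` posts to `https://notify.wanderingcrow.net/Fail2banNotifications` without any credentials, and the ntfy-sh settings added in the new service file of this commit set neither `auth-file` nor `auth-default-access`. Unless access is restricted somewhere this diff does not show, anyone who knows the topic name can read it and publish to it. Ban events (source IP, jail name, host name) would then be readable by third parties, and forged notifications could be mixed in with real ones. Consider `auth-default-access = "deny-all";` together with an `auth-file` in the ntfy settings, and have the action send an `Authorization: Bearer` header whose token is read from a secret file at run time rather than interpolated into the world-readable store. Adding `--fail --max-time 10` to the curl call would also make a failing or stalled notifier visible in the fail2ban log instead of passing silently.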


@ -0,0 +1,24 @@
{
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts = {
"notify.wanderingcrow.net" = {
forceSSL = true;
useACMEHost = "notify.wanderingcrow.net";
locations."/" = {
proxyPass = "http://localhost:9089";
proxyWebsockets = true;
};
};
};
};
services.ntfy-sh = {
enable = true;
settings = {
base-url = "https://notify.wanderingcrow.net";
listen-http = ":9089";
behind-proxy = true;
};
};
}
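Review bot: `listen-http = ":9089"` binds ntfy on every interface while `behind-proxy = true` tells it to take the client address from the forwarded header. A client that can reach port 9089 directly could therefore present any address it likes and would not be held to per-visitor rate limits; whether the firewall allows that is not visible in this diff. Since nginx already proxies to `http://localhost:9089`, binding to loopback is sufficient and removes the dependency on the firewall: `listen-http = "127.0.0.1:9089";`.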