fail2ban

2026-01-11 09:44:08 -05:00 · 2025-08-20 09:49:03 -04:00 · 2025-08-20 09:49:03 -04:00 · f31d9d3b20
commit f31d9d3b20
parent 6ad937e428
3 changed files with 39 additions and 2 deletions
--- a/hosts/nixos/HandlerOne/default.nix
+++ b/hosts/nixos/HandlerOne/default.nix
@ -49,6 +49,7 @@
      "modules/services/lubelogger"
      "modules/services/trilium"
      "modules/services/fail2ban"
+      "modules/services/ntfy-sh"
      "modules/services/ollama/nginx.nix" # Just host the nginx path back to Parzival
      "modules/services/netbox"
      "modules/services/flamesites"
@ -125,6 +126,7 @@
      "ta.wanderingcrow.net" = {};
      "chat.wanderingcrow.net" = {};
      "netbox.wanderingcrow.net" = {};
+      "notify.wanderingcrow.net" = {};
      # Sites I host for someone else
      "test.swgalaxyproject.com" = {};
      "swgalaxyproject.com" = {};
--- a/modules/services/fail2ban/default.nix
+++ b/modules/services/fail2ban/default.nix
@ -1,10 +1,15 @@
-{pkgs, ...}: {
+{
+  inputs,
+  config,
+  pkgs,
+  ...
+}: {
  environment.etc = {
    # Define an action that will trigger a Ntfy push notification upon the issue of every new ban
    "fail2ban/action.d/ntfy.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
      [Definition]
      norestored = true # Needed to avoid receiving a new notification after every restart
-      actionban = curl -H "Title: <ip> has been banned" -d "<name> jail has banned <ip> from accessing $(hostname) after <failures> attempts of hacking the system." https://ntfy.sh/Fail2banNotifications
+      actionban = curl -H "Title: <ip> has been banned" -d "<name> jail has banned <ip> from accessing ${config.hostSpec.hostName} after <failures> attempts of hacking the system." https://notify.wanderingcrow.net/Fail2banNotifications
    '');
    # Defines a filter that detects URL probing by reading the Nginx access log
    "fail2ban/filter.d/nginx-url-probe.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
@ -14,6 +19,12 @@
  };
  services.fail2ban = {
    enable = true;
+    extraPackages = [
+      pkgs.curl
+    ];
+    ignoreIP = [
+      inputs.nix-secrets.network.primary.publicIP
+    ];
    jails = {
      nginx-url-probe.settings = {
        enabled = true;
--- a/modules/services/ntfy-sh/default.nix
+++ b/modules/services/ntfy-sh/default.nix
@ -0,0 +1,24 @@
+{
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    virtualHosts = {
+      "notify.wanderingcrow.net" = {
+        forceSSL = true;
+        useACMEHost = "notify.wanderingcrow.net";
+        locations."/" = {
+          proxyPass = "http://localhost:9089";
+          proxyWebsockets = true;
+        };
+      };
+    };
+  };
+  services.ntfy-sh = {
+    enable = true;
+    settings = {
+      base-url = "https://notify.wanderingcrow.net";
+      listen-http = ":9089";
+      behind-proxy = true;
+    };
+  };
+}