From 5d8a32892148f53f62a881599649083643dec8a5 Mon Sep 17 00:00:00 2001 From: Joshua Bell Date: Wed, 21 Jan 2026 20:10:15 -0600 Subject: [PATCH] Enable fail2ban and add nginx llm auth logging; update flake.lock --- hosts/oracle/o001/flake.lock | 30 +++++++++++++++--------------- hosts/oracle/o001/nginx.nix | 36 ++++++++++++++++++++++++++++++++++++ 2 files changed, 51 insertions(+), 15 deletions(-) diff --git a/hosts/oracle/o001/flake.lock b/hosts/oracle/o001/flake.lock index e51a36d2..ebcf4242 100644 --- a/hosts/oracle/o001/flake.lock +++ b/hosts/oracle/o001/flake.lock @@ -31,11 +31,11 @@ }, "locked": { "dir": "flakes/beszel", - "lastModified": 1766036507, - "narHash": "sha256-ZFJjJVkWlefIhsJ2vHniBnqqnTCa9qGW3pQOXUU4X1I=", + "lastModified": 1769046854, + "narHash": "sha256-xxEha3Qoe4KQNniPCmg7T44bxbsSKazbttqEy2aqPI0=", "ref": "refs/heads/master", - "rev": "fca1bd9d8f4d7e345b373f69c9d2b40d9fa33f59", - "revCount": 952, + "rev": "eebf3541735e5a2a46ab02ce4ccb76f56d61693b", + "revCount": 1155, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" }, @@ -47,11 +47,11 @@ }, "beszel-nixpkgs": { "locked": { - "lastModified": 1765472234, - "narHash": "sha256-9VvC20PJPsleGMewwcWYKGzDIyjckEz8uWmT0vCDYK0=", + "lastModified": 1767379071, + "narHash": "sha256-EgE0pxsrW9jp9YFMkHL9JMXxcqi/OoumPJYwf+Okucw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2fbfb1d73d239d2402a8fe03963e37aab15abe8b", + "rev": "fb7944c166a3b630f177938e478f0378e64ce108", "type": "github" }, "original": { 
@@ -64,11 +64,11 @@ "common": { "locked": { "dir": "flakes/common", - "lastModified": 1766036507, - "narHash": "sha256-ZFJjJVkWlefIhsJ2vHniBnqqnTCa9qGW3pQOXUU4X1I=", + "lastModified": 1769046854, + "narHash": "sha256-xxEha3Qoe4KQNniPCmg7T44bxbsSKazbttqEy2aqPI0=", "ref": "refs/heads/master", - "rev": "fca1bd9d8f4d7e345b373f69c9d2b40d9fa33f59", - "revCount": 952, + "rev": "eebf3541735e5a2a46ab02ce4ccb76f56d61693b", + "revCount": 1155, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" }, @@ -1258,11 +1258,11 @@ }, "locked": { "dir": "flakes/secrets", - "lastModified": 1766036507, - "narHash": "sha256-ZFJjJVkWlefIhsJ2vHniBnqqnTCa9qGW3pQOXUU4X1I=", + "lastModified": 1769046854, + "narHash": "sha256-xxEha3Qoe4KQNniPCmg7T44bxbsSKazbttqEy2aqPI0=", "ref": "refs/heads/master", - "rev": "fca1bd9d8f4d7e345b373f69c9d2b40d9fa33f59", - "revCount": 952, + "rev": "eebf3541735e5a2a46ab02ce4ccb76f56d61693b", + "revCount": 1155, "type": "git", "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles" }, diff --git a/hosts/oracle/o001/nginx.nix b/hosts/oracle/o001/nginx.nix index fc44d9af..1931f312 100644 --- a/hosts/oracle/o001/nginx.nix +++ b/hosts/oracle/o001/nginx.nix @@ -35,6 +35,11 @@ in recommendedProxySettings = true; recommendedTlsSettings = true; clientMaxBodySize = "500m"; + commonHttpConfig = '' + log_format noauth '$remote_addr - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"'; + ''; virtualHosts = let tailnetConfig = { @@ -235,6 +240,9 @@ in "llm.joshuabell.xyz" = { enableACME = true; forceSSL = true; + extraConfig = '' + access_log /var/log/nginx/llm.access.log noauth; + ''; locations."/" = { proxyWebsockets = true; proxyPass = "http://100.64.0.13:8095"; 
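Review bot: The `noauth` log_format added in the commonHttpConfig hunk is field-for-field nginx's predefined `combined` format, and nothing records that its exact layout is what the fail2ban filter added later in this patch parses; a comment above `log_format noauth` should pin that coupling, e.g. `# Same fields as the built-in "combined" format; kept as a named format so the fail2ban nginx-llm-auth filter can rely on this exact layout.` The `access_log /var/log/nginx/llm.access.log noauth;` line in the llm.joshuabell.xyz hunk deserves a matching one-liner naming the fail2ban jail that consumes the file, since a change to either the format or the path would silently stop bans. Both hunks sit inside the `services.nginx` attribute set, which begins and ends outside them. Note also that `$request` records the full request line including any query string, so credentials passed as query parameters would be written to this log; worth confirming the upstream on 100.64.0.13:8095 does not accept them that way.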
@@ -263,6 +271,34 @@ in ''; }; + services.fail2ban = { + enable = true; + maxretry = 5; + bantime = "1h"; + bantime-increment = { + enable = true; + maxtime = "168h"; + factor = "4"; + }; + jails = { + nginx-llm-auth.settings = { + enabled = true; + filter = "nginx-llm-auth"; + backend = "polling"; + logpath = "/var/log/nginx/llm.access.log"; + maxretry = 5; + findtime = "10m"; + bantime = "1h"; + }; + }; + }; + + environment.etc."fail2ban/filter.d/nginx-llm-auth.conf".text = '' + [Definition] + failregex = ^ .* "(GET|POST|PUT|DELETE|PATCH|OPTIONS) .* HTTP/[0-9.]+" 401 + ignoreregex = + ''; + # NOTE Oracle also has security rules that must expose these ports so this alone will not work! See readme networking.firewall.allowedTCPPorts = [ 80 # web http
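Review bot: The `failregex` in the new nginx-llm-auth filter contains no `<HOST>` capture group, so fail2ban has no address to ban; in current fail2ban a failregex without a failure-id group is rejected when the filter loads, so I would expect this jail to error out rather than ever ban anyone. The leading `^ ` also looks wrong for an access-log line, which starts with the client address rather than a space, and the two unbounded `.*` make the pattern needlessly slow on long request lines. Something like `failregex = ^<HOST> - \S+ \[\] "(GET|POST|PUT|DELETE|PATCH|OPTIONS) [^"]* HTTP/[0-9.]+" 401 ` (the empty `\[\]` stands where fail2ban removes the `$time_local` field, as in the stock nginx-botsearch filter) should be checked against real log lines with `fail2ban-regex /var/log/nginx/llm.access.log /etc/fail2ban/filter.d/nginx-llm-auth.conf` before the jail is relied on. The surrounding module attribute set starts and ends outside this hunk.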