Enable fail2ban and add nginx llm auth logging; update flake.lock

This commit is contained in:
Joshua Bell 2026-01-21 20:10:15 -06:00
parent cf834b9f40
commit 5d8a328921
2 changed files with 51 additions and 15 deletions


@ -31,11 +31,11 @@
},
"locked": {
"dir": "flakes/beszel",
"lastModified": 1766036507,
"narHash": "sha256-ZFJjJVkWlefIhsJ2vHniBnqqnTCa9qGW3pQOXUU4X1I=",
"lastModified": 1769046854,
"narHash": "sha256-xxEha3Qoe4KQNniPCmg7T44bxbsSKazbttqEy2aqPI0=",
"ref": "refs/heads/master",
"rev": "fca1bd9d8f4d7e345b373f69c9d2b40d9fa33f59",
"revCount": 952,
"rev": "eebf3541735e5a2a46ab02ce4ccb76f56d61693b",
"revCount": 1155,
"type": "git",
"url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
},
@ -47,11 +47,11 @@
},
"beszel-nixpkgs": {
"locked": {
"lastModified": 1765472234,
"narHash": "sha256-9VvC20PJPsleGMewwcWYKGzDIyjckEz8uWmT0vCDYK0=",
"lastModified": 1767379071,
"narHash": "sha256-EgE0pxsrW9jp9YFMkHL9JMXxcqi/OoumPJYwf+Okucw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "2fbfb1d73d239d2402a8fe03963e37aab15abe8b",
"rev": "fb7944c166a3b630f177938e478f0378e64ce108",
"type": "github"
},
"original": {
@ -64,11 +64,11 @@
"common": {
"locked": {
"dir": "flakes/common",
"lastModified": 1766036507,
"narHash": "sha256-ZFJjJVkWlefIhsJ2vHniBnqqnTCa9qGW3pQOXUU4X1I=",
"lastModified": 1769046854,
"narHash": "sha256-xxEha3Qoe4KQNniPCmg7T44bxbsSKazbttqEy2aqPI0=",
"ref": "refs/heads/master",
"rev": "fca1bd9d8f4d7e345b373f69c9d2b40d9fa33f59",
"revCount": 952,
"rev": "eebf3541735e5a2a46ab02ce4ccb76f56d61693b",
"revCount": 1155,
"type": "git",
"url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
},
@ -1258,11 +1258,11 @@
},
"locked": {
"dir": "flakes/secrets",
"lastModified": 1766036507,
"narHash": "sha256-ZFJjJVkWlefIhsJ2vHniBnqqnTCa9qGW3pQOXUU4X1I=",
"lastModified": 1769046854,
"narHash": "sha256-xxEha3Qoe4KQNniPCmg7T44bxbsSKazbttqEy2aqPI0=",
"ref": "refs/heads/master",
"rev": "fca1bd9d8f4d7e345b373f69c9d2b40d9fa33f59",
"revCount": 952,
"rev": "eebf3541735e5a2a46ab02ce4ccb76f56d61693b",
"revCount": 1155,
"type": "git",
"url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
},


@ -35,6 +35,11 @@ in
recommendedProxySettings = true;
recommendedTlsSettings = true;
clientMaxBodySize = "500m";
commonHttpConfig = ''
log_format noauth '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
'';
virtualHosts =
let
tailnetConfig = {
@ -235,6 +240,9 @@ in
"llm.joshuabell.xyz" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
access_log /var/log/nginx/llm.access.log noauth;
'';
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://100.64.0.13:8095";
@ -263,6 +271,34 @@ in
'';
};
services.fail2ban = {
enable = true;
maxretry = 5;
bantime = "1h";
bantime-increment = {
enable = true;
maxtime = "168h";
factor = "4";
};
jails = {
nginx-llm-auth.settings = {
enabled = true;
filter = "nginx-llm-auth";
backend = "polling";
logpath = "/var/log/nginx/llm.access.log";
maxretry = 5;
findtime = "10m";
bantime = "1h";
};
};
};
environment.etc."fail2ban/filter.d/nginx-llm-auth.conf".text = ''
[Definition]
failregex = ^<HOST> .* "(GET|POST|PUT|DELETE|PATCH|OPTIONS) .* HTTP/[0-9.]+" 401
ignoreregex =
'';
# NOTE Oracle also has security rules that must expose these ports so this alone will not work! See readme
networking.firewall.allowedTCPPorts = [
80 # web http