diff --git a/heimserver/configuration.nix b/heimserver/configuration.nix
index 7a32556..e9a43fb 100644
--- a/heimserver/configuration.nix
+++ b/heimserver/configuration.nix
@@ -35,13 +35,11 @@ boot.supportedFilesystems = [ "zfs" ]; boot.zfs.forceImportRoot = false; - hardware.graphics.enable = true; - hardware.nvidia.open = true; + hardware.nvidia.open = true; hardware.nvidia-container-toolkit.enable = true; services.xserver.videoDrivers = [ "nvidia" ]; - # Console and locale console = { font = "Lat2-Terminus16";
@@ -82,7 +80,6 @@ 2055 # ntopng sink
 8182 # ntopng frontend
 8183 # adguardhome frontend
- 9000
 ];
 firewall.allowedUDPPorts = [
 53
@@ -145,8 +142,7 @@ #services.resolved.enable = true; - services.fail2ban.enable = true; - + services.nginx = { enable = true; recommendedTlsSettings = true;
@@ -240,7 +236,6 @@ # ${lib.getExe cfg.package} admin user create --admin --email "root@localhost" --username crazychaoz --password temp123 || true # ''; - # services.borgbackup.jobs."forgejo" = { # paths = config.services.forgejo.repositoryRoot; # repo = "/backup/forgejo"; 
@@ -269,6 +264,60 @@ }; };
+
+ services.fail2ban = {
+ enable = true;
+
+ # Common global settings
+ maxretry = 3;
+ bantime = "48h";
+
+ jails = {
+ "immich-web-auth" = {
+ settings = {
+ enabled = true;
+ filter = "immich";
+ backend = "systemd"; # Crucial: Reads from journalctl
+ # Optimizes performance by only looking at logs with this identifier
+ # Based on your log: "heimserver immich[...]" -> identifier is "immich"
+ journalmatch = "_SYSTEMD_UNIT=immich-server.service + SYSLOG_IDENTIFIER=immich";
+ action = "iptables-allports";
+ maxretry = 2;
+ findtime = 600;
+ };
+ };
+ "forgejo-auth" = {
+ settings = {
+ enabled = true;
+ filter = "forgejo";
+ backend = "systemd"; # Crucial: Reads from journalctl
+ # Optimizes performance by only looking at logs with this identifier
+ # Based on your log: "heimserver immich[...]" -> identifier is "immich"
+ journalmatch = "_SYSTEMD_UNIT=forgejo.service + SYSLOG_IDENTIFIER=forgejo";
+ action = "iptables-allports";
+ maxretry = 2;
+ findtime = 600;
+ };
+ };
+ };
+ };
+
+ environment.etc."fail2ban/filter.d/immich.local".text = ''
+ [Definition]
+ # Matches: ... Failed login attempt for user ... from ip address
+ # The macro automatically grabs the IP at the end
+ failregex = immich.*Failed login attempt for user .* from ip address
+
+ ignoreregex =
+ '';
+ environment.etc."fail2ban/filter.d/forgejo.local".text = ''
+ [Definition]
+ # Matches: ... Failed login attempt for user ... from ip address
+ # The macro automatically grabs the IP at the end
+ failregex = forgejo.*Failed authentication attempt from :.*
+
+ ignoreregex =
+ '';
 # Virtualisation
 virtualisation = {
@@ -360,8 +409,6 @@ "0.0.0.0:8181"
 "-z"
 "tcp://127.0.0.1:5556"
- "--log-level"
- "debug"
 "--tlv"
 ];
 extraOptions = [
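Review bot: Neither failregex in the two new filter files contains a `<HOST>` (or `<ADDR>`) failure-id group, which fail2ban needs to know which address to ban — there is no macro that picks up the IP automatically, so the "The macro automatically grabs the IP at the end" comments are misleading and fail2ban refuses to load a filter without such a group. The forgejo pattern reads `from :.*`, which looks like an angle-bracket tag stripped during rendering, so confirm that the files on disk actually read `failregex = immich.*Failed login attempt for user .* from ip address <HOST>` and `failregex = forgejo.*Failed authentication attempt from <HOST>:.*`. Both services sit behind the nginx instance this configuration enables; if either application logs the proxy's address instead of the client's, these jails combined with `iptables-allports` would ban the proxy itself, so verify the logged address is the real client before relying on them. In journalctl match syntax the `+` inside each `journalmatch` is a disjunction, so the jail reads the unit's entries OR any entry with that SYSLOG_IDENTIFIER, which is broader than the "only looking at logs with this identifier" comment suggests; a space gives the conjunction, `journalmatch = "_SYSTEMD_UNIT=forgejo.service SYSLOG_IDENTIFIER=forgejo";`. The forgejo jail's comment was copied from the immich jail and still says `"heimserver immich[...]" -> identifier is "immich"`; it should read `# Based on your log: "heimserver forgejo[...]" -> identifier is "forgejo"`.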
@@ -404,9 +451,14 @@ port = 8183; };
- nixpkgs.config.allowUnfree = true;
+ nixpkgs.overlays = [
+ (final: prev: {
+ onnxruntime = prev.onnxruntime.override { cudaSupport = true; };
+ })
+ ];
+ # Nix settings nix.settings.experimental-features = [ "nix-command"