Configure fail2ban jails and add CUDA overlay for onnx (for immich ml)

Add detailed fail2ban configuration: global settings, immich and
forgejo jails with systemd backend, journalmatch identifiers and
local filter definitions.
Remove standalone services.fail2ban.enable and eliminate unused
TCP port 9000 plus a debug log-level flag in netflow2ng. Add nixpkgs
overlay to
build onnxruntime with cudaSupport.

heimserver/configuration.nix

@@ -35,13 +35,11 @@
   boot.supportedFilesystems = [ "zfs" ];
   boot.zfs.forceImportRoot = false;
 
-
   hardware.graphics.enable = true;
   hardware.nvidia.open = true;
   hardware.nvidia-container-toolkit.enable = true;
   services.xserver.videoDrivers = [ "nvidia" ];
 
-
   # Console and locale
   console = {
     font = "Lat2-Terminus16";
@@ -82,7 +80,6 @@
       2055 # ntopng sink
       8182 # ntopng frontend
       8183 # adguardhome frontend
-      9000
     ];
     firewall.allowedUDPPorts = [
       53
@@ -145,7 +142,6 @@
 
   #services.resolved.enable = true;
 
-  services.fail2ban.enable = true;
   
   services.nginx = {
     enable = true;
@@ -240,7 +236,6 @@
   #     ${lib.getExe cfg.package} admin user create --admin --email "root@localhost" --username crazychaoz --password temp123 || true
   #     '';
 
-
   # services.borgbackup.jobs."forgejo" = {
   #   paths = config.services.forgejo.repositoryRoot;
   #   repo = "/backup/forgejo";
@@ -270,6 +265,60 @@
   };
 
   
+  services.fail2ban = {
+    enable = true;
+
+    # Common global settings
+    maxretry = 3;
+    bantime = "48h";
+
+    jails = {
+      "immich-web-auth" = {
+        settings = {
+          enabled = true;
+          filter = "immich";
+          backend = "systemd"; # Crucial: Reads from journalctl
+          # Optimizes performance by only looking at logs with this identifier
+          # Based on your log: "heimserver immich[...]" -> identifier is "immich"
+          journalmatch = "_SYSTEMD_UNIT=immich-server.service + SYSLOG_IDENTIFIER=immich";
+          action = "iptables-allports";
+          maxretry = 2;
+          findtime = 600;
+        };
+      };
+      "forgejo-auth" = {
+        settings = {
+          enabled = true;
+          filter = "forgejo";
+          backend = "systemd"; # Crucial: Reads from journalctl
+          # Optimizes performance by only looking at logs with this identifier
+          # Based on your log: "heimserver immich[...]" -> identifier is "immich"
+          journalmatch = "_SYSTEMD_UNIT=forgejo.service + SYSLOG_IDENTIFIER=forgejo";
+          action = "iptables-allports";
+          maxretry = 2;
+          findtime = 600;
+        };
+      };
+    };
+  };
+  
+  environment.etc."fail2ban/filter.d/immich.local".text = ''
+    [Definition]
+    # Matches: ... Failed login attempt for user ... from ip address <HOST>
+    # The <HOST> macro automatically grabs the IP at the end
+    failregex = immich.*Failed login attempt for user .* from ip address <HOST>
+
+    ignoreregex =
+  '';
+  environment.etc."fail2ban/filter.d/forgejo.local".text = ''
+    [Definition]
+    # Matches: ... Failed login attempt for user ... from ip address <HOST>
+    # The <HOST> macro automatically grabs the IP at the end
+    failregex = forgejo.*Failed authentication attempt from <HOST>:.*
+
+    ignoreregex =
+  '';
+
   # Virtualisation
   virtualisation = {
     containers.enable = true;
@@ -360,8 +409,6 @@
         "0.0.0.0:8181"
         "-z"
         "tcp://127.0.0.1:5556"
-        "--log-level"
-        "debug"
         "--tlv"
       ];
       extraOptions = [
@@ -404,9 +451,14 @@
     port = 8183;
   };
 
-
   nixpkgs.config.allowUnfree = true;
 
+  nixpkgs.overlays = [
+    (final: prev: {
+      onnxruntime = prev.onnxruntime.override { cudaSupport = true; };
+    })
+  ];
+
   # Nix settings
   nix.settings.experimental-features = [
     "nix-command"