Configure fail2ban jails and add CUDA overlay for onnx (for immich ml)

Add detailed fail2ban configuration: global settings, immich and forgejo jails with systemd backend, journalmatch identifiers and local filter definitions. Remove standalone services.fail2ban.enable and eliminate unused TCP port 9000 plus a debug log-level flag in netflow2ng. Add nixpkgs overlay to build onnxruntime with cudaSupport.
2026-01-24 13:17:14 +01:00 · 2026-01-24 13:17:14 +01:00 · 1833e6708d
commit 1833e6708d
parent 53ec023010
1 changed files with 62 additions and 10 deletions
--- a/heimserver/configuration.nix
+++ b/heimserver/configuration.nix
@ -35,13 +35,11 @@
  boot.supportedFilesystems = [ "zfs" ];
  boot.zfs.forceImportRoot = false;

-
  hardware.graphics.enable = true;
  hardware.nvidia.open = true;
  hardware.nvidia-container-toolkit.enable = true;
  services.xserver.videoDrivers = [ "nvidia" ];

-
  # Console and locale
  console = {
    font = "Lat2-Terminus16";
@ -82,7 +80,6 @@
      2055 # ntopng sink
      8182 # ntopng frontend
      8183 # adguardhome frontend
-      9000
    ];
    firewall.allowedUDPPorts = [
      53
@ -145,7 +142,6 @@

  #services.resolved.enable = true;

-  services.fail2ban.enable = true;
  
  services.nginx = {
    enable = true;
@ -240,7 +236,6 @@
  #     ${lib.getExe cfg.package} admin user create --admin --email "root@localhost" --username crazychaoz --password temp123 || true
  #     '';

-
  # services.borgbackup.jobs."forgejo" = {
  #   paths = config.services.forgejo.repositoryRoot;
  #   repo = "/backup/forgejo";
@ -270,6 +265,60 @@
  };

  
+  services.fail2ban = {
+    enable = true;
+
+    # Common global settings
+    maxretry = 3;
+    bantime = "48h";
+
+    jails = {
+      "immich-web-auth" = {
+        settings = {
+          enabled = true;
+          filter = "immich";
+          backend = "systemd"; # Crucial: Reads from journalctl
+          # Optimizes performance by only looking at logs with this identifier
+          # Based on your log: "heimserver immich[...]" -> identifier is "immich"
+          journalmatch = "_SYSTEMD_UNIT=immich-server.service + SYSLOG_IDENTIFIER=immich";
+          action = "iptables-allports";
+          maxretry = 2;
+          findtime = 600;
+        };
+      };
+      "forgejo-auth" = {
+        settings = {
+          enabled = true;
+          filter = "forgejo";
+          backend = "systemd"; # Crucial: Reads from journalctl
+          # Optimizes performance by only looking at logs with this identifier
+          # Based on your log: "heimserver immich[...]" -> identifier is "immich"
+          journalmatch = "_SYSTEMD_UNIT=forgejo.service + SYSLOG_IDENTIFIER=forgejo";
+          action = "iptables-allports";
+          maxretry = 2;
+          findtime = 600;
+        };
+      };
+    };
+  };
+  
+  environment.etc."fail2ban/filter.d/immich.local".text = ''
+    [Definition]
+    # Matches: ... Failed login attempt for user ... from ip address <HOST>
+    # The <HOST> macro automatically grabs the IP at the end
+    failregex = immich.*Failed login attempt for user .* from ip address <HOST>
+
+    ignoreregex =
+  '';
+  environment.etc."fail2ban/filter.d/forgejo.local".text = ''
+    [Definition]
+    # Matches: ... Failed login attempt for user ... from ip address <HOST>
+    # The <HOST> macro automatically grabs the IP at the end
+    failregex = forgejo.*Failed authentication attempt from <HOST>:.*
+
+    ignoreregex =
+  '';
+
  # Virtualisation
  virtualisation = {
    containers.enable = true;
@ -360,8 +409,6 @@
        "0.0.0.0:8181"
        "-z"
        "tcp://127.0.0.1:5556"
-        "--log-level"
-        "debug"
        "--tlv"
      ];
      extraOptions = [
@ -404,9 +451,14 @@
    port = 8183;
  };

-
  nixpkgs.config.allowUnfree = true;

+  nixpkgs.overlays = [
+    (final: prev: {
+      onnxruntime = prev.onnxruntime.override { cudaSupport = true; };
+    })
+  ];
+
  # Nix settings
  nix.settings.experimental-features = [
    "nix-command"