updates

modules/services/caddy/default.nix

@@ -0,0 +1,22 @@
+{ ... }:
+let
+  collaboraPort = "9980";
+  nextcloudPort = "9981";
+  jellyfinPort = "";
+in
+{
+  services.caddy = {
+    enable = true;
+    enableReload = true;
+    email = "jalle008@proton.me";
+    user = "nix-apps";
+    group = "jallen-nas";
+    dataDir = "/media/ssd/nix-app-data/caddy";
+
+    virtualHosts."hass.mjallen.dev".extraConfig = ''
+      reverse_proxy http://10.0.1.183:8126
+    '';
+
+
+  };
+}

modules/services/fail2ban/default.nix

@@ -0,0 +1,97 @@
+{ pkgs, ... }:
+{
+  services.fail2ban = {
+    enable = true;
+   # Ban IP after 5 failures
+    maxretry = 5;
+    ignoreIP = [
+      # Whitelist subnet
+      "10.0.1.0/24"
+      # "8.8.8.8" # whitelist a specific IP
+      # "nixos.wiki" # resolve the IP via DNS
+    ];
+    bantime = "24h"; # Ban IPs for one day on the first ban
+    bantime-increment = {
+      enable = true; # Enable increment of bantime after each violation
+      formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+      multipliers = "1 2 4 8 16 32 64";
+      maxtime = "168h"; # Do not ban for more than 1 week
+      overalljails = true; # Calculate the bantime based on all the violations
+    };
+    jails = {
+      apache-nohome-iptables.settings = {
+        # Block an IP address if it accesses a non-existent
+        # home directory more than 5 times in 10 minutes,
+        # since that indicates that it's scanning.
+        filter = "apache-nohome";
+        action = ''iptables-multiport[name=HTTP, port="http,https"]'';
+        logpath = "/var/log/httpd/error_log*";
+        backend = "auto";
+        findtime = 600;
+        bantime  = 600;
+        maxretry = 5;
+      };
+
+      ngnix-url-probe.settings = { 
+        enabled = true;
+        filter = "nginx-url-probe";
+        logpath = "/var/log/nginx/access.log";
+        action = ''%(action_)s[blocktype=DROP]
+                 ntfy'';
+        backend = "auto"; # Do not forget to specify this if your jail uses a log file
+        maxretry = 5; 
+        findtime = 600;
+      };
+
+      nginx-http-auth.settings = {
+        enabled = true;
+        filter = "nginx-http-auth";
+        port = "http,https";
+        logpath = "/var/log/httpd/error_log*";
+      };
+
+      nginx-badbots.settings = {
+        enabled = true;
+        filter = "nginx-badbots";
+        port = "http,https";
+        logpath = "/var/log/nginx/access.log";
+        maxretry = 2;
+      };
+
+      nginx-botsearch.settings = {
+        enabled = true;
+        filter = "nginx-botsearch";
+        port = "http,https";
+        logpath = "/var/log/nginx/access.log";
+      };
+
+      nginx-deny.settings = {
+        enabled = true;
+        filter = "nginx-deny";
+        port = "http,https";
+        logpath = "/var/log/nginx/access.log";
+      };
+
+      nginx-unauthorized.settings = {
+        enabled = true;
+        filter = "nginx-unauthorized";
+        port = "http,https";
+        logpath = "/var/log/nginx/access.log";
+      };
+    };
+  };
+
+  environment.etc = {
+    # Define an action that will trigger a Ntfy push notification upon the issue of every new ban
+    # "fail2ban/action.d/ntfy.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+    #   [Definition]
+    #   norestored = true # Needed to avoid receiving a new notification after every restart
+    #   actionban = curl -H "Title: <ip> has been banned" -d "<name> jail has banned <ip> from accessing $(hostname) after <failures> attempts of hacking the system." https://ntfy.sh/Fail2banNotifications
+    # '');
+    # Defines a filter that detects URL probing by reading the Nginx access log
+    "fail2ban/filter.d/nginx-url-probe.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+      [Definition]
+      failregex = ^<HOST>.*(GET /(wp-|admin|boaform|phpmyadmin|\.env|\.git)|\.(dll|so|cfm|asp)|(\?|&)(=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000|=PHPE9568F36-D428-11d2-A769-00AA001ACF42|=PHPE9568F35-D428-11d2-A769-00AA001ACF42|=PHPE9568F34-D428-11d2-A769-00AA001ACF42)|\\x[0-9a-zA-Z]{2})
+    '');
+  };
+}

modules/services/jellyfin/default.nix

@@ -0,0 +1,17 @@
+{ pkgs, ... }:
+{
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true;
+    user = "nix-apps";
+    group = "jallen-nas";
+    dataDir = "/media/nas/ssd/nix-app-data/jellyfin/data";
+    configDir = "/media/nas/ssd/nix-app-data/jellyfin/config";
+  };
+
+  environment.systemPackages = [
+    pkgs.jellyfin
+    pkgs.jellyfin-web
+    pkgs.jellyfin-ffmpeg
+  ];
+}