fail2ban: ignoreip from local network

update
xmrig: 12 threads
2026-01-27 18:51:08 -05:00 · 2026-01-26 23:09:22 -05:00 · 2026-01-26 17:51:16 -05:00 · 2026-01-26 14:25:25 -05:00 · 2026-01-26 14:15:27 -05:00
5 changed files with 97 additions and 27 deletions
--- a/configuration.nix
+++ b/configuration.nix
@@ -39,6 +39,7 @@
    ./services/bitwarden.nix

    ./services/monero.nix
+    ./services/xmrig.nix

    # KEEP UNTIL 2028
    ./services/caddy_senior_project.nix
--- a/flake.lock
+++ b/flake.lock
@@ -27,11 +27,11 @@
    },
    "crane": {
      "locked": {
-        "lastModified": 1767744144,
-        "narHash": "sha256-9/9ntI0D+HbN4G0TrK3KmHbTvwgswz7p8IEJsWyef8Q=",
+        "lastModified": 1769287525,
+        "narHash": "sha256-gABuYA6BzoRMLuPaeO5p7SLrpd4qExgkwEmYaYQY4bM=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "2fb033290bf6b23f226d4c8b32f7f7a16b043d7e",
+        "rev": "0314e365877a85c9e5758f9ea77a9972afbb4c21",
        "type": "github"
      },
      "original": {
@@ -261,11 +261,11 @@
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1769175598,
-        "narHash": "sha256-xGlAdk2c1mVxOTMzzCYHDYuXaBMoH1BTr2nJOGkY/SQ=",
+        "lastModified": 1769417433,
+        "narHash": "sha256-0WZ7I/N9InaBHL96/qdiJxg8mqFW3vRla8Z062JmQFE=",
        "owner": "nix-community",
        "repo": "lanzaboote",
-        "rev": "1bea6e953d06da77729edd0004291ced527bcb4a",
+        "rev": "1902463415745b992dbaf301b2a35a1277be1584",
        "type": "github"
      },
      "original": {
@@ -298,11 +298,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1769086393,
-        "narHash": "sha256-3ymIZ8s3+hu7sDl/Y48o6bwMxorfKrmn97KuWiw1vjY=",
+        "lastModified": 1769302137,
+        "narHash": "sha256-QEDtctEkOsbx8nlFh4yqPEOtr4tif6KTqWwJ37IM2ds=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "9f7ba891ea5fc3ededd7804f1a23fafadbcb26ca",
+        "rev": "a351494b0e35fd7c0b7a1aae82f0afddf4907aa8",
        "type": "github"
      },
      "original": {
@@ -314,11 +314,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1769089682,
-        "narHash": "sha256-9yA/LIuAVQq0lXelrZPjLuLVuZdm03p8tfmHhnDIkms=",
+        "lastModified": 1769318308,
+        "narHash": "sha256-Mjx6p96Pkefks3+aA+72lu1xVehb6mv2yTUUqmSet6Q=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "078d69f03934859a181e81ba987c2bb033eebfc5",
+        "rev": "1cd347bf3355fce6c64ab37d3967b4a2cb4b878c",
        "type": "github"
      },
      "original": {
@@ -354,11 +354,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1767281941,
-        "narHash": "sha256-6MkqajPICgugsuZ92OMoQcgSHnD6sJHwk8AxvMcIgTE=",
+        "lastModified": 1769069492,
+        "narHash": "sha256-Efs3VUPelRduf3PpfPP2ovEB4CXT7vHf8W+xc49RL/U=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "f0927703b7b1c8d97511c4116eb9b4ec6645a0fa",
+        "rev": "a1ef738813b15cf8ec759bdff5761b027e3e1d23",
        "type": "github"
      },
      "original": {
@@ -394,11 +394,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1768272338,
-        "narHash": "sha256-Tg/kL8eKMpZtceDvBDQYU8zowgpr7ucFRnpP/AtfuRM=",
+        "lastModified": 1769309768,
+        "narHash": "sha256-AbOIlNO+JoqRJkK1VrnDXhxuX6CrdtIu2hSuy4pxi3g=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "03dda130a8701b08b0347fcaf850a190c53a3c1e",
+        "rev": "140c9dc582cb73ada2d63a2180524fcaa744fad5",
        "type": "github"
      },
      "original": {
@@ -431,11 +431,11 @@
    "senior_project-website": {
      "flake": false,
      "locked": {
-        "lastModified": 1768253064,
-        "narHash": "sha256-Lp3k2BhOWo7bYRcGuV0ltgVYr+0+1QCcpuB7kK4pvOE=",
+        "lastModified": 1769471280,
+        "narHash": "sha256-6BADVRSHHwO3NcAua44hagAJTqPNDxEhPjBMehURiHQ=",
        "owner": "Titaniumtown",
        "repo": "senior-project-website",
-        "rev": "f86a1c80c58d1c292b4673e28e892de13fb78a25",
+        "rev": "d6f443ede6c90a049085b4598e438849e19e74f4",
        "type": "github"
      },
      "original": {
@@ -451,11 +451,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1769046412,
-        "narHash": "sha256-LbjKkSB4Nar9pX+AxHs2FGH2ZAFpKWUvr79uyEhFVqc=",
+        "lastModified": 1769398903,
+        "narHash": "sha256-/+blNRtYT7yGRa73cMNdSe4okAUXewxyTkTaIqXCVKE=",
        "owner": "nix-community",
        "repo": "srvos",
-        "rev": "a78abbc16a5352ee848e454c99166c97415fbf39",
+        "rev": "7f3bc435bdcb4856dacc06ca924ee7dad21f3917",
        "type": "github"
      },
      "original": {
@@ -527,11 +527,11 @@
    "trackerlist": {
      "flake": false,
      "locked": {
-        "lastModified": 1769123324,
-        "narHash": "sha256-g40TfMs546p8m16XSwN0xE87hV92/mOkSWDkXvTPlvo=",
+        "lastModified": 1769468910,
+        "narHash": "sha256-vBkmeymF2QhjFgg2EM6iSer9BBEfSucUNG09iRZ1Vp0=",
        "owner": "ngosang",
        "repo": "trackerslist",
-        "rev": "7b512a6935fa5b1cd93bf990887c082512249f01",
+        "rev": "a3f5b299d0e1623652652d58c4d9836e2c4ac1e8",
        "type": "github"
      },
      "original": {
--- a/secrets/xmrig-wallet
+++ b/secrets/xmrig-wallet
--- a/services/caddy.nix
+++ b/services/caddy.nix
@@ -89,6 +89,12 @@ in
      port = "http,https";
      logpath = "/var/log/caddy/access-*.log";
      # defaults: maxretry=5, findtime=10m, bantime=10m
+
+      # Ignore local network IPs - NAT hairpinning causes all LAN traffic to
+      # appear from the router IP (192.168.1.1). Banning it blocks all internal access.
+      # Browser subrequests for static assets (favicon.ico, etc.) without Authorization
+      # headers cause 401s that quickly trigger the ban threshold.
+      ignoreip = "127.0.0.1/8 ::1 192.168.1.0/24";
    };
    filter.Definition = {
      # Match Caddy JSON logs with 401 Unauthorized status (failed basic auth)
--- a/services/xmrig.nix
+++ b/services/xmrig.nix
@@ -0,0 +1,63 @@
+{
+  config,
+  lib,
+  pkgs,
+  hostname,
+  ...
+}:
+let
+  walletAddress = lib.strings.trim (builtins.readFile ../secrets/xmrig-wallet);
+  threadCount = 12;
+in
+{
+  services.xmrig = {
+    enable = true;
+    package = pkgs.xmrig;
+
+    settings = {
+      autosave = true;
+
+      cpu = {
+        enabled = true;
+        huge-pages = true;
+        hw-aes = true;
+        rx = lib.range 0 (threadCount - 1);
+      };
+
+      randomx = {
+        "1gb-pages" = true;
+      };
+
+      opencl = false;
+      cuda = false;
+
+      pools = [
+        {
+          url = "gulf.moneroocean.stream:20128";
+          user = walletAddress;
+          pass = hostname + "~rx/0";
+          keepalive = true;
+          tls = true;
+        }
+      ];
+    };
+  };
+
+  systemd.services.xmrig.serviceConfig = {
+    Nice = 19;
+    CPUSchedulingPolicy = "idle";
+    IOSchedulingClass = "idle";
+  };
+
+  # Stop mining on UPS battery to conserve power
+  services.apcupsd.hooks = lib.mkIf config.services.apcupsd.enable {
+    onbattery = "systemctl stop xmrig";
+    offbattery = "systemctl start xmrig";
+  };
+
+  # Reserve 1GB huge pages for RandomX (dataset is ~2GB)
+  boot.kernelParams = [
+    "hugepagesz=1G"
+    "hugepages=3"
+  ];
+}
Author	SHA1	Message	Date
Simon Gardling	a61fedb015	fail2ban: ignoreip from local network	2026-01-27 18:51:08 -05:00
Simon Gardling	2183ea8363	update	2026-01-26 23:09:22 -05:00
Simon Gardling	27ffe38ed3	xmrig: 12 threads	2026-01-26 17:51:16 -05:00
Simon Gardling	a0e6b8428e	xmrig: 1gb pages	2026-01-26 14:25:25 -05:00
Simon Gardling	0b01fc3f28	xmrig	2026-01-26 14:15:27 -05:00