Commit 279b18652084

Vincent Demeester <vincent@sbr.pm>
2026-04-13 22:48:17
feat: add home IP push timer on athena
Added systemd timer that resolves the home public IP every 5 minutes and pushes it to carthage for dynamic fail2ban whitelisting via the path unit added earlier.
1 parent 012ee67
systems/athena/extra.nix
@@ -1,4 +1,5 @@
 {
+  pkgs,
   ...
 }:
 {
@@ -10,6 +11,45 @@
 
   networking.firewall.enable = false;
 
+  # Push home public IP to carthage for fail2ban whitelisting
+  # Carthage has a systemd path unit that watches /var/lib/fail2ban/home-ip.txt
+  # and dynamically updates fail2ban ignoreip when it changes.
+  systemd.services.push-home-ip = {
+    description = "Push home public IP to carthage for fail2ban whitelist";
+    serviceConfig = {
+      Type = "oneshot";
+      User = "vincent";
+      Group = "users";
+    };
+    path = with pkgs; [
+      curl
+      openssh
+      coreutils
+    ];
+    script = ''
+      set -euo pipefail
+      IP=$(curl -sf --max-time 10 https://ifconfig.me || curl -sf --max-time 10 https://icanhazip.com || exit 1)
+      IP=$(echo "$IP" | tr -d '[:space:]')
+      if [ -z "$IP" ]; then
+        echo "Failed to get public IP"
+        exit 1
+      fi
+      echo "Home public IP: $IP"
+      echo "$IP" | ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 carthage.vpn "cat > /var/lib/fail2ban/home-ip.txt"
+      echo "Pushed IP to carthage"
+    '';
+  };
+
+  systemd.timers.push-home-ip = {
+    description = "Push home public IP to carthage every 5 minutes";
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnBootSec = "1min";
+      OnUnitActiveSec = "5min";
+      RandomizedDelaySec = "30s";
+    };
+  };
+
   # Age secrets for imapfilter
   age.secrets."icloud-vdemeester-password" = {
     file = ../../secrets/mails/icloud-vdemeester.age;
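Review bot: The value piped into home-ip.txt on the ssh line is whatever the third-party lookup returned, with no check that it is a single IP address, and the commit message says carthage feeds that file straight into fail2ban ignoreip, so an unexpected response (an extra line, a CIDR, an HTML error body) would be whitelisted as-is. A shell-only guard after the `tr` line keeps that decision on this side: `case "$IP" in ""|*[!0-9A-Fa-f.:]*) echo "Unexpected IP lookup result: $IP"; exit 1 ;; esac`. Separately, `-o StrictHostKeyChecking=no` turns off host key verification for the push; `-o StrictHostKeyChecking=accept-new` or a pinned entry in `programs.ssh.knownHosts` keeps the first-connection convenience without accepting a changed key. Note also that the `|| exit 1` inside `$(...)` only exits the subshell, so the `-z` test is the check that actually fires when both lookups fail.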