Merge branch 'main' into attachments

docs/config.md

@@ -345,6 +345,7 @@ to maintain the client connection and the connection to ntfy.
       worker_connections 40500;
     }
     ```
+
 === "/etc/systemd/system/nginx.service.d/override.conf"
     ```
     # Allow 40,000 proxy connections (2x of the desired ntfy connection count;
@@ -353,6 +354,50 @@ to maintain the client connection and the connection to ntfy.
     LimitNOFILE=40500
     ```
 
+### Banning bad actors (fail2ban)
+If you put stuff on the Internet, bad actors will try to break them or break in. [fail2ban](https://www.fail2ban.org/)
+and nginx's [ngx_http_limit_req_module module](http://nginx.org/en/docs/http/ngx_http_limit_req_module.html) can be used
+to ban client IPs if they misbehave. This is on top of the [rate limiting](#rate-limiting) inside the ntfy server.
+
+Here's an example for how ntfy.sh is configured, following the instructions from two tutorials ([here](https://easyengine.io/tutorials/nginx/fail2ban/) 
+and [here](https://easyengine.io/tutorials/nginx/block-wp-login-php-bruteforce-attack/)):
+
+=== "/etc/nginx/nginx.conf"
+    ```
+    http {
+	  limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
+    }
+    ```
+
+=== "/etc/nginx/sites-enabled/ntfy.sh"
+    ```
+    # For each server/location block
+    server {
+      location / {
+        limit_req zone=one burst=1000 nodelay;
+      }
+    }    
+    ```
+
+=== "/etc/fail2ban/filter.d/nginx-req-limit.conf"
+    ```
+    [Definition]
+    failregex = limiting requests, excess:.* by zone.*client: <HOST>
+    ignoreregex =
+    ```
+
+=== "/etc/fail2ban/jail.local"
+    ```
+    [nginx-req-limit]
+    enabled = true
+    filter = nginx-req-limit
+    action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
+    logpath = /var/log/nginx/error.log
+    findtime = 600
+    bantime = 7200
+    maxretry = 10
+    ```
+
 ## Config options
 Each config option can be set in the config file `/etc/ntfy/server.yml` (e.g. `listen-http: :80`) or as a
 CLI option (e.g. `--listen-http :80`. Here's a list of all available options. Alternatively, you can set an environment

scripts/postinst.sh

@@ -6,7 +6,8 @@ set -e
 #
 # TODO: This is only tested on Debian.
 #
-if [ "$1" = "configure" ] && [ -d /run/systemd/system ]; then
+if [ "$1" = "configure" ] || [ "$1" -ge 1 ]; then
+  if [ -d /run/systemd/system ]; then
     # Create ntfy user/group
     id ntfy >/dev/null 2>&1 || useradd --system --no-create-home ntfy
     chown ntfy.ntfy /var/cache/ntfy
@@ -41,3 +42,4 @@ if [ "$1" = "configure" ] && [ -d /run/systemd/system ]; then
       fi
     fi
   fi
+fi

scripts/postrm.sh

@@ -2,7 +2,7 @@
 set -e
 
 # Delete the config if package is purged
-if [ "$1" = "purge" ]; then
+if [ "$1" = "purge" ] || [ "$1" = "0" ]; then
   id ntfy >/dev/null 2>&1 && userdel ntfy
   rm -f /etc/ntfy/server.yml /etc/ntfy/client.yml
   rmdir /etc/ntfy || true

scripts/preinst.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 set -e
 
-if [ "$1" = "install" ] || [ "$1" = "upgrade" ]; then
+if [ "$1" = "install" ] || [ "$1" = "upgrade" ] || [ "$1" -ge 1 ]; then
   # Migration of old to new config file name
   oldconfigfile="/etc/ntfy/config.yml"
   configfile="/etc/ntfy/server.yml"

scripts/prerm.sh

@@ -2,7 +2,8 @@
 set -e
 
 # Stop systemd service
-if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
+if [ -d /run/systemd/system ]; then
+  if [ "$1" = "remove" ] || [ "$1" = "0" ]; then
     echo "Stopping ntfy.service ..."
     if [ -x /usr/bin/deb-systemd-invoke ]; then
       deb-systemd-invoke stop 'ntfy.service' >/dev/null || true
@@ -10,3 +11,4 @@ if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
       systemctl stop ntfy >/dev/null 2>&1 || true
     fi
   fi
+fi