All good, yea its because I need crowdsec installed on the proxy as well - not just the bouncer - in order to actually send the logs to Opnsense.

I ended up having some weird performance issues so I pulled it all out for now and will revisit another time.

With the bouncer setup, I assume I need to pass in where to look for logs or something for those to be passed into the lapi? I followed this CrowdSec and Nginx Proxy Manager , as far as I can tell everything is connected an running, I have crowdsec running on OpnSense via the plugin - it appears to be healthy as per the CrowdSec Console.

npm  | [nginx       ] nginx: [error] [lua] crowdsec.lua:62: init(): error loading captcha plugin: no recaptcha site key provided, can't use recaptcha       
npm  | [nginx       ] nginx: [error] [lua] ban.lua:37: new(): BAN_TEMPLATE_PATH and REDIRECT_LOCATION variable are empty, will return HTTP 403 for ban decisions
npm  | [nginx       ] nginx: [alert] [lua] crowdsec_openresty.conf:5):11: [Crowdsec] Initialisation done                                                    
npm  | [supervisor  ] starting service 'app'...                                                                                                             
npm  | [app         ] [5/5/2025] [11:26:30 PM] [Global   ] › ℹ  info      Using Sqlite: /data/database.sqlite                                               
npm  | [supervisor  ] all services started.

Cheers, I’ve since discovered that’s is “bouncers” that I want on the endpoints I.e on my Nginx Proxy Manager. I’ll just use the LAPI on the Opnsense box for now I think.

I thought crowdsec does everything fail2ban does in addition to global block lists?

Where did you have it setup? Is your proxy configured to forward the real IP?

Nah, that one conflicts with my IPoAC networks unfortunately :(

I did have that same thought actually, with opening up opnsense to be modified. But I also like the idea of it getting blocked before it even gets into my network, instead if letting it in initially and then blocking afterwards - that’s kinda the whole job of a firewall after all ha ha

Awesome that makes a lot of sense, cheers. So I’ll install the Crowdsec agent on the Nginx Proxy Manager, and potentially also on the servers.

Thanks those links were helpful to get me on the right path. I like that there is a plugin for Opnsense directly and has that central LAPI, because I’d need something similar if I was to use f2b.

ITX is fun to build, but really limits your options and expandability.

For an ITX build make sure you’ve got a CPU with integrated graphics, so you’re not wasting a slot for a GPU. You can also get an internal SATA/RAID card to expand the amount of drives you can have.

I have some alerts like that using Pushover. You can set it to treat high priority alerts like an alarm which bypasses things like do not disturb and silence etc

Oh, that works? That’s some inception level containering right there

That might be a better option really. I might check that out. I kind if wish Proxmox had Docker integration instead of lxc but that’s a different topic.

OK, sweet thanks. I just thought having the media files directly in the ZFS pool (zfs pool > files) instead of ZFS Pool > Qemu img > Files would be smarter

Are you suggesting creating a TrueNAS VM? Wouldn’t that be the same as what I’m doing now with creating an image in the ZFS pool?

Just watched a review. Looks pretty good, they specifically mention Home Assistant as well which is very cool.

Well, the goal would be that its not accessible externally. And I’m OK with providing footage should they request it - that’s just something you have to accept when owning a security system.

Sure, that’s why I put it in quotes. What smart is, is subjective.

I think that’s a reasonable request? An internet connection shouldn’t be necessary.

Sweet. Thanks mate.