nixos-config/features/network/fail2ban.nix

{ config, lib, pkgs, ... }:
with lib;
{
  options.features.network.fail2ban.enable = mkOption {
    type = lib.types.bool;
    default = false;
  };

  config = mkMerge [
    (mkIf config.features.network.fail2ban.enable {
      environment.systemPackages = [ pkgs.fail2ban ];
      services.fail2ban = {
        enable = true;
        #package = pkgs.legacy_2311.fail2ban;
        jails = { };
      };
    })

    # custom defined jails
    # --------------------
    # https://github.com/fail2ban/fail2ban/blob/master/config/jail.conf
    (mkIf config.features.network.fail2ban.enable {
      services.fail2ban.jails.nginx-git-not-found.settings = {
        port = "http,https";
        logpath = "%(nginx_error_log)s";
      };
      environment.etc = {
        # Defines a filter that detects URL probing by reading the Nginx access log
        "fail2ban/filter.d/nginx-git-not-found.local".text = ''
          [Definition]
          failregex = src_addr="<HOST>".*response_statu="404".*host="git\.ingolf-wagner\.de"
          journalmatch = _SYSTEMD_UNIT=nginx.service
        '';
      };
    })
    (mkIf config.features.network.fail2ban.enable {
      services.fail2ban.jails.nginx-git-bad-request.settings = {
        port = "http,https";
        logpath = "%(nginx_error_log)s";
      };
      environment.etc = {
        # Defines a filter that detects URL probing by reading the Nginx access log
        "fail2ban/filter.d/nginx-git-bad-request.local".text = ''
          [Definition]
          failregex = src_addr="<HOST>".*response_statu="400".*host="git\.ingolf-wagner\.de"
          journalmatch = _SYSTEMD_UNIT=nginx.service
        '';
      };
    })

  ];

}
enable fail2ban instead of sshguard 2024-06-15 01:17:53 +02:00			`{ config, lib, pkgs, ... }:`
			`with lib;`
			`{`
fixing fail2ban and set up ssh + tor on chungus 2024-08-08 19:25:19 +02:00			`options.features.network.fail2ban.enable = mkOption {`
enable fail2ban instead of sshguard 2024-06-15 01:17:53 +02:00			`type = lib.types.bool;`
			`default = false;`
			`};`

add git.ingolf-wagner.de errors 2024-06-15 23:52:21 +02:00			`config = mkMerge [`
fixing fail2ban and set up ssh + tor on chungus 2024-08-08 19:25:19 +02:00			`(mkIf config.features.network.fail2ban.enable {`
			`environment.systemPackages = [ pkgs.fail2ban ];`
add git.ingolf-wagner.de errors 2024-06-15 23:52:21 +02:00			`services.fail2ban = {`
			`enable = true;`
fiddeling around with fail2ban and unlock via ssh 2024-08-02 23:40:57 +02:00			`#package = pkgs.legacy_2311.fail2ban;`
add git.ingolf-wagner.de errors 2024-06-15 23:52:21 +02:00			`jails = { };`
			`};`
			`})`
enable fail2ban instead of sshguard 2024-06-15 01:17:53 +02:00
add git.ingolf-wagner.de errors 2024-06-15 23:52:21 +02:00			`# custom defined jails`
			`# --------------------`
			`# https://github.com/fail2ban/fail2ban/blob/master/config/jail.conf`
fixing fail2ban and set up ssh + tor on chungus 2024-08-08 19:25:19 +02:00			`(mkIf config.features.network.fail2ban.enable {`
add moar fail2ban rules 2024-06-16 00:13:07 +02:00			`services.fail2ban.jails.nginx-git-not-found.settings = {`
add git.ingolf-wagner.de errors 2024-06-15 23:52:21 +02:00			`port = "http,https";`
			`logpath = "%(nginx_error_log)s";`
			`};`
			`environment.etc = {`
			`# Defines a filter that detects URL probing by reading the Nginx access log`
add moar fail2ban rules 2024-06-16 00:13:07 +02:00			`"fail2ban/filter.d/nginx-git-not-found.local".text = ''`
add git.ingolf-wagner.de errors 2024-06-15 23:52:21 +02:00			`[Definition]`
			`failregex = src_addr="<HOST>".response_statu="404".host="git\.ingolf-wagner\.de"`
update fail2ban 2024-06-16 00:20:45 +02:00			`journalmatch = _SYSTEMD_UNIT=nginx.service`
add git.ingolf-wagner.de errors 2024-06-15 23:52:21 +02:00			`'';`
enable fail2ban instead of sshguard 2024-06-15 01:17:53 +02:00			`};`
add git.ingolf-wagner.de errors 2024-06-15 23:52:21 +02:00			`})`
fixing fail2ban and set up ssh + tor on chungus 2024-08-08 19:25:19 +02:00			`(mkIf config.features.network.fail2ban.enable {`
add moar fail2ban rules 2024-06-16 00:13:07 +02:00			`services.fail2ban.jails.nginx-git-bad-request.settings = {`
			`port = "http,https";`
			`logpath = "%(nginx_error_log)s";`
			`};`
			`environment.etc = {`
			`# Defines a filter that detects URL probing by reading the Nginx access log`
			`"fail2ban/filter.d/nginx-git-bad-request.local".text = ''`
			`[Definition]`
			`failregex = src_addr="<HOST>".response_statu="400".host="git\.ingolf-wagner\.de"`
update fail2ban 2024-06-16 00:20:45 +02:00			`journalmatch = _SYSTEMD_UNIT=nginx.service`
add moar fail2ban rules 2024-06-16 00:13:07 +02:00			`'';`
			`};`
			`})`
add git.ingolf-wagner.de errors 2024-06-15 23:52:21 +02:00
			`];`
enable fail2ban instead of sshguard 2024-06-15 01:17:53 +02:00
			`}`