nixos-config/components/network/fail2ban.nix

{ config, lib, pkgs, ... }:
with lib;
{
  options.components.network.fail2ban.enable = mkOption {
    type = lib.types.bool;
    default = false;
  };

  config = mkMerge [
    (mkIf config.components.network.fail2ban.enable {
      environment.systemPackages = [ pkgs.fail2ban pkgs.ipset ];
      services.fail2ban = {
        enable = true;
        jails = { };
      };
    })

    # custom defined jails
    # --------------------
    # https://github.com/fail2ban/fail2ban/blob/master/config/jail.conf
    (mkIf config.components.network.fail2ban.enable {
      services.fail2ban.jails.nginx-git-not-found.settings = {
        port = "http,https";
        logpath = "%(nginx_error_log)s";
      };
      environment.etc = {
        # Defines a filter that detects URL probing by reading the Nginx access log
        "fail2ban/filter.d/nginx-git-not-found.local".text = ''
          [Definition]
          failregex = src_addr="<HOST>".*response_statu="404".*host="git\.ingolf-wagner\.de"
          journalmatch = _SYSTEMD_UNIT=nginx.service
        '';
      };
    })
    (mkIf config.components.network.fail2ban.enable {
      services.fail2ban.jails.nginx-git-bad-request.settings = {
        port = "http,https";
        logpath = "%(nginx_error_log)s";
      };
      environment.etc = {
        # Defines a filter that detects URL probing by reading the Nginx access log
        "fail2ban/filter.d/nginx-git-bad-request.local".text = ''
          [Definition]
          failregex = src_addr="<HOST>".*response_statu="400".*host="git\.ingolf-wagner\.de"
          journalmatch = _SYSTEMD_UNIT=nginx.service
        '';
      };
    })

  ];

}