enable fail2ban instead of sshguard

This commit is contained in:
Ingolf Wagner 2024-06-15 01:17:53 +02:00
parent 03b6ee17c2
commit 470c8d32c7
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B
3 changed files with 35 additions and 0 deletions


@ -11,6 +11,7 @@ with types;
imports = [
#./avahi.nix
./fail2ban.nix
./hosts.nix
./nginx.nix
./sshd


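--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,31 @@
+{ config, lib, pkgs, ... }:
+with lib;
+{
+options.components.network.fail2ban.enable = mkOption {
+type = lib.types.bool;
+default = false;
+};
+config = mkIf (config.components.network.fail2ban.enable) {
+environment.systemPackages = [ pkgs.fail2ban ];
+services.fail2ban = {
+enable = true;
+# https://github.com/fail2ban/fail2ban/blob/master/config/jail.conf
+jails = {
+# fixme: can't use, because I changed the nginx log format
+#nginx-bad-request.settings = {
+# port = "http,https";
+# logpath = "%(nginx_error_log)s";
+#};
+# fixme: can't use, because I changed the nginx log format
+#nginx-botsearch.settings = {
+# port = "http,https";
+# logpath = "%(nginx_error_log)s";
+#};
+};
+};
+};
+}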
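Review bot: The option at the top of the new module spells out `type = lib.types.bool` and `default = false` by hand with no `description`, even though the file already opens with `with lib;`; `options.components.network.fail2ban.enable = mkEnableOption "fail2ban";` gives the same type and default plus documentation in one line. Nothing in this module prevents it and the sshguard component from being enabled together (the third file turns `components.network.sshd.sshguard.enable` off by hand), so an `assertions` entry inside the `config` block requiring `!config.components.network.sshd.sshguard.enable` would make the replacement explicit, assuming that option path is declared in the sshd module. The `jails` set is effectively empty because both entries are commented out, so the service runs only with whatever jails the NixOS module enables on its own; a comment such as `# only the module's default jails are active until the nginx filters are rewritten for the custom log format` would make that intent clear to the next reader.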


@ -41,6 +41,9 @@
components.network.nginx.landingpage.enable = false;
components.network.wifi.enable = false;
components.network.fail2ban.enable = true; # fixme: not really working at the moment
components.network.sshd.sshguard.enable = false;
components.monitor.enable = true;
networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ];
networking.firewall.interfaces.wg0.allowedUDPPorts = [ 4317 ];
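Review bot: The line setting `components.network.fail2ban.enable = true` carries a `# fixme: not really working at the moment` comment while the next line disables `components.network.sshd.sshguard.enable`, so if both lines are among this hunk's three additions (the rendered hunk does not mark which lines are new) the host trades a working sshd brute-force guard for one the author says is not working yet. Either keep sshguard enabled until fail2ban is confirmed to ban, or record the check in the comment, e.g. `# fixme: verify bans with fail2ban-client status sshd before relying on this`. The enclosing attribute set starts and ends outside the hunk.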