diff --git a/components/network/fail2ban.nix b/components/network/fail2ban.nix
index 0b4b671..aa2231f 100644
--- a/components/network/fail2ban.nix
+++ b/components/network/fail2ban.nix
@@ -6,26 +6,33 @@ with lib;
 default = false;
 };
- config = mkIf (config.components.network.fail2ban.enable) {
-
- environment.systemPackages = [ pkgs.fail2ban ];
-
- services.fail2ban = {
- enable = true;
- # https://github.com/fail2ban/fail2ban/blob/master/config/jail.conf
- jails = {
- # fixme: can't use, because I changed the nginx log format
- #nginx-bad-request.settings = {
- # port = "http,https";
- # logpath = "%(nginx_error_log)s";
- #};
- # fixme: can't use, because I changed the nginx log format
- #nginx-botsearch.settings = {
- # port = "http,https";
- # logpath = "%(nginx_error_log)s";
- #};
+ config = mkMerge [
+ (mkIf config.components.network.fail2ban.enable {
+ environment.systemPackages = [ pkgs.fail2ban pkgs.ipset ];
+ services.fail2ban = {
+ enable = true;
+ jails = { };
 };
- };
+ })
+
+ # custom defined jails
+ # --------------------
+ # https://github.com/fail2ban/fail2ban/blob/master/config/jail.conf
+ (mkIf config.components.network.fail2ban.enable {
+ services.fail2ban.jails.nginx-git-ingolf-wagner-de.settings = {
+ port = "http,https";
+ logpath = "%(nginx_error_log)s";
+ };
+ environment.etc = {
+ # Defines a filter that detects URL probing by reading the Nginx access log
+ "fail2ban/filter.d/nginx-git-ingolf-wagner-de.local".text = ''
+ [Definition]
+ failregex = src_addr="".*response_statu="404".*host="git\.ingolf-wagner\.de"
+ journalmatch = _SYSTEMD_UNIT=nginx.service
+ _COMM=nginx
+ '';
+ };
+ })
+
+ ];
- };
 }
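Review bot: The new failregex in the nginx-git-ingolf-wagner-de filter has no `<HOST>` capture group, so fail2ban has no address to extract for banning and will reject the filter when the jail starts, and as written `src_addr=""` only ever matches an empty source field. Assuming src_addr carries the client address in the custom log format, the line should read `failregex = src_addr="<HOST>".*response_statu="404".*host="git\.ingolf-wagner\.de"`, and `response_statu` looks like a truncation of `response_status` that is worth checking against the actual format. The jail still sets `logpath = "%(nginx_error_log)s"` while the comment and the filter's `journalmatch` describe nginx's access output read from the journal, so whichever backend is in effect, one of the two sources is dead configuration; the comment `# Defines a filter that detects URL probing by reading the Nginx access log` should name the source actually used. The trailing `_COMM=nginx` line sits on its own under journalmatch; if it is meant as a second match term, fail2ban expects `journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx` on one line rather than a bare continuation. The option declaration this config belongs to starts above the hunk.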