add git.ingolf-wagner.de errors

2024-06-15 23:52:21 +02:00 · 2024-06-15 23:52:21 +02:00 · 49b5665f77
commit 49b5665f77
parent 701b55c2fb
1 changed files with 27 additions and 20 deletions
--- a/components/network/fail2ban.nix
+++ b/components/network/fail2ban.nix
@ -6,26 +6,33 @@ with lib;
    default = false;
  };

-  config = mkIf (config.components.network.fail2ban.enable) {
-
-    environment.systemPackages = [ pkgs.fail2ban ];
-
+  config = mkMerge [
+    (mkIf config.components.network.fail2ban.enable {
+      environment.systemPackages = [ pkgs.fail2ban pkgs.ipset ];
      services.fail2ban = {
        enable = true;
-      # https://github.com/fail2ban/fail2ban/blob/master/config/jail.conf
-      jails = {
-        # fixme: can't use, because I changed the nginx log format
-        #nginx-bad-request.settings = {
-        #  port = "http,https";
-        #  logpath = "%(nginx_error_log)s";
-        #};
-        # fixme: can't use, because I changed the nginx log format
-        #nginx-botsearch.settings = {
-        #  port = "http,https";
-        #  logpath = "%(nginx_error_log)s";
-        #};
-      };
+        jails = { };
      };
+    })

+    # custom defined jails
+    # --------------------
+    # https://github.com/fail2ban/fail2ban/blob/master/config/jail.conf
+    (mkIf config.components.network.fail2ban.enable {
+      services.fail2ban.jails.nginx-git-ingolf-wagner-de.settings = {
+        port = "http,https";
+        logpath = "%(nginx_error_log)s";
      };
+      environment.etc = {
+        # Defines a filter that detects URL probing by reading the Nginx access log
+        "fail2ban/filter.d/nginx-git-ingolf-wagner-de.local".text = ''
+          [Definition]
+          failregex = src_addr="<HOST>".*response_statu="404".*host="git\.ingolf-wagner\.de"
+          journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
+        '';
+      };
+    })
+
+  ];
+
 }