{ config, lib, pkgs, ... }: with lib; { options.features.network.fail2ban.enable = mkOption { type = lib.types.bool; default = false; }; config = mkMerge [ (mkIf config.features.network.fail2ban.enable { environment.systemPackages = [ pkgs.fail2ban ]; services.fail2ban = { enable = true; jails = { }; }; }) # custom defined jails # -------------------- # https://github.com/fail2ban/fail2ban/blob/master/config/jail.conf (mkIf config.features.network.fail2ban.enable { services.fail2ban.jails.nginx-git-not-found.settings = { port = "http,https"; logpath = "%(nginx_error_log)s"; }; environment.etc = { # Defines a filter that detects URL probing by reading the Nginx access log "fail2ban/filter.d/nginx-git-not-found.local".text = '' [Definition] failregex = src_addr="".*response_statu="404".*host="git\.ingolf-wagner\.de" journalmatch = _SYSTEMD_UNIT=nginx.service ''; }; }) (mkIf config.features.network.fail2ban.enable { services.fail2ban.jails.nginx-git-bad-request.settings = { port = "http,https"; logpath = "%(nginx_error_log)s"; }; environment.etc = { # Defines a filter that detects URL probing by reading the Nginx access log "fail2ban/filter.d/nginx-git-bad-request.local".text = '' [Definition] failregex = src_addr="".*response_statu="400".*host="git\.ingolf-wagner\.de" journalmatch = _SYSTEMD_UNIT=nginx.service ''; }; }) ]; }