refactor: split configurations for fail2ban, postgres, and qbittorent into folders

2025-10-24 13:08:13 -05:00 · 2025-10-24 13:08:13 -05:00 · 0f5507c328
commit 0f5507c328
parent ad04be6534
13 changed files with 296 additions and 263 deletions
--- a/modules/nixos-modules/server/fail2ban/default.nix
+++ b/modules/nixos-modules/server/fail2ban/default.nix
@ -0,0 +1,6 @@
+{...}: {
+  imports = [
+    ./fail2ban.nix
+    ./impermanence.nix
+  ];
+}
--- a/modules/nixos-modules/server/fail2ban/fail2ban.nix
+++ b/modules/nixos-modules/server/fail2ban/fail2ban.nix
@ -0,0 +1,51 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}: {
+  config = lib.mkIf config.services.fail2ban.enable {
+    environment.etc = {
+      "fail2ban/filter.d/nginx.local".text = lib.mkIf config.services.nginx.enable (
+        pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+          [Definition]
+          failregex = "limiting requests, excess:.* by zone.*client: <HOST>"
+        '')
+      );
+    };
+
+    services.fail2ban = {
+      maxretry = 5;
+      ignoreIP = [
+        # Whitelist local networks
+        "10.0.0.0/8"
+        "172.16.0.0/12"
+        "192.168.0.0/16"
+
+        # tail scale tailnet
+        "100.64.0.0/10"
+        "fd7a:115c:a1e0::/48"
+      ];
+      bantime = "24h"; # Ban IPs for one day on the first ban
+      bantime-increment = {
+        enable = true; # Enable increment of bantime after each violation
+        formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+        maxtime = "168h"; # Do not ban for more than 1 week
+        overalljails = true; # Calculate the ban time based on all the violations
+      };
+      jails = {
+        nginx-iptables.settings = lib.mkIf config.services.nginx.enable {
+          enabled = true;
+          filter = "nginx";
+          action = ''iptables-multiport[name=HTTP, port="http,https"]'';
+          backend = "auto";
+          findtime = 600;
+          bantime = 600;
+          maxretry = 5;
+        };
+        # TODO; figure out if there is any fail2ban things we can do on searx
+        # searx-iptables.settings = lib.mkIf config.services.searx.enable {};
+      };
+    };
+  };
+}
--- a/modules/nixos-modules/server/fail2ban/impermanence.nix
+++ b/modules/nixos-modules/server/fail2ban/impermanence.nix
@ -0,0 +1,27 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  dataFolder = "/var/lib/fail2ban";
+  dataFile = "fail2ban.sqlite3";
+in {
+  config = lib.mkIf (config.services.fail2ban.enable && config.host.impermanence.enable) {
+    assertions = [
+      {
+        assertion = config.services.fail2ban.daemonSettings.Definition.dbfile == "${dataFolder}/${dataFile}";
+        message = "fail2ban data file does not match persistence";
+      }
+    ];
+
+    environment.persistence."/persist/system/root" = {
+      directories = [
+        {
+          directory = dataFolder;
+          user = "fail2ban";
+          group = "fail2ban";
+        }
+      ];
+    };
+  };
+}