refactor: moved nixos modules to dendrite pattern

2026-04-07 15:39:45 -05:00 · 2026-04-07 15:39:45 -05:00 · 0ea11e0236
commit 0ea11e0236
parent df8dd110ad
219 changed files with 4802 additions and 4820 deletions
--- a/modules/nixos/programs/fail2ban/default.nix
+++ b/modules/nixos/programs/fail2ban/default.nix
@ -0,0 +1,10 @@
+{config, ...}: let
+  mod = config.flake.nixosModules;
+in {
+  flake.nixosModules.fail2ban = {
+    imports = [
+      mod.fail2ban-service
+      mod.fail2ban-storage
+    ];
+  };
+}
--- a/modules/nixos/programs/fail2ban/fail2ban.nix
+++ b/modules/nixos/programs/fail2ban/fail2ban.nix
@ -0,0 +1,53 @@
+{...}: {
+  flake.nixosModules.fail2ban-service = {
+    lib,
+    pkgs,
+    config,
+    ...
+  }: {
+    config = lib.mkIf config.services.fail2ban.enable {
+      environment.etc = {
+        "fail2ban/filter.d/nginx.local".text = lib.mkIf config.services.nginx.enable (
+          pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+            [Definition]
+            failregex = "limiting requests, excess:.* by zone.*client: <HOST>"
+          '')
+        );
+      };
+
+      services.fail2ban = {
+        maxretry = 5;
+        ignoreIP = [
+          # Whitelist local networks
+          "10.0.0.0/8"
+          "172.16.0.0/12"
+          "192.168.0.0/16"
+
+          # tail scale tailnet
+          "100.64.0.0/10"
+          "fd7a:115c:a1e0::/48"
+        ];
+        bantime = "24h"; # Ban IPs for one day on the first ban
+        bantime-increment = {
+          enable = true; # Enable increment of bantime after each violation
+          formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+          maxtime = "168h"; # Do not ban for more than 1 week
+          overalljails = true; # Calculate the ban time based on all the violations
+        };
+        jails = {
+          nginx-iptables.settings = lib.mkIf config.services.nginx.enable {
+            enabled = true;
+            filter = "nginx";
+            action = ''iptables-multiport[name=HTTP, port="http,https"]'';
+            backend = "auto";
+            findtime = 600;
+            bantime = 600;
+            maxretry = 5;
+          };
+          # TODO; figure out if there is any fail2ban things we can do on searx
+          # searx-iptables.settings = lib.mkIf config.services.searx.enable {};
+        };
+      };
+    };
+  };
+}
--- a/modules/nixos/programs/fail2ban/storage.nix
+++ b/modules/nixos/programs/fail2ban/storage.nix
@ -0,0 +1,23 @@
+{...}: {
+  flake.nixosModules.fail2ban-storage = {
+    lib,
+    config,
+    ...
+  }: let
+    dataFolder = "/var/lib/fail2ban";
+  in {
+    options.services.fail2ban.impermanence.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = config.services.fail2ban.enable && config.storage.impermanence.enable;
+    };
+
+    config = lib.mkIf config.services.fail2ban.enable {
+      storage.datasets.replicate."system/root" = {
+        directories."${dataFolder}" = lib.mkIf config.services.fail2ban.impermanence.enable {
+          owner.name = "fail2ban";
+          group.name = "fail2ban";
+        };
+      };
+    };
+  };
+}