jan-leila/nix-config
1
0
Fork 1
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: added per service enable options for fail2ban configs

Browse source
This commit is contained in:
Leyla Becker 2025-10-25 02:37:53 -05:00
parent ecec04a9ce
commit a8af8930fa
4 changed files with 59 additions and 31 deletions
Download patch file Download diff file Expand all files Collapse all files

2
configurations/nixos/defiant/configuration.nix
View file

@ -310,7 +310,7 @@
forgejo = { forgejo = {
enable = true; enable = true;
domain = "git.jan-leila.com"; reverseProxy.domain = "git.jan-leila.com";
}; };
searx = { searx = {

11
modules/nixos-modules/server/forgejo/fail2ban.nix
View file

@ -4,7 +4,16 @@
pkgs, pkgs,
... ...
}: { }: {
config = lib.mkIf (config.services.forgejo.enable && config.services.fail2ban.enable) { options.services.forgejo = {
fail2ban = {
enable = lib.mkOption {
type = lib.types.bool;
default = config.services.forgejo.enable && config.services.fail2ban.enable;
};
};
};
config = lib.mkIf config.services.forgejo.fail2ban.enable {
environment.etc = { environment.etc = {
"fail2ban/filter.d/forgejo.local".text = lib.mkIf config.services.forgejo.enable ( "fail2ban/filter.d/forgejo.local".text = lib.mkIf config.services.forgejo.enable (
pkgs.lib.mkDefault (pkgs.lib.mkAfter '' pkgs.lib.mkDefault (pkgs.lib.mkAfter ''

66
modules/nixos-modules/server/home-assistant/fail2ban.nix
View file

@ -3,36 +3,46 @@
pkgs, pkgs,
config, config,
... ...
}: }: {
lib.mkIf (config.services.fail2ban.enable && config.services.home-assistant.enable) { options.services.home-assistant = {
environment.etc = { fail2ban = {
"fail2ban/filter.d/hass.local".text = ( enable = lib.mkOption {
pkgs.lib.mkDefault (pkgs.lib.mkAfter '' type = lib.types.bool;
[INCLUDES] default = config.services.fail2ban.enable && config.services.home-assistant.enable;
before = common.conf };
};
[Definition]
failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$
ignoreregex =
[Init]
datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
'')
);
}; };
services.fail2ban = { config = lib.mkIf config.services.home-assistant.fail2ban.enable {
jails = { environment.etc = {
home-assistant-iptables.settings = { "fail2ban/filter.d/hass.local".text = (
enabled = true; pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
filter = "hass"; [INCLUDES]
action = ''iptables-multiport[name=HTTP, port="http,https"]''; before = common.conf
logpath = "${config.services.home-assistant.configDir}/*.log";
backend = "auto"; [Definition]
findtime = 600; failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$
bantime = 600;
maxretry = 5; ignoreregex =
[Init]
datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
'')
);
};
services.fail2ban = {
jails = {
home-assistant-iptables.settings = {
enabled = true;
filter = "hass";
action = ''iptables-multiport[name=HTTP, port="http,https"]'';
logpath = "${config.services.home-assistant.configDir}/*.log";
backend = "auto";
findtime = 600;
bantime = 600;
maxretry = 5;
};
}; };
}; };
}; };

11
modules/nixos-modules/server/immich/fail2ban.nix
View file

@ -4,7 +4,16 @@
pkgs, pkgs,
... ...
}: { }: {
config = lib.mkIf (config.services.fail2ban.enable && config.services.immich.enable) { options.services.immich = {
fail2ban = {
enable = lib.mkOption {
type = lib.types.bool;
default = config.services.fail2ban.enable && config.services.immich.enable;
};
};
};
config = lib.mkIf config.services.immich.fail2ban.enable {
environment.etc = { environment.etc = {
"fail2ban/filter.d/immich.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter '' "fail2ban/filter.d/immich.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[Definition] [Definition]