diff --git a/modules/nixos-modules/server/fail2ban.nix b/modules/nixos-modules/server/fail2ban.nix
index f410aeb..6fdfd6a 100644
--- a/modules/nixos-modules/server/fail2ban.nix
+++ b/modules/nixos-modules/server/fail2ban.nix
@@ -20,18 +20,6 @@ in {
 failregex = "limiting requests, excess:.* by zone.*client: "
 '')
 );
- "fail2ban/filter.d/jellyfin.local".text = lib.mkIf config.services.jellyfin.enable (
- pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
- [Definition]
- failregex = "^.*Authentication request for .* has been denied \\\(IP: \"\"\\\)\\\."
- '')
- );
- "fail2ban/filter.d/forgejo.local".text = lib.mkIf config.services.forgejo.enable (
- pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
- [Definition]
- failregex = ".*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from "
- '')
- );
 # "fail2ban/filter.d/hass.local".text = lib.mkIf config.services.home-assistant.enable (
 # pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
 # [INCLUDES]
@@ -46,13 +34,6 @@ in {
 # datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
 # '')
 # );
- "fail2ban/filter.d/immich.local".text = lib.mkIf config.services.immich.enable (
- pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
- [Definition]
- failregex = immich-server.*Failed login attempt for user.+from ip address\s?
- journalmatch = CONTAINER_TAG=immich-server
- '')
- );
 };
 
 services.fail2ban = {
@@ -85,26 +66,6 @@ in {
 bantime = 600;
 maxretry = 5;
 };
- jellyfin-iptables.settings = lib.mkIf config.services.jellyfin.enable {
- enabled = true;
- filter = "jellyfin";
- action = ''iptables-multiport[name=HTTP, port="http,https"]'';
- logpath = "${config.services.jellyfin.dataDir}/log/*.log";
- backend = "auto";
- findtime = 600;
- bantime = 600;
- maxretry = 5;
- };
- forgejo-iptables.settings = lib.mkIf config.services.forgejo.enable {
- enabled = true;
- filter = "forgejo";
- action = ''iptables-multiport[name=HTTP, port="http,https"]'';
- logpath = "${config.services.forgejo.settings.log.ROOT_PATH}/*.log";
- backend = "auto";
- findtime = 600;
- bantime = 600;
- maxretry = 5;
- };
 # home-assistant-iptables.settings = lib.mkIf config.services.home-assistant.enable {
 # enabled = true;
 # filter = "hass";
@@ -115,11 +76,6 @@ in {
 # bantime = 600;
 # maxretry = 5;
 # };
- immich-iptables.settings = lib.mkIf config.services.immich.enable {
- enabled = true;
- filter = "immich";
- backend = "systemd";
- };
 # TODO; figure out if there is any fail2ban things we can do on searx
 # searx-iptables.settings = lib.mkIf config.services.searx.enable {};
 };
diff --git a/modules/nixos-modules/server/forgejo.nix b/modules/nixos-modules/server/forgejo.nix
index f0c1974..d19e0ae 100644
--- a/modules/nixos-modules/server/forgejo.nix
+++ b/modules/nixos-modules/server/forgejo.nix
@@ -1,6 +1,7 @@
 {
 lib,
 config,
+ pkgs,
 ...
 }: let
 forgejoPort = 8081;
@@ -67,6 +68,31 @@ in {
 config.services.forgejo.settings.server.SSH_LISTEN_PORT
 ];
 }
+ (lib.mkIf config.services.fail2ban.enable {
+ environment.etc = {
+ "fail2ban/filter.d/forgejo.local".text = lib.mkIf config.services.forgejo.enable (
+ pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+ [Definition]
+ failregex = ".*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from "
+ '')
+ );
+ };
+
+ services.fail2ban = {
+ jails = {
+ forgejo-iptables.settings = lib.mkIf config.services.forgejo.enable {
+ enabled = true;
+ filter = "forgejo";
+ action = ''iptables-multiport[name=HTTP, port="http,https"]'';
+ logpath = "${config.services.forgejo.settings.log.ROOT_PATH}/*.log";
+ backend = "auto";
+ findtime = 600;
+ bantime = 600;
+ maxretry = 5;
+ };
+ };
+ };
+ })
 (lib.mkIf config.host.impermanence.enable {
 assertions = [
 {
diff --git a/modules/nixos-modules/server/immich.nix b/modules/nixos-modules/server/immich.nix
index 2756e5c..5160701 100644
--- a/modules/nixos-modules/server/immich.nix
+++ b/modules/nixos-modules/server/immich.nix
@@ -1,6 +1,7 @@
 {
 lib,
 config,
+ pkgs,
 ...
 }: let
 mediaLocation = "/var/lib/immich";
@@ -59,6 +60,27 @@ in {
 ];
 };
 }
+ (lib.mkIf config.services.fail2ban.enable {
+ environment.etc = {
+ "fail2ban/filter.d/immich.local".text = lib.mkIf config.services.immich.enable (
+ pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+ [Definition]
+ failregex = immich-server.*Failed login attempt for user.+from ip address\s?
+ journalmatch = CONTAINER_TAG=immich-server
+ '')
+ );
+ };
+
+ services.fail2ban = {
+ jails = {
+ immich-iptables.settings = lib.mkIf config.services.immich.enable {
+ enabled = true;
+ filter = "immich";
+ backend = "systemd";
+ };
+ };
+ };
+ })
 (lib.mkIf config.host.impermanence.enable {
 assertions = [
 {
diff --git a/modules/nixos-modules/server/jellyfin.nix b/modules/nixos-modules/server/jellyfin.nix
index 77d5744..79e0ffa 100644
--- a/modules/nixos-modules/server/jellyfin.nix
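Review bot: `pkgs` is added to the module arguments only so the filter text can call `pkgs.lib.mkDefault`/`pkgs.lib.mkAfter`, while `lib` is already an argument of the module and is normally the same nixpkgs library; writing `lib.mkDefault (lib.mkAfter '' … '')` removes the need for the new `pkgs,` line in forgejo.nix and immich.nix, and the same substitution applies to the jellyfin.nix hunk. The moved jail also keeps `backend = "auto"` with `logpath = "${config.services.forgejo.settings.log.ROOT_PATH}/*.log"`; if this Forgejo instance logs to the journal rather than to files under ROOT_PATH (worth confirming against its `log.MODE` setting), the glob matches nothing, fail2ban refuses to start the jail, and failed logins are never counted, so `backend = "systemd"` with a matching `journalmatch` in the filter, as the immich jail already does, would be the more robust choice. The list this element is appended to begins before the hunk.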
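Review bot: `journalmatch = CONTAINER_TAG=immich-server` in the filter selects journal entries tagged by a container runtime, but the jail is gated on `config.services.immich.enable`, i.e. the native NixOS service; if that service runs as `immich-server.service` (please confirm on the host), its lines carry `_SYSTEMD_UNIT=immich-server.service` and no `CONTAINER_TAG`, so the `systemd` backend sees nothing and the jail never bans. `journalmatch = _SYSTEMD_UNIT=immich-server.service` would be the usual match, and the `immich-server.*` prefix in the failregex should then be re-checked against a real journal line, since a native unit's message is not prefixed with the unit name. Unlike the forgejo jail this one sets no `action`, `findtime`, `bantime` or `maxretry` and so inherits fail2ban's DEFAULT values; if that is intentional a one-line comment saying so would stop the next reader from "fixing" it. The list this element is appended to begins before the hunk.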
+++ b/modules/nixos-modules/server/jellyfin.nix
@@ -53,6 +53,31 @@ in {
 pkgs.jellyfin-ffmpeg
 ];
 }
+ (lib.mkIf config.services.fail2ban.enable {
+ environment.etc = {
+ "fail2ban/filter.d/jellyfin.local".text = lib.mkIf config.services.jellyfin.enable (
+ pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+ [Definition]
+ failregex = "^.*Authentication request for .* has been denied \\\(IP: \"\"\\\)\\\."
+ '')
+ );
+ };
+
+ services.fail2ban = {
+ jails = {
+ jellyfin-iptables.settings = lib.mkIf config.services.jellyfin.enable {
+ enabled = true;
+ filter = "jellyfin";
+ action = ''iptables-multiport[name=HTTP, port="http,https"]'';
+ logpath = "${config.services.jellyfin.dataDir}/log/*.log";
+ backend = "auto";
+ findtime = 600;
+ bantime = 600;
+ maxretry = 5;
+ };
+ };
+ };
+ })
 (lib.mkIf config.host.impermanence.enable {
 fileSystems."/persist/system/jellyfin".neededForBoot = true;