diff --git a/modules/nixos-modules/server/fail2ban.nix b/modules/nixos-modules/server/fail2ban.nix
index d19aeeb..1851e33 100644
--- a/modules/nixos-modules/server/fail2ban.nix
+++ b/modules/nixos-modules/server/fail2ban.nix
@@ -16,6 +16,20 @@ in {
 failregex = "limiting requests, excess:.* by zone.*client: "
 '')
 );
+ # "fail2ban/filter.d/hass.local".text = lib.mkIf config.services.home-assistant.enable (
+ # pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+ # [INCLUDES]
+ # before = common.conf
+
+ # [Definition]
+ # failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from .*$
+
+ # ignoreregex =
+
+ # [Init]
+ # datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
+ # '')
+ # );
 };
 
 services.fail2ban = {
@@ -47,6 +61,16 @@ in {
 bantime = 600;
 maxretry = 5;
 };
+ home-assistant-iptables.settings = lib.mkIf config.services.home-assistant.enable {
+ enabled = true;
+ filter = "hass";
+ action = ''iptables-multiport[name=HTTP, port="http,https"]'';
+ logpath = "${config.services.home-assistant.configDir}/*.log";
+ backend = "auto";
+ findtime = 600;
+ bantime = 600;
+ maxretry = 5;
+ };
 # TODO; figure out if there is any fail2ban things we can do on searx
 # searx-iptables.settings = lib.mkIf config.services.searx.enable {};
 };
diff --git a/modules/nixos-modules/server/home-assistant.nix b/modules/nixos-modules/server/home-assistant.nix
index f91e02e..07dcc03 100644
--- a/modules/nixos-modules/server/home-assistant.nix
+++ b/modules/nixos-modules/server/home-assistant.nix
@@ -1,6 +1,5 @@
 {
 lib,
- pkgs,
 config,
 ...
 }: let
@@ -64,8 +63,6 @@ in {
 services.home-assistant = {
 configDir = configDir;
 extraComponents = [
- "default_config"
- "esphome"
 "met"
 "radio_browser"
 "isal"
@@ -78,20 +75,6 @@ in {
 "openweathermap"
 "ollama"
 "mobile_app"
- "logbook"
- "ssdp"
- "usb"
- "webhook"
- "bluetooth"
- "dhcp"
- "energy"
- "history"
- "backup"
- "assist_pipeline"
- "conversation"
- "sun"
- "zeroconf"
- "cpuspeed"
 ];
 config = {
 http = {
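Review bot: The `hass` filter is added only as comments in the first fail2ban.nix hunk (`# "fail2ban/filter.d/hass.local".text = …`), while the jail added in the next hunk sets `filter = "hass"` and the live definition is deleted from home-assistant.nix in the same commit. Unless another file still provides `filter.d/hass.*`, fail2ban has no filter to load for that jail, and a jail that cannot be loaded may keep the service from starting, which would also leave the other jails inactive. Either uncomment the block here or keep the jail disabled until the filter is restored. As rendered on this page the failregex has no `<HOST>` tag; if that is not an extraction artifact, fail2ban will reject the expression because it cannot tell which address to ban. The enclosing `environment.etc` attribute set starts outside the hunk.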
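Review bot: The `home-assistant-iptables` jail in the second fail2ban.nix hunk bans whatever address Home Assistant writes to its log, and nothing in the hunk shows that this is the real client address. If Home Assistant is reached through a reverse proxy (the `http` block is outside the visible lines, so this is an assumption), the log carries the proxy's address unless `use_x_forwarded_for` and `trusted_proxies` are set, and the jail would then ban the proxy or never match a remote client. I would add a comment above the jail such as `# relies on http.use_x_forwarded_for/trusted_proxies so logged addresses are real clients`. Consider also narrowing `logpath` from `*.log` to the one file Home Assistant writes, so that no other log in the config directory can feed ban decisions. The enclosing `jails` set starts outside the hunk.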
@@ -108,7 +91,6 @@ in {
 recorder.db_url = "postgresql://@/${dbUser}";
 "automation manual" = [];
 "automation ui" = "!include automations.yaml";
- mobile_app = {};
 };
 extraPackages = python3Packages:
 with python3Packages; [
@@ -173,39 +155,6 @@ in {
 ];
 };
 })
- (lib.mkIf config.services.fail2ban.enable {
- environment.etc = {
- "fail2ban/filter.d/hass.local".text = lib.mkIf config.services.home-assistant.enable (
- pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
- [INCLUDES]
- before = common.conf
-
- [Definition]
- failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from .*$
-
- ignoreregex =
-
- [Init]
- datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
- '')
- );
- };
-
- services.fail2ban = {
- jails = {
- home-assistant-iptables.settings = lib.mkIf config.services.home-assistant.enable {
- enabled = true;
- filter = "hass";
- action = ''iptables-multiport[name=HTTP, port="http,https"]'';
- logpath = "${config.services.home-assistant.configDir}/*.log";
- backend = "auto";
- findtime = 600;
- bantime = 600;
- maxretry = 5;
- };
- };
- };
- })
 (lib.mkIf config.host.impermanence.enable {
 assertions = [
 {