jan-leila/nix-config
1
0
Fork 1
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: jan-leila:1e5eed80c16c5f9049773bae0df4d495544585ea
Branches Tags
jan-leila:main
..
compare: jan-leila:92839b4603b4a820bac53062226f9abd854d1d2b
Branches Tags
jan-leila:main

No commits in common. "1e5eed80c16c5f9049773bae0df4d495544585ea" and "92839b4603b4a820bac53062226f9abd854d1d2b" have entirely different histories.
1e5eed80c1 ... 92839b4603

2 changed files with 24 additions and 51 deletions
Download patch file Download diff file Expand all files Collapse all files

24
modules/nixos-modules/server/fail2ban.nix
View file

@ -16,6 +16,20 @@ in {
failregex = "limiting requests, excess:.* by zone.*client: <HOST>" failregex = "limiting requests, excess:.* by zone.*client: <HOST>"
'') '')
); );
# "fail2ban/filter.d/hass.local".text = lib.mkIf config.services.home-assistant.enable (
# pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
# [INCLUDES]
# before = common.conf
# [Definition]
# failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$
# ignoreregex =
# [Init]
# datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
# '')
# );
}; };
services.fail2ban = { services.fail2ban = {
@ -47,6 +61,16 @@ in {
bantime = 600; bantime = 600;
maxretry = 5; maxretry = 5;
}; };
home-assistant-iptables.settings = lib.mkIf config.services.home-assistant.enable {
enabled = true;
filter = "hass";
action = ''iptables-multiport[name=HTTP, port="http,https"]'';
logpath = "${config.services.home-assistant.configDir}/*.log";
backend = "auto";
findtime = 600;
bantime = 600;
maxretry = 5;
};
# TODO; figure out if there is any fail2ban things we can do on searx # TODO; figure out if there is any fail2ban things we can do on searx
# searx-iptables.settings = lib.mkIf config.services.searx.enable {}; # searx-iptables.settings = lib.mkIf config.services.searx.enable {};
}; };

51
modules/nixos-modules/server/home-assistant.nix
View file

@ -1,6 +1,5 @@
{ {
lib, lib,
pkgs,
config, config,
... ...
}: let }: let
@ -64,8 +63,6 @@ in {
services.home-assistant = { services.home-assistant = {
configDir = configDir; configDir = configDir;
extraComponents = [ extraComponents = [
"default_config"
"esphome"
"met" "met"
"radio_browser" "radio_browser"
"isal" "isal"
@ -78,20 +75,6 @@ in {
"openweathermap" "openweathermap"
"ollama" "ollama"
"mobile_app" "mobile_app"
"logbook"
"ssdp"
"usb"
"webhook"
"bluetooth"
"dhcp"
"energy"
"history"
"backup"
"assist_pipeline"
"conversation"
"sun"
"zeroconf"
"cpuspeed"
]; ];
config = { config = {
http = { http = {
@ -108,7 +91,6 @@ in {
recorder.db_url = "postgresql://@/${dbUser}"; recorder.db_url = "postgresql://@/${dbUser}";
"automation manual" = []; "automation manual" = [];
"automation ui" = "!include automations.yaml"; "automation ui" = "!include automations.yaml";
mobile_app = {};
}; };
extraPackages = python3Packages: extraPackages = python3Packages:
with python3Packages; [ with python3Packages; [
@ -173,39 +155,6 @@ in {
]; ];
}; };
}) })
(lib.mkIf config.services.fail2ban.enable {
environment.etc = {
"fail2ban/filter.d/hass.local".text = lib.mkIf config.services.home-assistant.enable (
pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
[INCLUDES]
before = common.conf
[Definition]
failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$
ignoreregex =
[Init]
datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
'')
);
};
services.fail2ban = {
jails = {
home-assistant-iptables.settings = lib.mkIf config.services.home-assistant.enable {
enabled = true;
filter = "hass";
action = ''iptables-multiport[name=HTTP, port="http,https"]'';
logpath = "${config.services.home-assistant.configDir}/*.log";
backend = "auto";
findtime = 600;
bantime = 600;
maxretry = 5;
};
};
};
})
(lib.mkIf config.host.impermanence.enable { (lib.mkIf config.host.impermanence.enable {
assertions = [ assertions = [
{ {