# NixOS module: fail2ban hardening for this host.
#
# Everything below is only applied when services.fail2ban is enabled. The module
# sets global ban policy (ignoreIP, bantime, bantime-increment), adds an nginx
# rate-limit filter and jail when nginx is enabled, and, on impermanent hosts,
# persists fail2ban's state directory so bans survive a reboot.
{
  lib,
  pkgs,
  config,
  ...
}: let
  # fail2ban's state directory and the sqlite database inside it. The pair is
  # used by the impermanence assertion below to check that the path fail2ban
  # actually writes to is the one being persisted.
  dataFolder = "/var/lib/fail2ban";
  dataFile = "fail2ban.sqlite3";
in {
  config = lib.mkIf config.services.fail2ban.enable (lib.mkMerge [
    {
      environment.etc = {
        # Extra filter definition for the nginx jail below. Only written when
        # nginx is enabled, so the jail and its filter appear together.
        # mkDefault lets another module override this text; mkAfter orders it
        # after any other definitions of the same file.
        #
        # NOTE(review): the failregex value is wrapped in double quotes. fail2ban
        # filter files are INI-style and the quotes are likely taken literally as
        # part of the pattern; confirm against a real nginx "limiting requests"
        # error-log line that this regex matches (fail2ban-regex can test it).
        "fail2ban/filter.d/nginx.local".text = lib.mkIf config.services.nginx.enable (
          pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
            [Definition]
            failregex = "limiting requests, excess:.* by zone.*client: <HOST>"
          '')
        );
      };

      services.fail2ban = {
        # Global default: five failures within a jail's findtime triggers a ban.
        maxretry = 5;
        # Addresses that are never banned. Anything in these ranges can fail
        # authentication indefinitely, so keep the list to networks you control.
        ignoreIP = [
          # Whitelist local networks (RFC 1918 ranges)
          "10.0.0.0/8"
          "172.16.0.0/12"
          "192.168.0.0/16"

          # tail scale tailnet (Tailscale's IPv4 CGNAT range and its IPv6 ULA prefix)
          "100.64.0.0/10"
          "fd7a:115c:a1e0::/48"
        ];
        bantime = "24h"; # Ban IPs for one day on the first ban
        # Repeat offenders get progressively longer bans, capped at maxtime.
        bantime-increment = {
          enable = true; # Enable increment of bantime after each violation
          # Exponential growth in the ban count (an alternative to fail2ban's
          # default doubling formula); banFactor is fail2ban's tunable.
          formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
          maxtime = "168h"; # Do not ban for more than 1 week
          overalljails = true; # Calculate the ban time based on all the violations
        };
        jails = {
          # Ban clients that trip nginx's request rate limiting (limit_req).
          # Uses the "nginx" filter defined via environment.etc above.
          #
          # NOTE(review): no logpath is set and backend is "auto", so fail2ban
          # has no file to watch for this jail; confirm where nginx writes its
          # error log on this host (on NixOS it may go to the journal) and either
          # set logpath or switch this jail to the systemd backend.
          #
          # NOTE(review): bantime = 600 here overrides the global 24h for the
          # only jail defined, so the "one day on the first ban" comment above
          # does not hold for nginx; drop it if the global policy is intended.
          nginx-iptables.settings = lib.mkIf config.services.nginx.enable {
            enabled = true;
            filter = "nginx";
            # Block the offender on both HTTP ports with the iptables multiport action.
            action = ''iptables-multiport[name=HTTP, port="http,https"]'';
            backend = "auto";
            findtime = 600; # seconds: window in which maxretry hits must occur
            bantime = 600; # seconds: per-jail ban length (overrides the global bantime)
            maxretry = 5; # same as the global default; kept explicit per jail
          };
          # TODO: figure out if there are any fail2ban filters that make sense for searx
          # searx-iptables.settings = lib.mkIf config.services.searx.enable {};
        };
      };
    }
    # On hosts with an ephemeral root (project-defined host.impermanence option),
    # keep fail2ban's ban database across reboots; otherwise every reboot
    # silently unbans everyone and resets the bantime-increment counters.
    (lib.mkIf config.host.impermanence.enable {
      assertions = [
        {
          # Fail the build if fail2ban was pointed at a database outside the
          # persisted directory, rather than silently losing ban state.
          assertion = config.services.fail2ban.daemonSettings.Definition.dbfile == "${dataFolder}/${dataFile}";
          message = "fail2ban data file does not match persistence";
        }
      ];

      environment.persistence."/persist/system/root" = {
        directories = [
          {
            # Owned by the fail2ban service account so the daemon can write to it
            # after the bind mount is in place.
            directory = dataFolder;
            user = "fail2ban";
            group = "fail2ban";
          }
        ];
      };
    })
  ]);
}