nix-config/modules/nixos-modules/server/fail2ban.nix

{
  lib,
  pkgs,
  config,
  ...
}: let
  dataFolder = "/var/lib/fail2ban";
  dataFile = "fail2ban.sqlite3";
in {
  options.host.fail2ban = {
    enable = lib.mkEnableOption "should fail 2 ban be enabled on this server";
  };

  config = lib.mkIf config.host.fail2ban.enable (lib.mkMerge [
    {
      environment.etc = {
        "fail2ban/filter.d/nginx.local".text = lib.mkIf config.services.nginx.enable (
          pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
            [Definition]
            failregex = "limiting requests, excess:.* by zone.*client: <HOST>"
          '')
        );
        # "fail2ban/filter.d/hass.local".text = lib.mkIf config.services.home-assistant.enable (
        #   pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
        #     [INCLUDES]
        #     before = common.conf

        #     [Definition]
        #     failregex = ^%(__prefix_line)s.*Login attempt or request with invalid authentication from <HOST>.*$

        #     ignoreregex =

        #     [Init]
        #     datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
        #   '')
        # );
      };

      services.fail2ban = {
        enable = true;
        maxretry = 5;
        ignoreIP = [
          # Whitelist local networks
          "10.0.0.0/8"
          "172.16.0.0/12"
          "192.168.0.0/16"

          # tail scale tailnet
          "100.64.0.0/10"
          "fd7a:115c:a1e0::/48"
        ];
        bantime = "24h"; # Ban IPs for one day on the first ban
        bantime-increment = {
          enable = true; # Enable increment of bantime after each violation
          formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
          maxtime = "168h"; # Do not ban for more than 1 week
          overalljails = true; # Calculate the ban time based on all the violations
        };
        jails = {
          nginx-iptables.settings = lib.mkIf config.services.nginx.enable {
            enabled = true;
            filter = "nginx";
            action = ''iptables-multiport[name=HTTP, port="http,https"]'';
            backend = "auto";
            findtime = 600;
            bantime = 600;
            maxretry = 5;
          };
          # home-assistant-iptables.settings = lib.mkIf config.services.home-assistant.enable {
          #   enabled = true;
          #   filter = "hass";
          #   action = ''iptables-multiport[name=HTTP, port="http,https"]'';
          #   logpath = "${config.services.home-assistant.configDir}/*.log";
          #   backend = "auto";
          #   findtime = 600;
          #   bantime = 600;
          #   maxretry = 5;
          # };
          # TODO; figure out if there is any fail2ban things we can do on searx
          # searx-iptables.settings = lib.mkIf config.services.searx.enable {};
        };
      };
    }
    (lib.mkIf config.host.impermanence.enable {
      assertions = [
        {
          assertion = config.services.fail2ban.daemonSettings.Definition.dbfile == "${dataFolder}/${dataFile}";
          message = "fail2ban data file does not match persistence";
        }
      ];

      environment.persistence."/persist/system/root" = {
        enable = true;
        hideMounts = true;
        directories = [
          {
            directory = dataFolder;
            user = "fail2ban";
            group = "fail2ban";
          }
        ];
      };
    })
  ]);
}