tlaternet-server/configuration/services/fail2ban.nix

{pkgs, ...}: {
  services.fail2ban = {
    enable = true;
    extraPackages = [pkgs.ipset];
    banaction = "iptables-ipset-proto6-allports";
    bantime-increment.enable = true;

    jails = {
      nginx-botsearch = ''
        enabled = true
        logpath = /var/log/nginx/access.log
      '';
    };

    ignoreIP = [
      "127.0.0.0/8"
      "10.0.0.0/8"
      "172.16.0.0/12"
      "192.168.0.0/16"
    ];
  };

  # Allow metrics services to connect to the socket as well
  users.groups.fail2ban = {};
  systemd.services.fail2ban.serviceConfig = {
    RestrictAddressFamilies = [
      "AF_UNIX" # AF_INET and AF_INET6 are added by the generic config
    ];

    ExecStartPost =
      "+"
      + (pkgs.writeShellScript "fail2ban-post-start" ''
        while ! [ -S /var/run/fail2ban/fail2ban.sock ]; do
            sleep 1
        done

        while ! ${pkgs.netcat}/bin/nc -zU /var/run/fail2ban/fail2ban.sock; do
            sleep 1
        done

        ${pkgs.coreutils}/bin/chown root:fail2ban /var/run/fail2ban /var/run/fail2ban/fail2ban.sock
        ${pkgs.coreutils}/bin/chmod 660 /var/run/fail2ban/fail2ban.sock
        ${pkgs.coreutils}/bin/chmod 710 /var/run/fail2ban
      '');
  };
}
WIP: fail2ban: Add metrics 2023-10-02 21:54:21 +01:00			`{pkgs, ...}: {`
			`services.fail2ban = {`
			`enable = true;`
			`extraPackages = [pkgs.ipset];`
			`banaction = "iptables-ipset-proto6-allports";`
			`bantime-increment.enable = true;`

			`jails = {`
			`nginx-botsearch = ''`
			`enabled = true`
			`logpath = /var/log/nginx/access.log`
			`'';`
			`};`

			`ignoreIP = [`
			`"127.0.0.0/8"`
			`"10.0.0.0/8"`
			`"172.16.0.0/12"`
			`"192.168.0.0/16"`
			`];`
			`};`

			`# Allow metrics services to connect to the socket as well`
			`users.groups.fail2ban = {};`
			`systemd.services.fail2ban.serviceConfig = {`
			`RestrictAddressFamilies = [`
			`"AF_UNIX" # AF_INET and AF_INET6 are added by the generic config`
			`];`

			`ExecStartPost =`
			`"+"`
			`+ (pkgs.writeShellScript "fail2ban-post-start" ''`
			`while ! [ -S /var/run/fail2ban/fail2ban.sock ]; do`
			`sleep 1`
			`done`

			`while ! ${pkgs.netcat}/bin/nc -zU /var/run/fail2ban/fail2ban.sock; do`
			`sleep 1`
			`done`

			`${pkgs.coreutils}/bin/chown root:fail2ban /var/run/fail2ban /var/run/fail2ban/fail2ban.sock`
			`${pkgs.coreutils}/bin/chmod 660 /var/run/fail2ban/fail2ban.sock`
			`${pkgs.coreutils}/bin/chmod 710 /var/run/fail2ban`
			`'');`
			`};`
			`}`