{ pkgs, ... }: { services.fail2ban = { enable = true; extraPackages = [ pkgs.ipset ]; banaction = "iptables-ipset-proto6-allports"; bantime-increment.enable = true; jails = { nginx-botsearch = '' enabled = true logpath = /var/log/nginx/access.log ''; }; ignoreIP = [ "127.0.0.0/8" "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" ]; }; # Allow metrics services to connect to the socket as well users.groups.fail2ban = { }; systemd.services.fail2ban.serviceConfig = { ExecStartPost = "+" + (pkgs.writeShellScript "fail2ban-post-start" '' while ! [ -S /var/run/fail2ban/fail2ban.sock ]; do sleep 1 done while ! ${pkgs.netcat}/bin/nc -zU /var/run/fail2ban/fail2ban.sock; do sleep 1 done ${pkgs.coreutils}/bin/chown root:fail2ban /var/run/fail2ban /var/run/fail2ban/fail2ban.sock ${pkgs.coreutils}/bin/chmod 660 /var/run/fail2ban/fail2ban.sock ${pkgs.coreutils}/bin/chmod 710 /var/run/fail2ban ''); }; }