From 1f43626404de472599c75c9fe58bcdd871202f30 Mon Sep 17 00:00:00 2001
From: Sakooooo <78461130+Sakooooo@users.noreply.github.com>
Date: Wed, 1 Jan 2025 15:20:35 +0400
Subject: [PATCH] its beginning to look alot like christmas
---
modules/server/default.nix | 9 ++++++-
modules/server/fail2ban.nix | 40 +++++++++++++++++++++++++++++
modules/server/services/forgejo.nix | 2 +-
3 files changed, 49 insertions(+), 2 deletions(-)
create mode 100644 modules/server/fail2ban.nix
diff --git a/modules/server/default.nix b/modules/server/default.nix
index 9dfed1be..3c252c8c 100644
--- a/modules/server/default.nix
+++ b/modules/server/default.nix
@@ -2,7 +2,14 @@
 with lib;
 let cfg = config.void.server;
 in {
- imports = [ ./dns ./nginx.nix ./services ./postgresql.nix ./redis.nix ];
+ imports = [
+ ./dns
+ ./nginx.nix
+ ./services
+ ./postgresql.nix
+ ./redis.nix
+ ./fail2ban.nix
+ ];
 
 options.void.server = { isServer = mkEnableOption false; };
 
diff --git a/modules/server/fail2ban.nix b/modules/server/fail2ban.nix
new file mode 100644
index 00000000..050bd56c
--- /dev/null
+++ b/modules/server/fail2ban.nix
@@ -0,0 +1,40 @@
+{ config, lib, ... }:
+with lib;
+let cfg = config.void.server.fail2ban;
+in {
+ options.void.server.fail2ban = { enable = mkEnableOption false; };
+
+ config = mkIf cfg.enable {
+ # again thank you notashelf (again)
+ services.fail2ban = {
+ enable = true;
+ ignoreIP = [
+ "127.0.0.1/8" # localhost
+ "100.64.0.0/16"
+ "192.168.0.0/16"
+ ];
+ banaction = "iptables-multiport";
+ banaction-allports = lib.mkDefault "iptables-allport";
+
+ maxretry = 7;
+ bantime = "10m";
+ bantime-increment = {
+ enable = true;
+ rndtime = "12m";
+ overalljails = true;
+ multipliers = "4 8 16 32 64 128 256 512 1024 2048";
+ maxtime = "10000h"; # ill see you when nix eval times are fast
+ };
+ daemonSettings = {
+ Definition = {
+ loglevel = "INFO";
+ logtarget = "/var/log/fail2ban/fail2ban.log";
+ socket = "/run/fail2ban/fail2ban.sock";
+ pidfile = "/run/fail2ban/fail2ban.pid";
+ dbfile = "/var/lib/fail2ban/fail2ban.sqlite3";
+ dbpurageage = "1d";
+ };
+ };
+ };
+ };
+}
diff --git a/modules/server/services/forgejo.nix b/modules/server/services/forgejo.nix
index 990e3656..6edc5f43 100644
--- a/modules/server/services/forgejo.nix
+++ b/modules/server/services/forgejo.nix
@@ -63,7 +63,7 @@ in {
 services.fail2ban.jails.forgejo = {
 settings = {
 filter = "forgejo";
- action = "nftables-multiport";
+ action = "iptables-multiport";
 mode = "aggressive";
 maxretry = 5;
 findtime = 3600;
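Review bot: `banaction-allports = lib.mkDefault "iptables-allport"` names an action fail2ban does not ship — the bundled action file is `iptables-allports.conf` — and because `mkDefault` still outranks the option's own default, any jail that resolves `%(banaction_allports)s` would fail to start; change it to `banaction-allports = lib.mkDefault "iptables-allports";`. Further down, `dbpurageage = "1d"` is a misspelling of `dbpurgeage`; `daemonSettings` appears to be freeform, so the unknown key is written into fail2ban.conf and silently ignored rather than rejected at evaluation, and `dbpurgeage = "1d";` is what is intended. The `ignoreIP` list exempts all of 192.168.0.0/16 and 100.64.0.0/16 from every jail, the forgejo one included, so a compromised host anywhere on those ranges can brute-force without limit; narrowing them to the subnets actually in use would be safer (and if 100.64.0.0/16 is meant to be the CGNAT/Tailscale range, that range is 100.64.0.0/10, so only part of it is covered as written). A short comment per entry saying why the range is trusted, e.g. `# LAN - trusted, keep as narrow as possible` next to `"192.168.0.0/16"`, would make later audits easier.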
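Review bot: `action = "iptables-multiport"` pins the firewall backend inside the forgejo jail while the same commit also sets `services.fail2ban.banaction` globally, so the backend now has to be kept in sync in two places and this line is exactly what had to change for the nftables-to-iptables switch. fail2ban's stock jail default `%(action_)s` expands to `%(banaction)s` with the jail's port, protocol and chain filled in, so dropping the `action` line (or writing `action = "%(action_)s";`) would let this jail follow the global choice without another edit next time. Whether the jail sets a `port` for forgejo cannot be seen here; the `services.fail2ban.jails.forgejo` attrset starts in this hunk and continues past it.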