nixos-config/profiles/servers/fail2ban.nix

{ config, ... }: {
  services.openssh.settings.LogLevel = "VERBOSE";

  services.fail2ban = {
    enable = true;
    maxretry = 3;
    ignoreIP = [
      "127.0.0.0/8"
      "10.0.0.0/8"
      "172.16.0.0/12"
      "192.168.0.0/16"
      # "8.8.8.8"
    ];
    jails = {
      vaultwarden = ''
        enabled = true
        port = 80,443,8081
        filter = vaultwarden
        banaction = %(banaction_allports)s
        logpath = /var/log/vaultwarden.log
        maxretry = 3
        bantime = 14400
        findtime = 14400
      '';
      vaultwarden-admin = ''
        enabled = true
        port = 80,443
        filter = vaultwarden-admin
        banaction = %(banaction_allports)s
        logpath = /var/log/vaultwarden.log
        maxretry = 3
        bantime = 14400
        findtime = 14400
      '';
    };
  };

  environment.etc."fail2ban/filter.d/vaultwarden.conf" = {
    enable = config.services.vaultwarden.enable;
    text = ''
      [INCLUDES]
      before = common.conf
      [Definition]
      failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
      ignoreregex =
    '';
  };

  environment.etc."fail2ban/filter.d/vaultwarden-admin.conf" = {
    enable = config.services.vaultwarden.enable;
    text = ''
      [INCLUDES]
      before = common.conf
      [Definition]
      failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
      ignoreregex =
    '';
  };

  persist.state.directories = [ "/var/lib/fail2ban" ];
}
deadnix, cleanup 2024-02-08 23:21:10 +03:00			`{ config, ... }: {`
huge update to server containers 2023-03-23 01:58:10 +03:00			`services.openssh.settings.LogLevel = "VERBOSE";`
add some services 2022-02-21 02:25:13 +03:00
			`services.fail2ban = {`
			`enable = true;`
			`maxretry = 3;`
			`ignoreIP = [`
			`"127.0.0.0/8"`
			`"10.0.0.0/8"`
			`"172.16.0.0/12"`
			`"192.168.0.0/16"`
			`# "8.8.8.8"`
			`];`
			`jails = {`
			`vaultwarden = ''`
			`enabled = true`
			`port = 80,443,8081`
			`filter = vaultwarden`
			`banaction = %(banaction_allports)s`
			`logpath = /var/log/vaultwarden.log`
			`maxretry = 3`
			`bantime = 14400`
			`findtime = 14400`
			`'';`
			`vaultwarden-admin = ''`
			`enabled = true`
			`port = 80,443`
			`filter = vaultwarden-admin`
			`banaction = %(banaction_allports)s`
			`logpath = /var/log/vaultwarden.log`
			`maxretry = 3`
			`bantime = 14400`
			`findtime = 14400`
			`'';`
			`};`
			`};`

			`environment.etc."fail2ban/filter.d/vaultwarden.conf" = {`
			`enable = config.services.vaultwarden.enable;`
			`text = ''`
			`[INCLUDES]`
			`before = common.conf`
			`[Definition]`
			`failregex = ^.Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.$`
			`ignoreregex =`
			`'';`
			`};`

			`environment.etc."fail2ban/filter.d/vaultwarden-admin.conf" = {`
			`enable = config.services.vaultwarden.enable;`
			`text = ''`
			`[INCLUDES]`
			`before = common.conf`
			`[Definition]`
			`failregex = ^.Invalid admin token\. IP: <ADDR>.$`
			`ignoreregex =`
			`'';`
			`};`
persist module 2022-12-14 23:46:25 +03:00
			`persist.state.directories = [ "/var/lib/fail2ban" ];`
add some services 2022-02-21 02:25:13 +03:00			`}`