sapphic.moe / flake
❄️ Dotfiles for our NixOS system configuration.
fork atom

chore(services:fail2ban): test change

Chloe 2caa68f9 78818d39

options
unified split
Changed files
+44 -38
services
fail2ban
default.nix
+44 -38
services/fail2ban/default.nix 
···

       
80

       
80

       
 

       
    };


     

       
81

       
81

       
 

       
  };


     

       
82

       
82

       
 

       



     

       
83

       

       
-

       
  # Custom filters for Fail2Ban


     

       
84

       

       
-

       
  environment.etc = {


     

       
85

       

       
-

       
    # Caddy HTTP error monitoring filter


     

       
86

       

       
-

       
    "fail2ban/filter.d/caddy-http.conf".text = ''


     

       
87

       

       
-

       
      [Definition]


     

       
88

       

       
-

       
      failregex = ^<HOST> -.*" (?:400|401|403|404|405|429|500|502|503|504) .*$


     

       
89

       

       
-

       
      ignoreregex =


     

       
90

       

       
-

       
    '';


     

       

       
83

       
+

       
  # Custom filters and actions for Fail2Ban


     

       

       
84

       
+

       
  environment.etc =


     

       

       
85

       
+

       
    let


     

       

       
86

       
+

       
      abuseipdbAction = pkgs.writeText "abuseipdb.conf" ''


     

       

       
87

       
+

       
        [Definition]


     

       

       
88

       
+

       
        actionstart =


     

       

       
89

       
+

       
        actionstop =


     

       

       
90

       
+

       
        actioncheck =


     

       
91

       
91

       
 

       



     

       
92

       

       
-

       
    # Caddy rate limiting filter - detects repeated requests within short timeframe


     

       
93

       

       
-

       
    "fail2ban/filter.d/caddy-ratelimit.conf".text = ''


     

       
94

       

       
-

       
      [Definition]


     

       
95

       

       
-

       
      failregex = ^<HOST> -.*" \d{3} .*$


     

       
96

       

       
-

       
      ignoreregex =


     

       
97

       

       
-

       
    '';


     

       

       
92

       
+

       
        # Report IP to AbuseIPDB using the API key from the secret file


     

       

       
93

       
+

       
        actionban = /bin/sh -c 'curl -s -X POST https://api.abuseipdb.com/api/v2/report \


     

       

       
94

       
+

       
          -H "Key: $(cat <abuseipdb_apikey>)" \


     

       

       
95

       
+

       
          -H "Accept: application/json" \


     

       

       
96

       
+

       
          -d "ip=<ip>&category=<abuseipdb_category>&comment=<abuseipdb_comment>&timestamp=$(date +%%s)" \


     

       

       
97

       
+

       
          >> /var/log/fail2ban-abuseipdb.log 2>&1'


     

       
98

       
98

       
 

       



     

       
99

       

       
-

       
    # AbuseIPDB action for reporting IPs


     

       
100

       

       
-

       
    # The API key is passed via the abuseipdb_apikey parameter which should be


     

       
101

       

       
-

       
    # set to the path of the decrypted secret file (e.g., /run/agenix/abuseipdb)


     

       
102

       

       
-

       
    "fail2ban/action.d/abuseipdb.conf".text = ''


     

       
103

       

       
-

       
      [Definition]


     

       
104

       

       
-

       
      actionstart =


     

       
105

       

       
-

       
      actionstop =


     

       
106

       

       
-

       
      actioncheck =


     

       

       
99

       
+

       
        # No action to unban - AbuseIPDB reports are permanent


     

       

       
100

       
+

       
        actionunban =


     

       
107

       
101

       
 

       



     

       
108

       

       
-

       
      # Report IP to AbuseIPDB


     

       
109

       

       
-

       
      # Reads the API key from the file specified in the abuseipdb_apikey parameter


     

       
110

       

       
-

       
      actionban = /run/current-system/sw/bin/curl -s -X POST https://api.abuseipdb.com/api/v2/report \


     

       
111

       

       
-

       
        -H "Key: $(cat <abuseipdb_apikey>)" \


     

       
112

       

       
-

       
        -H "Accept: application/json" \


     

       
113

       

       
-

       
        -d "ip=<ip>&category=<abuseipdb_category>&comment=<abuseipdb_comment>" \


     

       
114

       

       
-

       
        -o /dev/null


     

       

       
102

       
+

       
        [Init]


     

       

       
103

       
+

       
        # Default path - will be overridden by jail configuration


     

       

       
104

       
+

       
        abuseipdb_apikey = /run/agenix/abuseipdb


     

       

       
105

       
+

       
        abuseipdb_category = 18


     

       

       
106

       
+

       
        abuseipdb_comment = Fail2Ban Report


     

       

       
107

       
+

       
      '';


     

       

       
108

       
+

       
    in


     

       

       
109

       
+

       
    {


     

       

       
110

       
+

       
      # Caddy HTTP error monitoring filter


     

       

       
111

       
+

       
      "fail2ban/filter.d/caddy-http.conf".text = ''


     

       

       
112

       
+

       
        [Definition]


     

       

       
113

       
+

       
        failregex = ^<HOST> -.*" (?:400|401|403|404|405|429|500|502|503|504) .*$


     

       

       
114

       
+

       
        ignoreregex =


     

       

       
115

       
+

       
      '';


     

       

       
116

       
+

       



     

       

       
117

       
+

       
      # Caddy rate limiting filter - detects repeated requests within short timeframe


     

       

       
118

       
+

       
      "fail2ban/filter.d/caddy-ratelimit.conf".text = ''


     

       

       
119

       
+

       
        [Definition]


     

       

       
120

       
+

       
        failregex = ^<HOST> -.*" \d{3} .*$


     

       

       
121

       
+

       
        ignoreregex =


     

       

       
122

       
+

       
      '';


     

       
115

       
123

       
 

       



     

       
116

       

       
-

       
      # No action to unban - AbuseIPDB reports are permanent


     

       
117

       

       
-

       
      actionunban =


     

       

       
124

       
+

       
      # AbuseIPDB action - must be copied into action.d directory


     

       

       
125

       
+

       
      "fail2ban/action.d/abuseipdb.conf".source = abuseipdbAction;


     

       

       
126

       
+

       
    };


     

       
118

       
127

       
 

       



     

       
119

       

       
-

       
      [Init]


     

       
120

       

       
-

       
      # Default path - will be overridden by jail configuration


     

       
121

       

       
-

       
      abuseipdb_apikey = /run/agenix/abuseipdb


     

       
122

       

       
-

       
      abuseipdb_category = 18


     

       
123

       

       
-

       
      abuseipdb_comment = Fail2Ban Report


     

       
124

       

       
-

       
    '';


     

       
125

       

       
-

       
  };


     

       

       
128

       
+

       
  # Ensure the log directory exists


     

       

       
129

       
+

       
  systemd.tmpfiles.rules = [


     

       

       
130

       
+

       
    "d /var/log/fail2ban 0755 root root -"


     

       

       
131

       
+

       
  ];


     

       
126

       
132

       
 

       
}