···
1
-
{ config, pkgs, ... }:
age.secrets.abuseipdb = {
···
52
-
action = "iptables-multiport[name=SSH, port='ssh']\nabuseipdb[abuseipdb_apikey='$(cat /run/agenix/abuseipdb)', abuseipdb_category='18,22']";
52
+
action = "iptables-multiport[name=SSH, port='ssh']\nabuseipdb-agenix[abuseipdb_category='18,22']";
# Caddy HTTP/HTTPS protection - monitor for repeated 4xx/5xx errors
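Review bot: The `abuseipdb-agenix` action this jail now calls (its `actionban` is defined in a later hunk of the same diff) wraps the whole command in `/bin/sh -c '…'` and interpolates `"<matches>"` inside that single-quoted string; as far as I know fail2ban's stock CommandAction already runs `actionban` through a shell and backslash-escapes `<matches>` for double-quoted/unquoted context, and a backslash does nothing inside single quotes, so a matched log line containing `'` (for the Caddy jails, an attacker-chosen request line) terminates the quoted string and the remainder executes as root. The wrapper is therefore both unnecessary for the `$(cat …)` expansion the comment cites and a new injection surface; keep the original unwrapped layout, `actionban = lgm=$(printf '%%.1000s\n...' "<matches>"); curl -sSf "https://api.abuseipdb.com/api/v2/report" \` with `-H "Key: $(cat /run/agenix/abuseipdb)" \` replacing the old `<abuseipdb_apikey>` tag, and verify with a log line containing a single quote. Separately, expanding the secret into `-H "Key: …"` places the API key on curl's argv, where other local users can read it via `ps` or `/proc`; reading the header from a file (`-H @file`, or a curl config passed with `-K`) keeps it out of the process list. The jail block this `action` line belongs to starts before this hunk.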
···
65
-
action = "iptables-multiport[name=Caddy, port='http,https']\nabuseipdb[abuseipdb_apikey='$(cat /run/agenix/abuseipdb)', abuseipdb_category='21']";
65
+
action = "iptables-multiport[name=Caddy, port='http,https']\nabuseipdb-agenix[abuseipdb_category='21']";
# Rate-based protection - ban on excessive requests
···
78
-
action = "iptables-multiport[name=Caddy-RateLimit, port='http,https']\nabuseipdb[abuseipdb_apikey='$(cat /run/agenix/abuseipdb)', abuseipdb_category='21']";
78
+
action = "iptables-multiport[name=Caddy-RateLimit, port='http,https']\nabuseipdb-agenix[abuseipdb_category='21']";
83
-
# Custom filters and actions for Fail2Ban
86
-
abuseipdbAction = ''
83
+
# Custom filters for Fail2Ban
85
+
# Caddy HTTP error monitoring filter
86
+
"fail2ban/filter.d/caddy-http.conf".text = ''
88
+
failregex = ^<HOST> -.*" (?:400|401|403|404|405|429|500|502|503|504) .*$
92
-
# Report IP to AbuseIPDB using official fail2ban pattern
93
-
# The abuseipdb_apikey parameter is passed from the jail action call
94
-
actionban = lgm=$(printf '%%.1000s\n...' "<matches>"); curl -sSf "https://api.abuseipdb.com/api/v2/report" \
95
-
-H "Accept: application/json" \
96
-
-H "Key: <abuseipdb_apikey>" \
97
-
--data-urlencode "comment=$lgm" \
98
-
--data-urlencode "ip=<ip>" \
99
-
--data "categories=<abuseipdb_category>"
92
+
# Caddy rate limiting filter - detects repeated requests within short timeframe
93
+
"fail2ban/filter.d/caddy-ratelimit.conf".text = ''
95
+
failregex = ^<HOST> -.*" \d{3} .*$
101
-
# No action to unban - AbuseIPDB reports are permanent
99
+
# Custom abuseipdb action that reads API key from file
100
+
"fail2ban/action.d/abuseipdb-agenix.conf".text = ''
102
+
# Report IP to AbuseIPDB, reading API key from Agenix secret file
103
+
# The entire command is wrapped in /bin/sh -c to ensure shell expansion of $(cat ...)
104
+
actionban = /bin/sh -c 'lgm=$(printf "%%.1000s\n..." "<matches>"); curl -sSf "https://api.abuseipdb.com/api/v2/report" \
105
+
-H "Accept: application/json" \
106
+
-H "Key: $(cat /run/agenix/abuseipdb)" \
107
+
--data-urlencode "comment=$lgm" \
108
+
--data-urlencode "ip=<ip>" \
109
+
--data "categories=<abuseipdb_category>"'
105
-
# Default category for abuse report
106
-
abuseipdb_category = 18
107
-
# API key must be provided in jail action call
112
-
# Caddy HTTP error monitoring filter
113
-
"fail2ban/filter.d/caddy-http.conf".text = ''
115
-
failregex = ^<HOST> -.*" (?:400|401|403|404|405|429|500|502|503|504) .*$
119
-
# Caddy rate limiting filter - detects repeated requests within short timeframe
120
-
"fail2ban/filter.d/caddy-ratelimit.conf".text = ''
122
-
failregex = ^<HOST> -.*" \d{3} .*$
126
-
# AbuseIPDB action - must be copied into action.d directory
127
-
"fail2ban/action.d/abuseipdb.conf".text = abuseipdbAction;
117
+
abuseipdb_category = 18
# Ensure the log directory exists
systemd.tmpfiles.rules = [