dachxy/nix-conf
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

security: add fail2ban

Browse source
This commit is contained in:
danny 2025-09-26 20:47:19 +08:00
parent 8de4592eb5
commit 20ee47caa2
4 changed files with 71 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
system/dev/dn-server/default.nix
View file

@ -18,6 +18,7 @@ in
intel-bus-id = "PCI:0:2:0"; intel-bus-id = "PCI:0:2:0";
nvidia-bus-id = "PCI:1:0:0"; nvidia-bus-id = "PCI:1:0:0";
}) })
./security.nix
./sops-conf.nix ./sops-conf.nix
./boot.nix ./boot.nix
./hardware-configuration.nix ./hardware-configuration.nix
@ -58,6 +59,7 @@ in
dataBackupPath = "/mnt/backup_dn"; dataBackupPath = "/mnt/backup_dn";
dbBackupPath = "/mnt/backup_dn"; dbBackupPath = "/mnt/backup_dn";
adminpassFile = config.sops.secrets."nextcloud/adminPassword".path; adminpassFile = config.sops.secrets."nextcloud/adminPassword".path;
trusted = [ "nextcloud.daccc.info" ];
}) })
(import ../../modules/vaultwarden.nix { (import ../../modules/vaultwarden.nix {
domain = "bitwarden.net.dn"; domain = "bitwarden.net.dn";

13
system/dev/dn-server/security.nix Normal file
View file

@ -0,0 +1,13 @@
{
...
}:
{
imports = [
(import ../../modules/fail2ban.nix {
extraAllowList = [
"10.0.0.0/24"
"122.117.215.55"
];
})
];
}

55
system/modules/fail2ban.nix Normal file
View file

@ -0,0 +1,55 @@
{
extreAllowList ? [ ],
...
}:
{
services.fail2ban = {
enable = true;
maxretry = 5;
ignoreIP = [
"192.168.0.0/16"
]
++ extreAllowList;
bantime = "24h";
bantime-increment = {
enable = true;
multipliers = "8 64";
maxtime = "1y";
overalljails = true;
};
jails =
let
nginxLogPath = "/var/log/nginx/error.log*";
in
{
sshd.settings = {
logPath = "";
filter = "sshd";
action = ''nftables-multiport[name="sshd", port="ssh,30072"]'';
backend = "systemd";
findtime = 600;
bantime = 600;
maxretry = 5;
};
nginx-error-common.settings = {
logPath = nginxLogPath;
filter = "nginx-error-common";
action = ''nftables-multiport[name=HTTP, port="http,https"]'';
backend = "auto";
findtime = 600;
bantime = 600;
maxretry = 5;
};
nginx-forbidden.settings = {
logPath = nginxLogPath;
filter = "nginx-forbidden";
action = ''nftables-multiport[name=HTTP, port="http,https"]'';
backend = "auto";
findtime = 600;
bantime = 600;
maxretry = 5;
};
};
};
}

2
system/modules/mail-server/server.nix
View file

@ -292,7 +292,7 @@ in
log_path = /dev/stderr log_path = /dev/stderr
log_debug = (category=auth-client) OR (event=auth_client_passdb_lookup_started) log_debug = (category=auth-client) OR (event=auth_client_passdb_lookup_started)
auth_mechanisms = plain login oauthbearer auth_mechanisms = plain login
ssl = required ssl = required
service auth { service auth {