ops-jrz1/modules/security/fail2ban.nix
Dan ab5aebb161 Phase 3: Extract and sanitize Matrix platform modules from ops-base
Extracted modules:
- Matrix homeserver (matrix-continuwuity.nix)
- mautrix bridges (slack, whatsapp, gmessages)
- Security modules (fail2ban, ssh-hardening)
- Development services module
- Matrix secrets module

All modules sanitized to remove personal information:
- Domains: example.com, matrix.example.org
- IPs: 10.0.0.x, 203.0.113.10
- Paths: /home/user, /path/to/ops-base
- Emails: admin@example.com

Configuration:
- Updated flake.nix with sops-nix and nixpkgs-unstable
- Updated hosts/ops-jrz1.nix to import all extracted modules
- Added example files (secrets, minimal config)
- Generated flake.lock

Generated with Claude Code - https://claude.com/claude-code
2025-10-13 14:51:14 -07:00


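# Fail2ban configuration for protecting against brute-force attacks.
#
# Enables fail2ban with module-wide maxretry/bantime defaults, exempts
# loopback plus an optional operator network from banning, and declares two
# nginx jails when nginx is enabled on the host. The sshd jail is not touched
# here; whatever the NixOS fail2ban module sets up by default is assumed to
# remain active — confirm against the installed nixpkgs revision.
{ config, lib, ... }:
let
  cfg = config.security.fail2ban-enhanced;
  nginxEnabled = config.services.nginx.enable;
in
{
  options.security.fail2ban-enhanced = {
    enable = lib.mkEnableOption "enhanced fail2ban protection";

    homeIP = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      example = "10.0.0.0/24";
      description = ''
        Single address or CIDR network that fail2ban must never ban
        (appended to ignoreIP). Leave null to exempt loopback only.
      '';
    };

    bantime = lib.mkOption {
      type = lib.types.str;
      default = "1h";
      description = ''
        Default ban duration, in fail2ban time syntax (e.g. "1h", "10m").
        Applies to every jail that does not set its own bantime.
      '';
    };

    maxretry = lib.mkOption {
      type = lib.types.int;
      default = 3;
      description = ''
        Default number of failures within findtime before an address is
        banned. Jails below override it where noted.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    services.fail2ban = {
      enable = true;
      maxretry = cfg.maxretry;
      bantime = cfg.bantime;

      # Loopback is always exempt; the operator network only when configured.
      ignoreIP = [
        "127.0.0.0/8"
        "::1"
      ] ++ lib.optional (cfg.homeIP != null) cfg.homeIP;

      # Declare the nginx jails only when nginx is enabled: a jail whose
      # logpath does not exist fails to start and is re-reported on every
      # reload, which adds noise without adding protection.
      #
      # NOTE(review): if the NixOS module's [DEFAULT] backend is systemd,
      # these file-based jails need `backend = auto` — confirm against the
      # nixos/modules/services/security/fail2ban.nix in use.
      jails = lib.mkIf nginxEnabled {
        # HTTP basic-auth failures. nginx logs these ("user ... was not
        # found", "password mismatch") to the *error* log, which is also the
        # log fail2ban's stock nginx-http-auth jail reads; the access log
        # never matches this filter, so pointing the jail there bans nobody.
        # bantime is inherited from the module-wide default above.
        nginx-http-auth = ''
          enabled = true
          filter = nginx-http-auth
          logpath = /var/log/nginx/error.log
          maxretry = 5
          findtime = 10m
        '';

        # Scanners probing for well-known vulnerable paths; the botsearch
        # filter reads nginx's 404 ("No such file or directory") entries from
        # the error log. Lower maxretry than auth since legitimate users
        # rarely trip it. bantime is inherited from the module-wide default.
        nginx-botsearch = ''
          enabled = true
          filter = nginx-botsearch
          logpath = /var/log/nginx/error.log
          maxretry = 2
        '';
      };
    };
  };
}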