nix/machines
1
0
Fork 0
Code Issues Releases Packages Activity Actions

Tweak nginx fail2ban
Some checks failed
/ rust-packages (push) Successful in 38s
Details
/ terraform-providers (push) Successful in 59s
Details
/ check (push) Successful in 2m0s
Details
/ dev-shell (push) Successful in 31s
Details
/ systems (push) Has been cancelled
Details

Browse source
This commit is contained in:
Kaare Hoff Skovgaard 2025-07-20 22:55:21 +02:00
parent 277f7dbb57
commit 95414d4380
Signed by: khs
GPG key ID: C7D890804F01E9F0
5 changed files with 85 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

1
nix/modules/nixos/infrastructure/vault-loki-sender/loki_endpoint.alloy
View file

@ -10,6 +10,7 @@ declare "loki_send" {
cert_file = sys.env("LOKI_CLIENT_CERT") cert_file = sys.env("LOKI_CLIENT_CERT")
key_file = sys.env("LOKI_CLIENT_KEY") key_file = sys.env("LOKI_CLIENT_KEY")
} }
batch_wait = "1m"
} }
external_labels = { external_labels = {
job = argument.job.value, job = argument.job.value,

2
nix/modules/nixos/infrastructure/vault-prometheus-sender/prometheus.alloy
View file

@ -50,7 +50,7 @@ prometheus.exporter.unix "integrations_node_exporter" {
// Define how to scrape metrics from the node_exporter // Define how to scrape metrics from the node_exporter
prometheus.scrape "integrations_node_exporter" { prometheus.scrape "integrations_node_exporter" {
scrape_interval = "15s" scrape_interval = "1m"
// Use the targets with labels from the discovery.relabel component // Use the targets with labels from the discovery.relabel component
targets = discovery.relabel.integrations_node_exporter.output targets = discovery.relabel.integrations_node_exporter.output
// Send the scraped metrics to the relabeling component // Send the scraped metrics to the relabeling component

49
nix/modules/nixos/services/fail2ban/default.nix Normal file
View file

@ -0,0 +1,49 @@
{ config, lib, ... }:
let
cfg = config.khscodes.services.fail2ban;
in
{
options.khscodes.services.fail2ban = {
enable = lib.mkEnableOption "Enables fail2ban service for the instance";
actions = lib.mkOption {
type = lib.types.listOf lib.types.path;
description = "Extra actions to add to fail2ban";
default = [ ];
};
filters = lib.mkOption {
type = lib.types.listOf lib.types.path;
description = "Extra filters to add to fail2ban";
default = [ ];
};
};
config = lib.mkIf cfg.enable {
environment.etc =
(lib.listToAttrs (
lib.lists.map (a: {
name = "fail2ban/action.d/${builtins.baseNameOf a}";
value = {
source = a;
};
}) cfg.actions
))
// (lib.listToAttrs (
lib.lists.map (f: {
name = "fail2ban/filter.d/${builtins.baseNameOf f}";
value = {
source = f;
};
}) cfg.filters
));
services.fail2ban = {
enable = true;
bantime = "1h";
bantime-increment = {
enable = true;
multipliers = "1 2 4 8 16 32 64 128 256";
maxtime = "168h"; # Do not ban for more than 1 week
overalljails = true;
};
};
};
}

34
nix/modules/nixos/services/nginx/default.nix
View file

@ -128,6 +128,34 @@ in
message = "Cannot use `config.khscodes.services.nginx.virtualHosts.<name>.acme = {}` without setting config.khscodes.security.acme.dns01Enabled"; message = "Cannot use `config.khscodes.services.nginx.virtualHosts.<name>.acme = {}` without setting config.khscodes.security.acme.dns01Enabled";
} }
]; ];
services.fail2ban.jails = {
nginx-botsearch = {
settings = {
# Block an IP address if it accesses a non-existent
# home directory more than 5 times in 10 minutes,
# since that indicates that it's scanning.
filter = "nginx-botsearch";
action = ''${config.services.fail2ban.banaction}[name=HTTP, port="http,https"]'';
logpath = "/var/log/nginx/access.log";
backend = "auto";
findtime = 600;
maxretry = 5;
};
};
nginx-bad-request = {
settings = {
# Block an IP address if it accesses a non-existent
# home directory more than 5 times in 10 minutes,
# since that indicates that it's scanning.
filter = "nginx-bad-request";
action = ''${config.services.fail2ban.banaction}[name=HTTP, port="http,https"]'';
logpath = "/var/log/nginx/access.log";
backend = "auto";
findtime = 600;
maxretry = 1;
};
};
};
khscodes.networking.aliases = lib.attrsets.attrNames cfg.virtualHosts; khscodes.networking.aliases = lib.attrsets.attrNames cfg.virtualHosts;
khscodes.security.acme.enable = true; khscodes.security.acme.enable = true;
security.dhparams.enable = lib.mkIf (cfg.sslConfiguration == "intermediate") { security.dhparams.enable = lib.mkIf (cfg.sslConfiguration == "intermediate") {
@ -138,7 +166,11 @@ in
}; };
services.nginx = { services.nginx = {
enable = true; enable = true;
package = lib.mkDefault pkgs.nginxStable; package = lib.mkDefault (
pkgs.nginxStable.overrideAttrs (oldAttrs: {
nativeBuildInputs = oldAttrs.nativeBuildInputs ++ [ pkgs.pkg-config ];
})
);
statusPage = config.khscodes.infrastructure.vault-prometheus-sender.enable; statusPage = config.khscodes.infrastructure.vault-prometheus-sender.enable;
sslDhparam = lib.mkIf ( sslDhparam = lib.mkIf (
cfg.sslConfiguration == "intermediate" cfg.sslConfiguration == "intermediate"

1
nix/profiles/nixos/khs-server.nix
View file

@ -5,6 +5,7 @@
environment.systemPackages = [ pkgs.khscodes.bao-import-secret ]; environment.systemPackages = [ pkgs.khscodes.bao-import-secret ];
khscodes = { khscodes = {
services.openssh.enable = true; services.openssh.enable = true;
services.fail2ban.enable = true;
machine.type = "server"; machine.type = "server";
os.auto-update.enable = true; os.auto-update.enable = true;
infrastructure = { infrastructure = {