From 56dc8655f81d2dae08727805257e9b373048efcf Mon Sep 17 00:00:00 2001
From: caandt
Date: Sun, 29 Dec 2024 23:06:18 -0500
Subject: [PATCH] fail2ban
---
 hosts/mikan/config.nix | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/hosts/mikan/config.nix b/hosts/mikan/config.nix
index bdf97c4..7adce3b 100644
--- a/hosts/mikan/config.nix
+++ b/hosts/mikan/config.nix
@@ -9,7 +9,23 @@
 };
 };
 networking.firewall.allowedTCPPorts = [2291 80 443];
- services.fail2ban.enable = true;
+ services.fail2ban = {
+ enable = true;
+ jails = {
+ "nginx".settings = {
+ filter = "nginx-4";
+ logpath = "/var/log/nginx/access.log";
+ backend = "auto";
+ maxretry = 8;
+ bantime = 600;
+ findtime = 120;
+ };
+ };
+ };
+ environment.etc."fail2ban/filter.d/nginx-4.conf".text = ''
+ [Definition]
+ failregex = ^ - - \[.*\] \".*\" (4..).+$
+ '';
 services.qemuGuest.enable = true;
 services.forgejo = {
 enable = true;
@@ -44,7 +60,7 @@
 useACMEHost = "twoha.cc";
 forceSSL = true;
 serverName = "twoha.cc";
- locations."/".return = 502;
+ locations."/".return = 401;
 };
 virtualHosts."u.twoha.cc" = {
 useACMEHost = "twoha.cc";
@@ -77,7 +93,7 @@
 useACMEHost = "twoha.cc";
 serverName = "*.twoha.cc";
 forceSSL = true;
- locations."/".return = 502;
+ locations."/".return = 401;
 };
 virtualHosts."g.twoha.cc" = {
 forceSSL = true;
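Review bot: The `nginx-4` filter counts every 4xx response the same, so in the added `failregex` line ordinary traffic can reach `maxretry = 8` within `findtime = 120`: the 401 challenge that precedes a normal authenticated request (for example git over HTTPS, if Forgejo is proxied through this nginx) and 404s for missing assets are logged just like a scanner's probes. Consider narrowing the status group to the codes you actually want to punish, at minimum `(4\d\d)` instead of `(4..)`, and listing trusted addresses in `services.fail2ban.ignoreIP` so an administrator cannot ban themselves. As rendered on this page the pattern starts with `^ - - ` and has no `<HOST>` placeholder; if that is not an extraction artefact, fail2ban has no address to ban and the line should begin `^<HOST> - - `. A one-line comment above the filter naming the access-log format it assumes would also help, since `logpath` points at the shared `access.log`.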
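Review bot: The catch-all `locations."/".return = 401;` in the `@@ -44,7 +60,7 @@` hunk sends a 401 without a `WWW-Authenticate` challenge, which HTTP expects for that status, and nothing on the line records why the code changed from 502. Presumably the aim is for hits on the bare domain and on unknown subdomains to match the 4xx filter of the new fail2ban jail; if so, `403` (or nginx's connection-closing `444`) says the same thing without implying an authentication flow, and a comment such as `# 4xx on purpose: counted by the fail2ban "nginx" jail` would document the intent. The same applies to the identical change for `*.twoha.cc` in the `@@ -77,7 +93,7 @@` hunk. Both virtualHosts blocks start and end outside their hunks.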