initial commit

hosts/hermes/fail2ban.nix

@@ -0,0 +1,106 @@
+{pkgs, ...}: {
+  services.fail2ban = {
+    enable = true;
+    jails = {
+      sshd.settings = {enabled = false;};
+      radarr.settings = {
+        enabled = true;
+        filter = "arr";
+        action = ''
+          iptables-allports
+        '';
+        logpath = "/var/lib/radarr/.config/Radarr/logs/radarr.txt";
+        backend = "auto";
+        maxretry = 4;
+        bantime = "52w";
+        findtime = "52w";
+        chain = "FORWARD";
+      };
+      sonarr.settings = {
+        enabled = true;
+        filter = "arr";
+        action = ''
+          iptables-allports
+        '';
+        logpath = "/var/lib/sonarr/.config/NzbDrone/logs/sonarr.txt";
+        backend = "auto";
+        maxretry = 4;
+        bantime = "52w";
+        findtime = "52w";
+        chain = "FORWARD";
+      };
+
+      prowlarr.settings = {
+        enabled = true;
+        filter = "arr";
+        action = ''
+          iptables-allports
+        '';
+        logpath = "/var/lib/prowlarr/logs/prowlarr.txt";
+        backend = "auto";
+        maxretry = 4;
+        bantime = "52w";
+        findtime = "52w";
+        chain = "FORWARD";
+      };
+
+      jellyseerr.settings = {
+        enabled = true;
+        filter = "jellyseerr";
+        action = ''
+          iptables-allports
+        '';
+        logpath = "/var/lib/jellyseerr/logs/overseer*.log";
+        backend = "auto";
+        maxretry = 4;
+        bantime = "52w";
+        findtime = "52w";
+        chain = "FORWARD";
+      };
+
+      jellyfin.settings = {
+        enabled = true;
+        filter = "jellyfin";
+        action = ''
+          iptables-allports
+        '';
+        logpath = "/var/lib/jellyfin/log/log*.log";
+        backend = "auto";
+        maxretry = 4;
+        bantime = "52w";
+        findtime = "52w";
+        chain = "FORWARD";
+      };
+    };
+  };
+  environment.etc = {
+    "fail2ban/filter.d/arr.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+      [INCLUDES]
+      before = common.conf
+
+      [Definition]
+      datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S\.%%f\|
+      failregex = ^\s*Warn\|Auth\|Auth-Failure ip <ADDR> username '<F-USER>[^']+</F-USER>'
+      ignoreregex =
+    '');
+
+    "fail2ban/filter.d/jellyseerr.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+      [INCLUDES]
+      before = common.conf
+
+      [Definition]
+      failregex = ^.*\[warn\]\[API\]: Failed sign-in attempt using invalid Overseerr password {"ip":"<HOST>","email":
+                  ^.*\[warn\]\[Auth\]: Failed login attempt from user with incorrect Jellyfin credentials {"account":{"ip":"<HOST>","email":
+      ignoreregex =
+    '');
+
+    "fail2ban/filter.d/jellyfin.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+      [INCLUDES]
+      before = common.conf
+
+      [Definition]
+      failregex = ^.*Authentication request for .* has been denied \(IP: "<ADDR>"\)\.
+      ignoreregex =
+    '');
+  };
+}