author | Azat Bahawi <azat@bahawi.net> | 2023-07-13 07:39:07 +0300 |
---|---|---|
committer | Azat Bahawi <azat@bahawi.net> | 2023-07-13 07:39:07 +0300 |
commit | 138ff2ae32facaf4f2c072115b1b0f64f05f615a (patch) | |
tree | 1853385d7b07b92c3eb84439170fc719e56cf2c4 /modules/nixos | |
parent | 2023-07-09 (diff) |
2023-07-13
Diffstat (limited to 'modules/nixos')
-rw-r--r-- | modules/nixos/fail2ban.nix | 4 | ||||
-rw-r--r-- | modules/nixos/nginx.nix | 8 | ||||
-rw-r--r-- | modules/nixos/nsd.nix | 4 | ||||
-rw-r--r-- | modules/nixos/openssh.nix | 12 | ||||
-rw-r--r-- | modules/nixos/shadowsocks.nix | 12 | ||||
-rw-r--r-- | modules/nixos/vaultwarden.nix | 54 |
6 files changed, 48 insertions, 46 deletions
diff --git a/modules/nixos/fail2ban.nix b/modules/nixos/fail2ban.nix
index a42aab3..ce35c1f 100644
--- a/modules/nixos/fail2ban.nix
+++ b/modules/nixos/fail2ban.nix
@@ -26,9 +26,7 @@ in {
 optionals (hasAttr "wireguard" this) (with config.nixfiles.modules.wireguard; [ipv4.subnet ipv6.subnet]);
- jails.DEFAULT = ''
- blocktype = DROP
- '';
+ jails.DEFAULT.settings.blocktype = "DROP";
 };
 };
 }
diff --git a/modules/nixos/nginx.nix b/modules/nixos/nginx.nix
index b8ab24d..411bb0d 100644
--- a/modules/nixos/nginx.nix
+++ b/modules/nixos/nginx.nix
@@ -79,12 +79,8 @@ in {
 };
 fail2ban.jails = {
- nginx-http-auth = ''
- enabled = true
- '';
- nginx-botsearch = ''
- enabled = true
- '';
+ nginx-http-auth.enabled = true;
+ nginx-botsearch.enabled = true;
 };
 prometheus.exporters.nginx = {
diff --git a/modules/nixos/nsd.nix b/modules/nixos/nsd.nix
index f8d9e4b..0060a14 100644
--- a/modules/nixos/nsd.nix
+++ b/modules/nixos/nsd.nix
@@ -201,9 +201,7 @@ in {
 ];
 };
- fail2ban.jails.nsd = ''
- enabled = true
- '';
+ fail2ban.jails.nsd.enabled = true;
 };
 networking.firewall = rec {
diff --git a/modules/nixos/openssh.nix b/modules/nixos/openssh.nix
index 22e4b51..4324e45 100644
--- a/modules/nixos/openssh.nix
+++ b/modules/nixos/openssh.nix
@@ -44,11 +44,13 @@ in {
 };
 };
- fail2ban.jails.sshd = ''
- enabled = true
- mode = aggressive
- port = ${toString cfg.server.port}
- '';
+ fail2ban.jails.sshd = {
+ enabled = true;
+ settings = {
+ mode = "aggressive";
+ inherit (cfg.server) port;
+ };
+ };
 };
 };
 }
diff --git a/modules/nixos/shadowsocks.nix b/modules/nixos/shadowsocks.nix
index f9997ba..7307933 100644
--- a/modules/nixos/shadowsocks.nix
+++ b/modules/nixos/shadowsocks.nix
@@ -29,11 +29,13 @@ in {
 mode = "tcp_only";
 };
- fail2ban.jails.shadowsocks-libev = ''
- enabled = true
- filter = shadowsocks-libev
- port = ${toString cfg.port}
- '';
+ fail2ban.jails.shadowsocks-libev = {
+ enabled = true;
+ settings = {
+ filter = "shadowsocks-libev";
+ inherit (cfg) port;
+ };
+ };
 };
 systemd.services.shadowsocks-libev.path = with pkgs;
diff --git a/modules/nixos/vaultwarden.nix b/modules/nixos/vaultwarden.nix
index 2475ed3..2aaecf2 100644
--- a/modules/nixos/vaultwarden.nix
+++ b/modules/nixos/vaultwarden.nix
@@ -104,33 +104,39 @@ in {
 ];
 };
- fail2ban.jails = mkIf config.nixfiles.modules.fail2ban.enable {
- vaultwarden = ''
- enabled = true
- filter = vaultwarden
- port = http,https
- '';
- vaultwarden-admin = ''
- enabled = true
- filter = vaultwarden-admin
- port = http,https
- '';
+ fail2ban.jails = {
+ vaultwarden = {
+ enabled = true;
+ settings = {
+ filter = "vaultwarden";
+ port = "http,https";
+ };
+ };
+ vaultwarden-admin = {
+ enabled = true;
+ settings = {
+ filter = "vaultwarden-admin";
+ port = "http,https";
+ };
+ };
 };
 };
- environment.etc = mkIf config.nixfiles.modules.fail2ban.enable {
- "fail2ban/filter.d/vaultwarden.conf".text = ''
- [Definition]
- failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
- ignoreregex =
- journalmatch = _SYSTEMD_UNIT=vaultwarden.service
- '';
- "fail2ban/filter.d/vaultwarden-admin.conf".text = ''
- [Definition]
- failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
- ignoreregex =
- journalmatch = _SYSTEMD_UNIT=vaultwarden.service
- '';
+ environment.etc = {
+ "fail2ban/filter.d/vaultwarden.conf".text = generators.toINI {} {
+ Definition = {
+ failregex = "^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$";
+ ignoreregex = "";
+ journalmatch = "_SYSTEMD_UNIT=vaultwarden.service";
+ };
+ };
+ "fail2ban/filter.d/vaultwarden-admin.conf".text = generators.toINI {} {
+ Definition = {
+ failregex = "^.*Invalid admin token\. IP: <ADDR>.*$";
+ ignoreregex = "";
+ journalmatch = "_SYSTEMD_UNIT=vaultwarden.service";
+ };
+ };
 };
 };
 } |
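Review bot: The new double-quoted `failregex` values silently lose their backslashes, because inside a Nix `"…"` string `\.` is an escape sequence that evaluates to a bare `.`, whereas the removed `''…''` indented strings passed `\.` through to the INI file literally; the generated filters now match `IP: <ADDR>` followed by any character rather than a literal dot, which loosens both patterns (they still hit the intended log lines, but not by design). Write them as `failregex = "^.*Username or password is incorrect\\. Try again\\. IP: <ADDR>\\. Username:.*$";` and `failregex = "^.*Invalid admin token\\. IP: <ADDR>.*$";` so the rendered `filter.d` content is byte-identical to the previous version. The `mkIf config.nixfiles.modules.fail2ban.enable` guard is also dropped from both `fail2ban.jails` and `environment.etc`, so the two filter files are now installed under `/etc/fail2ban/filter.d/` on hosts where that module is disabled; if this is deliberate it deserves a short comment, otherwise the guard should at least be restored on `environment.etc`. `generators` is presumably brought in by the file's `let`/`with lib;` header, which lies outside the hunk; worth confirming since the hunk is the first use of it here.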