about summary refs log tree commit diff
path: root/modules/nixos
diff options
context:
space:
mode:
Diffstat (limited to 'modules/nixos')
-rw-r--r--modules/nixos/fail2ban.nix4
-rw-r--r--modules/nixos/nginx.nix8
-rw-r--r--modules/nixos/nsd.nix4
-rw-r--r--modules/nixos/openssh.nix12
-rw-r--r--modules/nixos/shadowsocks.nix12
-rw-r--r--modules/nixos/vaultwarden.nix54
6 files changed, 48 insertions, 46 deletions
diff --git a/modules/nixos/fail2ban.nix b/modules/nixos/fail2ban.nix
index a42aab3..ce35c1f 100644
--- a/modules/nixos/fail2ban.nix
+++ b/modules/nixos/fail2ban.nix
@@ -26,9 +26,7 @@ in {
         optionals (hasAttr "wireguard" this)
         (with config.nixfiles.modules.wireguard; [ipv4.subnet ipv6.subnet]);
 
-      jails.DEFAULT = ''
-        blocktype = DROP
-      '';
+      jails.DEFAULT.settings.blocktype = "DROP";
     };
   };
 }
diff --git a/modules/nixos/nginx.nix b/modules/nixos/nginx.nix
index b8ab24d..411bb0d 100644
--- a/modules/nixos/nginx.nix
+++ b/modules/nixos/nginx.nix
@@ -79,12 +79,8 @@ in {
       };
 
       fail2ban.jails = {
-        nginx-http-auth = ''
-          enabled = true
-        '';
-        nginx-botsearch = ''
-          enabled = true
-        '';
+        nginx-http-auth.enabled = true;
+        nginx-botsearch.enabled = true;
       };
 
       prometheus.exporters.nginx = {
diff --git a/modules/nixos/nsd.nix b/modules/nixos/nsd.nix
index f8d9e4b..0060a14 100644
--- a/modules/nixos/nsd.nix
+++ b/modules/nixos/nsd.nix
@@ -201,9 +201,7 @@ in {
             ];
       };
 
-      fail2ban.jails.nsd = ''
-        enabled = true
-      '';
+      fail2ban.jails.nsd.enabled = true;
     };
 
     networking.firewall = rec {
diff --git a/modules/nixos/openssh.nix b/modules/nixos/openssh.nix
index 22e4b51..4324e45 100644
--- a/modules/nixos/openssh.nix
+++ b/modules/nixos/openssh.nix
@@ -44,11 +44,13 @@ in {
         };
       };
 
-      fail2ban.jails.sshd = ''
-        enabled = true
-        mode = aggressive
-        port = ${toString cfg.server.port}
-      '';
+      fail2ban.jails.sshd = {
+        enabled = true;
+        settings = {
+          mode = "aggressive";
+          inherit (cfg.server) port;
+        };
+      };
     };
   };
 }
diff --git a/modules/nixos/shadowsocks.nix b/modules/nixos/shadowsocks.nix
index f9997ba..7307933 100644
--- a/modules/nixos/shadowsocks.nix
+++ b/modules/nixos/shadowsocks.nix
@@ -29,11 +29,13 @@ in {
         mode = "tcp_only";
       };
 
-      fail2ban.jails.shadowsocks-libev = ''
-        enabled = true
-        filter = shadowsocks-libev
-        port = ${toString cfg.port}
-      '';
+      fail2ban.jails.shadowsocks-libev = {
+        enabled = true;
+        settings = {
+          filter = "shadowsocks-libev";
+          inherit (cfg) port;
+        };
+      };
     };
 
     systemd.services.shadowsocks-libev.path = with pkgs;
diff --git a/modules/nixos/vaultwarden.nix b/modules/nixos/vaultwarden.nix
index 2475ed3..2aaecf2 100644
--- a/modules/nixos/vaultwarden.nix
+++ b/modules/nixos/vaultwarden.nix
@@ -104,33 +104,39 @@ in {
           ];
         };
 
-        fail2ban.jails = mkIf config.nixfiles.modules.fail2ban.enable {
-          vaultwarden = ''
-            enabled = true
-            filter = vaultwarden
-            port = http,https
-          '';
-          vaultwarden-admin = ''
-            enabled = true
-            filter = vaultwarden-admin
-            port = http,https
-          '';
+        fail2ban.jails = {
+          vaultwarden = {
+            enabled = true;
+            settings = {
+              filter = "vaultwarden";
+              port = "http,https";
+            };
+          };
+          vaultwarden-admin = {
+            enabled = true;
+            settings = {
+              filter = "vaultwarden-admin";
+              port = "http,https";
+            };
+          };
         };
       };
 
-      environment.etc = mkIf config.nixfiles.modules.fail2ban.enable {
-        "fail2ban/filter.d/vaultwarden.conf".text = ''
-          [Definition]
-          failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
-          ignoreregex =
-          journalmatch = _SYSTEMD_UNIT=vaultwarden.service
-        '';
-        "fail2ban/filter.d/vaultwarden-admin.conf".text = ''
-          [Definition]
-          failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
-          ignoreregex =
-          journalmatch = _SYSTEMD_UNIT=vaultwarden.service
-        '';
+      environment.etc = {
+        "fail2ban/filter.d/vaultwarden.conf".text = generators.toINI {} {
+          Definition = {
+            failregex = "^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$";
+            ignoreregex = "";
+            journalmatch = "_SYSTEMD_UNIT=vaultwarden.service";
+          };
+        };
+        "fail2ban/filter.d/vaultwarden-admin.conf".text = generators.toINI {} {
+          Definition = {
+            failregex = "^.*Invalid admin token\. IP: <ADDR>.*$";
+            ignoreregex = "";
+            journalmatch = "_SYSTEMD_UNIT=vaultwarden.service";
+          };
+        };
       };
     };
 }

Consider giving Nix/NixOS a try! <3