From 138ff2ae32facaf4f2c072115b1b0f64f05f615a Mon Sep 17 00:00:00 2001 From: Azat Bahawi Date: Thu, 13 Jul 2023 07:39:07 +0300 Subject: 2023-07-13 --- modules/nixos/fail2ban.nix | 4 +--- modules/nixos/nginx.nix | 8 ++----- modules/nixos/nsd.nix | 4 +--- modules/nixos/openssh.nix | 12 ++++++---- modules/nixos/shadowsocks.nix | 12 ++++++---- modules/nixos/vaultwarden.nix | 54 ++++++++++++++++++++++++------------------- 6 files changed, 48 insertions(+), 46 deletions(-) (limited to 'modules/nixos') diff --git a/modules/nixos/fail2ban.nix b/modules/nixos/fail2ban.nix index a42aab3..ce35c1f 100644 --- a/modules/nixos/fail2ban.nix +++ b/modules/nixos/fail2ban.nix @@ -26,9 +26,7 @@ in { optionals (hasAttr "wireguard" this) (with config.nixfiles.modules.wireguard; [ipv4.subnet ipv6.subnet]); - jails.DEFAULT = '' - blocktype = DROP - ''; + jails.DEFAULT.settings.blocktype = "DROP"; }; }; } diff --git a/modules/nixos/nginx.nix b/modules/nixos/nginx.nix index b8ab24d..411bb0d 100644 --- a/modules/nixos/nginx.nix +++ b/modules/nixos/nginx.nix @@ -79,12 +79,8 @@ in { }; fail2ban.jails = { - nginx-http-auth = '' - enabled = true - ''; - nginx-botsearch = '' - enabled = true - ''; + nginx-http-auth.enabled = true; + nginx-botsearch.enabled = true; }; prometheus.exporters.nginx = { diff --git a/modules/nixos/nsd.nix b/modules/nixos/nsd.nix index f8d9e4b..0060a14 100644 --- a/modules/nixos/nsd.nix +++ b/modules/nixos/nsd.nix @@ -201,9 +201,7 @@ in { ]; }; - fail2ban.jails.nsd = '' - enabled = true - ''; + fail2ban.jails.nsd.enabled = true; }; networking.firewall = rec { diff --git a/modules/nixos/openssh.nix b/modules/nixos/openssh.nix index 22e4b51..4324e45 100644 --- a/modules/nixos/openssh.nix +++ b/modules/nixos/openssh.nix 
@@ -44,11 +44,13 @@ in { }; }; - fail2ban.jails.sshd = '' - enabled = true - mode = aggressive - port = ${toString cfg.server.port} - ''; + fail2ban.jails.sshd = { + enabled = true; + settings = { + mode = "aggressive"; + inherit (cfg.server) port; + }; + }; }; }; } diff --git a/modules/nixos/shadowsocks.nix b/modules/nixos/shadowsocks.nix index f9997ba..7307933 100644 --- a/modules/nixos/shadowsocks.nix +++ b/modules/nixos/shadowsocks.nix @@ -29,11 +29,13 @@ in { mode = "tcp_only"; }; - fail2ban.jails.shadowsocks-libev = '' - enabled = true - filter = shadowsocks-libev - port = ${toString cfg.port} - ''; + fail2ban.jails.shadowsocks-libev = { + enabled = true; + settings = { + filter = "shadowsocks-libev"; + inherit (cfg) port; + }; + }; }; systemd.services.shadowsocks-libev.path = with pkgs; diff --git a/modules/nixos/vaultwarden.nix b/modules/nixos/vaultwarden.nix index 2475ed3..2aaecf2 100644 --- a/modules/nixos/vaultwarden.nix +++ b/modules/nixos/vaultwarden.nix 
@@ -104,33 +104,39 @@ in { ]; }; - fail2ban.jails = mkIf config.nixfiles.modules.fail2ban.enable { - vaultwarden = '' - enabled = true - filter = vaultwarden - port = http,https - ''; - vaultwarden-admin = '' - enabled = true - filter = vaultwarden-admin - port = http,https - ''; + fail2ban.jails = { + vaultwarden = { + enabled = true; + settings = { + filter = "vaultwarden"; + port = "http,https"; + }; + }; + vaultwarden-admin = { + enabled = true; + settings = { + filter = "vaultwarden-admin"; + port = "http,https"; + }; + }; }; }; - environment.etc = mkIf config.nixfiles.modules.fail2ban.enable { - "fail2ban/filter.d/vaultwarden.conf".text = '' - [Definition] - failregex = ^.*Username or password is incorrect\. Try again\. IP: \. Username:.*$ - ignoreregex = - journalmatch = _SYSTEMD_UNIT=vaultwarden.service - ''; - "fail2ban/filter.d/vaultwarden-admin.conf".text = '' - [Definition] - failregex = ^.*Invalid admin token\. IP: .*$ - ignoreregex = - journalmatch = _SYSTEMD_UNIT=vaultwarden.service - ''; + environment.etc = { + "fail2ban/filter.d/vaultwarden.conf".text = generators.toINI {} { + Definition = { + failregex = "^.*Username or password is incorrect\. Try again\. IP: \. Username:.*$"; + ignoreregex = ""; + journalmatch = "_SYSTEMD_UNIT=vaultwarden.service"; + }; + }; + "fail2ban/filter.d/vaultwarden-admin.conf".text = generators.toINI {} { + Definition = { + failregex = "^.*Invalid admin token\. IP: .*$"; + ignoreregex = ""; + journalmatch = "_SYSTEMD_UNIT=vaultwarden.service"; + }; + }; }; }; } -- cgit 1.4.1
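Review bot: Converting the two failregex values from `''` indented strings to double-quoted strings changes their escaping: Nix reads `\.` inside `"..."` as a plain `.`, so the generated filter.d files now carry `incorrect. Try again. IP:` with unescaped dots (an any-character match) instead of the literal `\.` the old indented strings emitted, and the same happens to the admin filter's `token\.`. Keep each regex in an indented string, e.g. `failregex = ''^.*Invalid admin token\. IP: .*$'';`, or double every backslash in the double-quoted form. As rendered here neither failregex has a `<HOST>` capture between `IP:` and the following token; if that is the source rather than a rendering artifact, fail2ban has no address to extract on a match and neither jail can ban, which is worth confirming against the installed filter. The hunk also drops both `mkIf config.nixfiles.modules.fail2ban.enable` guards, so the jail definitions and the /etc/fail2ban/filter.d files are produced whenever this module is active unless the enclosing block (which starts and ends outside the hunk) already conditions on fail2ban, and the `generators.toINI` reference likewise presumes `lib.generators` is in scope above.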