From 442dddd11e1affa443a9362a4795b9b9958bc0a8 Mon Sep 17 00:00:00 2001
From: Linnnus
Date: Thu, 13 Mar 2025 08:20:00 +0100
Subject: ahmed: Add basic fail2ban
---
 hosts/ahmed/nginx/default.nix | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
(limited to 'hosts/ahmed/nginx')
diff --git a/hosts/ahmed/nginx/default.nix b/hosts/ahmed/nginx/default.nix
index 24dde85..55e6925 100644
--- a/hosts/ahmed/nginx/default.nix
+++ b/hosts/ahmed/nginx/default.nix
@@ -15,4 +15,38 @@
 # Allow HTTP connections.
 networking.firewall.allowedTCPPorts = [80 443];
+
+ services.fail2ban = {
+ enable = true;
+
+ jails = {
+ "nginx-http-auth".settings = {
+ enabled = true;
+ port = "http,https";
+ filter = "nginx-http-auth";
+ logpath = "%(nginx_error_log)s";
+ };
+
+ "nginx-botsearch".settings = {
+ enabled = true;
+ port = "http,https";
+ filter = "nginx-botsearch";
+ logpath = "%(nginx_access_log)s";
+ };
+
+ "nginx-forbidden".settings = {
+ enabled = true;
+ port = "http,https";
+ filter = "nginx-forbidden";
+ logpath = "%(nginx_error_log)s";
+ };
+
+ "nginx-sslerror".settings = {
+ enabled = true;
+ port = "http,https";
+ filter = "nginx-bad-request";
+ logpath = "%(nginx_error_log)s";
+ };
+ };
+ };
 }
-- 
cgit v1.2.3
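Review bot: The last jail, `"nginx-sslerror"`, is wired to `filter = "nginx-bad-request"` and reads `%(nginx_error_log)s`, so its name does not describe what it bans and it is probably watching the wrong log: as far as I know the stock nginx-bad-request filter matches access-log lines with status 400, and fail2ban's own jail.conf pairs it with the access log. A jail whose filter never matches stays silent, so it would look enabled while banning nothing. I would rename it and point it at the access log, `"nginx-bad-request".settings = {` with `logpath = "%(nginx_access_log)s";`. It is also worth confirming with `fail2ban-client status <jail>` that every jail has a log source nginx actually writes to on this host, since the nginx logging setup sits outside this hunk, as does the start of the enclosing module.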