setup fail2ban

block tor exit nodes
Lyn Fugmann 2023-10-04 18:49:12 +02:00
parent 23fb7747fb
commit d48fb6c13a
Signed by: fugi
GPG key ID: 4472A20091BFA792
2 changed files with 41 additions and 0 deletions


@ -56,6 +56,7 @@
./modules/course-management.nix ./modules/course-management.nix
./modules/courses-phil.nix ./modules/courses-phil.nix
./modules/gitea.nix ./modules/gitea.nix
./modules/fail2ban.nix
{ {
sops.defaultSopsFile = ./secrets/quitte.yaml; sops.defaultSopsFile = ./secrets/quitte.yaml;
} }

40
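--- /dev/null
+++ b/modules/fail2ban.nix
@@ -0,0 +1,40 @@
+{ config, lib, pkgs, ... }:
+{
+services.fail2ban = {
+enable = true;
+jails = {
+tor = ''
+enabled = true
+bantime = 25h
+action = iptables-allports[name=fail2banTOR, protocol=all]
+'';
+};
+};
+environment.etc = {
+# dummy filter
+"fail2ban/filter.d/tor.conf".text = ''
+[Definition]
+failregex =
+ignoreregex =
+'';
+};
+systemd.services."fail2ban-tor" = {
+script = ''
+${lib.getExe pkgs.curl} -fsSL "https://check.torproject.org/torbulkexitlist" | sed '/^#/d' | while read IP; do
+${config.services.fail2ban.package}/bin/fail2ban-client set "tor" banip "$IP" > /dev/null
+done
+'';
+};
+systemd.timers."fail2ban-tor" = {
+wantedBy = [ "timers.target" ];
+timerConfig = {
+OnCalendar = "daily";
+Persistent = true;
+Unit = "fail2ban-tor.service";
+};
+};
+}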
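Review bot: The `fail2ban-tor` service declares no `after`/`requires` on `fail2ban.service` or `network-online.target`, so when the daily timer fires before fail2ban is running or before the network is up, every `fail2ban-client set "tor" banip` call fails, and a failed download leaves the loop with empty input and the unit exiting 0 because nothing in the pipeline sets `pipefail`. The loop also hands each downloaded line to `banip` unvalidated: the remote list is trusted to the extent that `sed '/^#/d'` filters it, so any line that is not an address reaches fail2ban-client verbatim, and `read` without `-r` additionally mangles backslashes. I would order the unit after fail2ban and the network, enable `pipefail`, and keep only lines that look like an address before banning them, as below. The `bantime = 25h` paired with a daily timer looks intentional (each run refreshes bans shortly before they expire), but a comment on the jail saying so, e.g. `# 25h so bans outlive the daily refresh run`, would save the next reader the arithmetic.
```nix
systemd.services."fail2ban-tor" = {
  after = [ "network-online.target" "fail2ban.service" ];
  wants = [ "network-online.target" ];
  requires = [ "fail2ban.service" ];
  script = ''
    set -o pipefail
    ${lib.getExe pkgs.curl} -fsSL "https://check.torproject.org/torbulkexitlist" \
      | sed '/^#/d' \
      | grep -Ex '[0-9a-fA-F.:]+' \
      | while read -r IP; do
      ${config.services.fail2ban.package}/bin/fail2ban-client set "tor" banip "$IP" > /dev/null
    done
  '';
};
```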