diff --git a/flake.nix b/flake.nix
index 10cbe22..8392cb7 100755
--- a/flake.nix
+++ b/flake.nix
@@ -56,6 +56,7 @@
 ./modules/course-management.nix
 ./modules/courses-phil.nix
 ./modules/gitea.nix
+ ./modules/fail2ban.nix
 {
 sops.defaultSopsFile = ./secrets/quitte.yaml;
 }
diff --git a/modules/fail2ban.nix b/modules/fail2ban.nix
new file mode 100644
index 0000000..f9d8183
--- /dev/null
+++ b/modules/fail2ban.nix
@@ -0,0 +1,40 @@
+{ config, lib, pkgs, ... }:
+{
+ services.fail2ban = {
+ enable = true;
+
+ jails = {
+ tor = ''
+ enabled = true
+ bantime = 25h
+ action = iptables-allports[name=fail2banTOR, protocol=all]
+ '';
+ };
+ };
+
+ environment.etc = {
+ # dummy filter
+ "fail2ban/filter.d/tor.conf".text = ''
+ [Definition]
+ failregex =
+ ignoreregex =
+ '';
+ };
+
+ systemd.services."fail2ban-tor" = {
+ script = ''
+ ${lib.getExe pkgs.curl} -fsSL "https://check.torproject.org/torbulkexitlist" | sed '/^#/d' | while read IP; do
+ ${config.services.fail2ban.package}/bin/fail2ban-client set "tor" banip "$IP" > /dev/null
+ done
+ '';
+ };
+
+ systemd.timers."fail2ban-tor" = {
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = "daily";
+ Persistent = true;
+ Unit = "fail2ban-tor.service";
+ };
+ };
+}
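Review bot: The `script` of `systemd.services."fail2ban-tor"` in the new modules/fail2ban.nix hands every non-comment line of the downloaded list to `fail2ban-client set "tor" banip` without checking that it is an address, and because the pipeline has no `pipefail` a failed `curl` just produces an empty loop and a unit that reports success (the `set -e` NixOS puts in front of `script` does not cover pipelines, as far as I can tell). A `grep -E '^[0-9A-Fa-f.:]+$'` stage after the `sed` and `read -r IP` keep blank or stray lines out of the ban list, and `set -o pipefail` makes a download failure visible in the journal rather than silently leaving the previous day's bans to expire. The service also declares no ordering against `fail2ban.service`, so with `Persistent = true` a missed run can fire at boot before the fail2ban socket exists; `after = [ "fail2ban.service" ]; requires = [ "fail2ban.service" ];` on the unit closes that gap. Note that with `pipefail` an empty upstream list makes `grep` exit 1 and the unit fail, which is a condition worth noticing anyway.
```nix
  systemd.services."fail2ban-tor" = {
    after = [ "fail2ban.service" ];
    requires = [ "fail2ban.service" ];
    script = ''
      set -o pipefail
      ${lib.getExe pkgs.curl} -fsSL "https://check.torproject.org/torbulkexitlist" \
        | sed '/^#/d' \
        | grep -E '^[0-9A-Fa-f.:]+$' \
        | while read -r IP; do
        ${config.services.fail2ban.package}/bin/fail2ban-client set "tor" banip "$IP" > /dev/null
      done
    '';
  };
  # … unchanged: services.fail2ban, environment.etc, systemd.timers …
```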