stuf + wake on lan

modules/networking.nix

@@ -10,6 +10,9 @@
     allowedUDPPorts = [];
   };
 
+  networking.wakeOnLan.enable = true;
+  networking.enp2s0.wakeOnLan.policy = "magic";
+
   networking.interfaces.enp2s0 = {
     ipv4.addresses = [
       {

services/fail2ban.nix

@@ -1,7 +1,20 @@
-{config, ...}: {
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}: {
   services.fail2ban = {
     enable = true;
 
+    bantime = "24h";
+    bantime-increment = {
+      enable = true;
+      formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(banFactor)";
+      maxtime = "6969h";
+      overalljails = true;
+    };
+
     jails = {
       dovecot = lib.mkIf config.services.dovecot2.enable {
         settings = {
@@ -13,9 +26,11 @@
       };
 
       jellyfin = lib.mkIf config.services.jellyfin.enable {
+        settings = {
+          filter = "jellyfin";
           backend = "auto";
           enabled = true;
-        port = [80 443];
+          port = "8096,8920";
           maxretry = 3;
           bantime = 86400;
           findtime = 43200;
@@ -23,4 +38,17 @@
         };
       };
     };
+  };
+
+  environment.etc = {
+    "fail2ban/filter.d/jellyfin.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+      [Definition]
+      failregex = ^.*Authentication request for .* has been denied \(IP: <ADDR>\)\.
+    '');
+    # Defines a filter that detects URL probing by reading the Nginx access log
+    "fail2ban/filter.d/nginx-url-probe.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+      [Definition]
+      failregex = ^<HOST>.*(GET /(wp-|admin|boaform|phpmyadmin|\.env|\.git)|\.(dll|so|cfm|asp)|(\?|&)(=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000|=PHPE9568F36-D428-11d2-A769-00AA001ACF42|=PHPE9568F35-D428-11d2-A769-00AA001ACF42|=PHPE9568F34-D428-11d2-A769-00AA001ACF42)|\\x[0-9a-zA-Z]{2})
+    '');
+  };
 }