added more fail2ban fiters

2025-03-27 15:40:42 +01:00 · 2025-03-27 15:40:42 +01:00 · 8d848d0c7b
parent 871658d3e8
commit 8d848d0c7b
2 changed files with 48 additions and 2 deletions
--- a/services/.auto-torrent.nix.swp
+++ b/services/.auto-torrent.nix.swp
--- a/services/fail2ban.nix
+++ b/services/fail2ban.nix
@ -35,7 +35,6 @@
          bantime = "24h";
          findtime = "30m";
          journalmatch = "_SYSTEMD_UNIT=jellyfin.service";
-          # logpath = "/var/lib/jellyfin/log/*.log";
        };
      };

@ -49,9 +48,46 @@
          bantime = "24h";
          findtime = "30m";
          journalmatch = "_SYSTEMD_UNIT=forgejo.service";
-          # logpath = "/var/lib/forgejo/log/*.log";
        };
      };
+
+      sonarr = lib.mkIf (config.microvm.vms."auto-torrent" != null) {
+        settings = {
+          filter = "arr";
+          backend = "auto";
+          enabled = true;
+          port = "80,443";
+          maxretry = 8;
+          bantime = "24h";
+          findtime = "30m";
+          logpath = "/var/lib/auto-torrent/sonarr/logs/*.txt";
+        };
+      };
+      radarr = lib.mkIf (config.microvm.vms."auto-torrent" != null) {
+        settings = {
+          filter = "arr";
+          backend = "auto";
+          enabled = true;
+          port = "80,443";
+          maxretry = 8;
+          bantime = "24h";
+          findtime = "30m";
+          logpath = "/var/lib/auto-torrent/radarr/logs/*.txt";
+        };
+      };
+    };
+
+    vaultwarden = lib.mkIf config.services.vaultwarden.enable {
+        settings = {
+          filter = "vaultwarden";
+          backend = "systemd";
+          enabled = true;
+          port = "80,443";
+          maxretry = 8;
+          bantime = "24h";
+          findtime = "30m";
+          journalmatch = "_SYSTEMD_UNIT=vaultwarden.service";
+        };
    };
  };

@ -66,6 +102,16 @@
      [Definition]
      failregex = ^.*Failed authentication attempt for .* from <ADDR>.*$
    '');
+    # *arr
+    "fail2ban/filter.d/arr.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+      [Definition]
+      failregex = ^.*Auth-Failure ip <ADDR> username.*$
+    '');
+    # Vaultwarden
+    "fail2ban/filter.d/arr.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+      [Definition]
+      failregex = ^.*Username or password is incorrect. Try again. IP: <ADDR>\. Username: .*$
+    '');
    # Defines a filter that detects URL probing by reading the Nginx access log
    "fail2ban/filter.d/nginx-url-probe.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
      [Definition]