From 6e69171320825dd86cf4cd02948c6339218967e8 Mon Sep 17 00:00:00 2001 From: k Date: Sun, 10 May 2026 15:42:33 -0400 Subject: [PATCH] port and fail2ban update --- hosts/server/service.nix | 43 +++++++++++++++++++++++++++++++++++++--- 1 file changed, 40 insertions(+), 3 deletions(-) diff --git a/hosts/server/service.nix b/hosts/server/service.nix index 943a3e1..a7ab35e 100644 --- a/hosts/server/service.nix +++ b/hosts/server/service.nix @@ -6,8 +6,8 @@ networking = { firewall = { enable = true; - allowedTCPPorts = [80 443 22 25565 26615 8080 53 19132]; - allowedUDPPorts = [26615 8080 1900 51820 53 19132]; + allowedTCPPorts = [80 443 51820 2020 26615]; + allowedUDPPorts = [51820 24454 26615]; }; nat.externalInterface = "wlp0s20f3"; nat.internalInterfaces = ["wg0"]; @@ -54,7 +54,44 @@ jellyfin = {enable = true;}; - fail2ban = {enable = true;}; + fail2ban = { + enable = true; + jails = { + nginx-http-auth = { + settings = { + enabled = true; + port = "http,https"; + logpath = "/var/log/nginx/error.log"; + # "auto" or "polling" is required for file-based logs on NixOS + backend = "auto"; + }; + }; + + nginx-botsearch = { + settings = { + enabled = true; + port = "http,https"; + logpath = "/var/log/nginx/access.log"; + backend = "auto"; + maxretry = 2; + }; + }; + recidive = { + settings = { + enabled = true; + port = "allports"; + protocol = "all"; + # Look for 'Ban' messages in fail2ban's own log + backend = "systemd"; + #logpath = "/var/log/fail2ban.log"; + #backend = "auto"; + bantime = "1w"; # Ban for 1 week + findtime = "1d"; # Look back 1 day + maxretry = 5; # If they were banned 5 times in 24 hours + }; + }; + }; + }; postgresql = {enable = true;};
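Review bot: The new allowedTCPPorts list opens 51820 over TCP although the wg0 interface configured two lines below speaks WireGuard, which is UDP only, so the TCP entry adds exposure without serving the tunnel; keeping 51820 in allowedUDPPorts alone is enough unless some other listener uses that port. The same list drops port 22 while nothing in the commit touches sshd; on NixOS the openssh module opens its own port when `services.openssh.openFirewall` is left at its default, so confirm that before deploying or the host loses remote access. Neither 2020/TCP nor 24454/UDP is explained anywhere; a per-port comment such as `allowedTCPPorts = [80 443 2020 26615]; # 80/443 nginx, 2020 <service>, 26615 <service>` (placeholders) would make the next audit of this list trivial. The enclosing networking block ends outside the hunk.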
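Review bot: The `recidive` jail bans on all ports for `bantime = "1w"` but the commit sets no `ignoreIP`, so an operator whose own client trips the nginx jails five times in a day is locked out of every service for a week; adding the management networks to the fail2ban block, e.g. `services.fail2ban.ignoreIP = [ "<wg0 subnet>" "<LAN subnet>" ];` (placeholder values), keeps the bans aimed at outsiders. The two commented-out `logpath`/`backend` lines under `recidive` are dead configuration sitting next to the active `backend = "systemd"`; drop them or replace them with one comment saying the journal backend is used because fail2ban on this host logs to the journal. The nginx jails assume nginx writes to `/var/log/nginx/error.log` and `/var/log/nginx/access.log`; that matches the NixOS nginx defaults as far as I recall, but if this host overrides the log paths the jails watch nothing and fail silently, so a comment tying the paths to the nginx configuration is worth adding. The fail2ban attrset is complete within the hunk; the surrounding services block starts and ends outside it.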