From a9c1c37c71bdee82d21ab227ec590c117a20f7b1 Mon Sep 17 00:00:00 2001
From: uttarayan21
Date: Fri, 22 Nov 2024 21:45:51 +0530
Subject: [PATCH] feat: Added fail2ban

---
nixos/mirai/services.nix | 45 ++++++++++++++++++++++++++++++++++------
1 file changed, 39 insertions(+), 6 deletions(-)

diff --git a/nixos/mirai/services.nix b/nixos/mirai/services.nix
index 4a415522..bce88b53 100644
--- a/nixos/mirai/services.nix
+++ b/nixos/mirai/services.nix
@@ -18,15 +18,22 @@
# instances.darksailor = { # enable = false; # settings = { - # # server = { # # address = "unix:///run/authelia/authelia.sock"; # # }; # # session.domain = "auth.darksailor.dev"; + # authentication_backend = { # password_reset.disable = false; # file = {}; # }; # access_control = { - # rules = { + # default_policy = "one_factor"; # }; # storage = { # local = { # path = "/var/lib/authelia/darksailor.sqlite3"; # }; # }; - # storage = "local"; + # theme = "dark"; # server = { # address = "127.0.0.1:5555"; # }; # }; # secrets = { # jwtSecretFile = config.sops.secrets."authelia/darksailor/jwtSecret".path; 
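Review bot: The commented-out Authelia template now carries `file = {};` under `authentication_backend`, and Authelia's file backend needs a `path` to its users database, so this block would fail config validation the moment it is uncommented; something like `file.path = "/var/lib/authelia-darksailor/users.yml";` (wherever the users file will actually live) would make the template usable as-is. Nothing changes at runtime because the instance stays `enable = false`, but `access_control.default_policy = "one_factor"` and `password_reset.disable = false` are the permissive choices, so a one-line comment recording that they are deliberate for this deployment would save a later reader from guessing. The `storage.local.path` under `/var/lib/authelia/` also looks inconsistent with what I believe is the NixOS module's per-instance state directory (`authelia-<instance>`); confirm before enabling. The enclosing `authelia` block starts before this hunk and its `secrets` section continues after it.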
@@ -34,6 +41,29 @@
# }; # }; # }; + fail2ban = { enable = true; bantime = "24h"; # Ban IPs for one day on the first ban bantime-increment = { enable = true; # Enable increment of bantime after each violation # formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)"; multipliers = "1 2 4 8 16 32 64"; maxtime = "168h"; # Do not ban for more than 1 week overalljails = true; # Calculate the bantime based on all the violations }; jails.apache-nohome-iptables.settings = { # Block an IP address if it accesses a non-existent # home directory more than 5 times in 10 minutes, # since that indicates that it's scanning. filter = "apache-nohome"; action = ''iptables-multiport[name=HTTP, port="http,https"]''; logpath = "/var/log/httpd/error_log*"; backend = "auto"; findtime = 600; bantime = 600; maxretry = 5; }; }; tailscale = { enable = true; };
@@ -94,6 +124,9 @@
virtualHosts."llama.darksailor.dev".extraConfig = '' reverse_proxy localhost:3000 ''; + virtualHosts."auth.darksailor.dev".extraConfig = '' reverse_proxy localhost:5555 ''; }; }; }
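Review bot: The `apache-nohome-iptables` jail watches `/var/log/httpd/error_log*`, but nothing in this file points at Apache — the vhosts further down use `reverse_proxy` in the Caddy style — so that glob will match no file, fail2ban will not start a jail whose `logpath` resolves to nothing, and the jail is dead config (it reads as the verbatim example from the NixOS `services.fail2ban.jails` option docs). Either drop it or point `filter`/`logpath` at the web server actually in use; as written, the only effective coverage is whatever jails the NixOS module enables by default, presumably sshd. Two caveats a practitioner would want here: hard-coding `iptables-multiport` in `action` bypasses the module's switch to `nftables-multiport` when `networking.nftables.enable` is set, so prefer the module's default `banaction`; and with Tailscale enabled in the same block, `ignoreIP = [ "100.64.0.0/10" ];` (plus any management LAN) guards against a 24h self-lockout after a few mistyped passwords. The per-jail `bantime = 600` silently overrides the global `bantime = "24h"` for that jail, and a comment stating that this is intentional would help.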
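Review bot: The new `auth.darksailor.dev` vhost proxies to `localhost:5555`, but the only thing in this file bound to that port is the Authelia instance in the commented-out block above, which is also `enable = false`, so until that is turned on this public hostname answers with an upstream error from a listener that does not exist. Gate the vhost on the backend so the two cannot drift apart, e.g. `virtualHosts."auth.darksailor.dev" = lib.mkIf config.services.authelia.instances.darksailor.enable { extraConfig = ''reverse_proxy localhost:5555''; };` (assuming `lib` is in scope in this module). The enclosing server block, presumably `services.caddy`, starts before this hunk.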