feat(servers): secure them even more.

2025-10-16 22:33:26 +02:00 · 2025-10-16 22:33:26 +02:00 · 636ef55e50
commit 636ef55e50
parent bda1048f47
2 changed files with 39 additions and 0 deletions
--- a/modules/servers/general/openssh.nix
+++ b/modules/servers/general/openssh.nix
@ -21,8 +21,16 @@

  services.fail2ban = {
    enable = true;
+    maxretry = 5;
    ignoreIP = [
      "65.21.241.194"
    ];
+    bantime = "24h"; # Ban IPs for one day on the first ban
+    bantime-increment = {
+      enable = true; # Enable increment of bantime after each violation
+      multipliers = "1 2 4 8 16 32 64";
+      maxtime = "168h"; # Do not ban for more than 1 week
+      overalljails = true; # Calculate the bantime based on all the violations
+    };
  };
 }
--- a/modules/servers/general/traefik.nix
+++ b/modules/servers/general/traefik.nix
@ -4,6 +4,14 @@
    staticConfigOptions = {
      serversTransport.insecureSkipVerify = true;
      log = {level = "DEBUG";};
+      experimental = {
+        plugins = {
+          fail2ban = {
+            moduleName = "github.com/tomMoulard/fail2ban";
+            version = "v0.8.7";
+          };
+        };
+      };
      certificatesResolvers = {
        porkbun = {
          acme = {
@ -32,6 +40,29 @@
        };
        websecure = {
          address = ":443";
+          http.middlewares = [
+            "fail2ban"
+          ];
+        };
+      };
+    };
+    dynamicConfigOptions.http = {
+      middlewares = {
+        fail2ban = {
+          plugin = {
+            fail2ban = {
+              rules = {
+                bantime = "168h";
+                enabled = true;
+                findtime = "10m";
+                maxretry = 4;
+                statuscode = "400,401,403-499";
+              };
+              allowlist = {
+                ip = ["65.21.241.194"];
+              };
+            };
+          };
        };
      };
    };