Improve fail2ban config

common/fragments/fail2ban.nix

@@ -4,25 +4,27 @@
     maxretry = 10;
     ignoreIP = [ "127.0.0.0/8" "10.0.0.0/8" "192.168.0.0/16" "78.94.116.222" ];
     bantime-increment.enable = true;
+    banaction-allports = "iptables";
 
     jails = {
-      nginx-bad-request = ''
+      nginx-deny = ''
         enabled  = true
-        action   = iptables[type=allports]
+        backend  = auto
+        logpath  = /var/log/nginx/*access.log
+      '';
+      nginx-botsearch = ''
+        enabled = true
       '';
       grafana = ''
         enabled  = true
-        action   = iptables[type=allports]
       '';
     };
   };
 
-  # Workaround for nginx-bad-request not being included
+  environment.etc."fail2ban/filter.d/nginx-deny.conf".text = ''
-  environment.etc."fail2ban/filter.d/nginx-bad-request.conf".source =
+    [Definition]
-    pkgs.fetchurl {
+    failregex =  ^<HOST>.*"(GET|HEAD|POST|PUT|DELETE).*" (400|401|403|405|413|429) .*$
-      url =
+    ignoreregex =
-        "https://raw.githubusercontent.com/fail2ban/fail2ban/master/config/filter.d/nginx-bad-request.conf";
+  '';
-      sha256 = "sha256-fCxNQpN+IAY+2kfeOmunmtipxTjS0gHauTBIKiCtjDY=";
-    };
 }
 

hosts/bloodletting/configuration.nix

@@ -52,7 +52,7 @@
 
   # Open ports in the firewall.
   networking.firewall = {
-    allowedTCPPorts = [ 20 21 22 80 443 990 6162 ];
+    allowedTCPPorts = [ 20 21 22 80 443 990 ];
     allowedTCPPortRanges = [{
       from = 40000;
       to = 40200;