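# fail2ban fragment shared by hosts in nix-infra.
#
# The settings under `services.fail2ban` are global: they apply to every
# jail defined below and to whatever default jails the NixOS module
# enables on its own (NOTE(review): the module is believed to enable an
# sshd jail by default — confirm before relying on the numbers here).
{ config, pkgs, ... }: {
  services.fail2ban = {
    enable = true;

    # Failures tolerated within the module's default `findtime` before a
    # ban. 10 is lenient for password-guessing jails; tighten it (globally
    # or per jail) if SSH or a login form on this host faces the internet.
    maxretry = 10;

    # Sources that are never banned. The two RFC 1918 ranges mean a
    # compromised host anywhere on the internal network can brute-force
    # without ever being blocked, and the single public address is a
    # standing exemption for whoever holds it — keep this list as short as
    # the operational need allows. NOTE(review): if nginx sits behind a
    # reverse proxy inside one of these ranges, the logged client address
    # is the proxy's and the nginx jails will never ban anything — confirm.
    ignoreIP = [ "127.0.0.0/8" "10.0.0.0/8" "192.168.0.0/16" "78.94.116.222" ];

    # Escalate the ban duration for repeat offenders instead of using a
    # fixed `bantime`.
    bantime-increment.enable = true;

    # Action used by jails that ban on every port. The plain `iptables`
    # action only blocks a single `port` (its default is ssh), which
    # silently defeats this option for the jails that rely on it;
    # `iptables-allports` is the all-ports variant the option is meant for.
    banaction-allports = "iptables-allports";

    jails = {
      # Bans clients that accumulate too many 4xx responses; uses the
      # nginx-deny filter installed below (jail name == filter name).
      # Currently disabled — set `enabled = true` to activate. Be aware the
      # filter also counts 401 and 429, so users who mistype basic-auth
      # credentials or trip a rate limit are banned after `maxretry` hits.
      nginx-deny = ''
        enabled = false
        backend = auto
        logpath = /var/log/nginx/*access.log
      '';

      # Stock fail2ban jail/filter (not defined in this file); uses the
      # upstream defaults for logpath and filter.
      nginx-botsearch = ''
        enabled = true
      '';

      # Stock fail2ban jail/filter (not defined in this file).
      # NOTE(review): the upstream definition reads a log file under
      # /var/log/grafana; confirm it exists on this host, otherwise the
      # jail fails to start.
      grafana = ''
        enabled = true
      '';
    };
  };

  # Filter for the nginx-deny jail above. Matches access-log lines that
  # start with the client address (`<HOST>` is fail2ban's placeholder) and
  # carry one of the listed client-error status codes. The regex is kept
  # byte-identical to the original; `ignoreregex` is intentionally empty.
  environment.etc."fail2ban/filter.d/nginx-deny.conf".text = ''
    [Definition]
    failregex = ^<HOST>.*"(GET|HEAD|POST|PUT|DELETE).*" (400|401|403|405|413|429) .*$
    ignoreregex =
  '';
}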