feat: add fail2ban to hyp-01

Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>

hosts/hyp-01/default.nix

@@ -17,6 +17,7 @@
 
     ./modules/boot.nix
     ./modules/disko.nix
+    ./modules/fail2ban.nix
     ./modules/impermanence.nix
     ./modules/networking.nix
     ./modules/users.nix

hosts/hyp-01/modules/fail2ban.nix

@@ -0,0 +1,23 @@
+{ pkgs, ... }:
+{
+  environment.etc = {
+    "fail2ban/filter.d/nginx-bruteforce.conf".text = ''
+      [Definition]
+      failregex = ^<HOST>.*GET.*(matrix/server|\.php|admin|wp\-).* HTTP/\d.\d\" 404.*$
+    '';
+  };
+
+  services.fail2ban = {
+    enable = true;
+
+    ignoreIP = [
+      "100.64.0.0/24" # tailnet
+    ];
+
+    maxretry = 3;
+    bantime = "2h";
+
+    extraPackages = [ pkgs.ipset ];
+    banaction = "iptables-ipset-proto6-allports";
+  };
+}