From 86347a68de0ed0df233f4c7d385fc5e8f21f157d Mon Sep 17 00:00:00 2001
From: Lander Van den Bulcke
Date: Thu, 23 Oct 2025 21:39:19 +0200
Subject: [PATCH] feat: enable fail2ban

Signed-off-by: Lander Van den Bulcke
---
 hosts/servers/common.nix | 27 +++++++++++++++++++++++++++
 hosts/servers/hosting-01.nix | 12 ++++++++++++
 hosts/servers/hosting-02.nix | 19 +++++++++++++------
 hosts/servers/mail-01.nix | 20 ++++++++++++++++++++
 4 files changed, 72 insertions(+), 6 deletions(-)

diff --git a/hosts/servers/common.nix b/hosts/servers/common.nix
index 87e9701..2ca4e68 100644
--- a/hosts/servers/common.nix
+++ b/hosts/servers/common.nix
@@ -51,6 +51,33 @@
 '';
 };
 
+ environment.etc = {
+ "fail2ban/filter.d/nginx-bruteforce.conf".text = ''
+ [Definition]
+ failregex = ^.*GET.*(matrix/server|\.php|admin|wp\-).* HTTP/\d.\d\" 404.*$
+ '';
+
+ "fail2ban/filter.d/postfix-bruteforce.conf".text = ''
+ [Definition]
+ failregex = warning: [\w\.\-]+\[\]: SASL LOGIN authentication failed.*$
+ journalmatch = _SYSTEMD_UNIT=postfix.service
+ '';
+ };
+
+ services.fail2ban = {
+ enable = true;
+
+ ignoreIP = [
+ "100.64.0.0/24" # tailnet
+ ];
+
+ maxretry = 3;
+ bantime = "2h";
+
+ extraPackages = [ pkgs.ipset ];
+ banaction = "iptables-ipset-proto6-allports";
+ };
+
 sops.secrets.tailscale-authkey = {
 owner = "root";
 group = "root";
diff --git a/hosts/servers/hosting-01.nix b/hosts/servers/hosting-01.nix
index 12ae1ff..5ee3632 100644
--- a/hosts/servers/hosting-01.nix
+++ b/hosts/servers/hosting-01.nix
@@ -29,6 +29,18 @@ in
 ];
 };
 
+ services.fail2ban.jails = {
+ # max 6 failures in 600 seconds
+ "nginx-spam" = ''
+ enabled = true
+ filter = nginx-bruteforce
+ logpath = /var/log/nginx/access.log
+ backend = auto
+ maxretry = 6
+ findtime = 600
+ '';
+ };
+
 services.nginx = {
 enable = true;
 recommendedGzipSettings = true;
diff --git a/hosts/servers/hosting-02.nix b/hosts/servers/hosting-02.nix
index 603c55d..99496e8 100644
--- a/hosts/servers/hosting-02.nix
+++ b/hosts/servers/hosting-02.nix
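Review bot: `ignoreIP = [ "100.64.0.0/24" ]` with the comment `# tailnet` covers only 100.64.0.0–100.64.0.255; Tailscale (and headscale by default) hands out node addresses from the whole 100.64.0.0/10, so unless this tailnet was deliberately configured with a /24, most peers sit outside the allowlist and an admin connecting over it is a handful of failed logins or 404s away from a 2h all-ports ban — `"100.64.0.0/10" # tailnet` is the usual value. The `iptables-ipset-proto6-allports` banaction together with `pkgs.ipset` presumes iptables is the active firewall backend; if any host importing this file sets `networking.nftables.enable`, the bans would need the `nftables-allports` action instead, which this hunk does not let me confirm. On the two filters, this rendering has dropped angle-bracketed text (the author's e-mail address is missing from the `From:` and `Signed-off-by:` lines as well), so I read `\[\]` as `\[<HOST>\]` and assume the nginx pattern carries a `<HOST>` group too; if the committed file really lacks them, fail2ban has no address to extract and will refuse to load the filters.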
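Review bot: The `nginx-spam` jail added here is repeated verbatim in the hosting-02 and mail-01 hunks while the filter it names lives in common.nix; a single shared module, imported only by the hosts that actually run nginx (in my experience fail2ban refuses to start a jail whose `logpath` file is absent, so it cannot simply go into common.nix), would keep the three copies from drifting. The opaque `''…''` string also bypasses the module's type checking; recent NixOS releases accept `"nginx-spam".settings = { filter = "nginx-bruteforce"; logpath = "/var/log/nginx/access.log"; backend = "auto"; maxretry = 6; findtime = 600; };`, which validates the values and is easier to override per host. Note that the filter's `matrix/server` alternative will also match legitimate Matrix federation peers looking up `/.well-known/matrix/server` and getting a 404, so if any domain on this host is used as a Matrix server name those peers would be banned after six lookups in ten minutes.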
@@ -1,9 +1,4 @@
-{
- config,
- lib,
- pkgs,
- ...
-}:
+{ config, pkgs, ... }:
 
 {
 systemd.network.networks."30-wan".addresses = [
@@ -23,6 +18,18 @@
 ];
 };
 
+ services.fail2ban.jails = {
+ # max 6 failures in 600 seconds
+ "nginx-spam" = ''
+ enabled = true
+ filter = nginx-bruteforce
+ logpath = /var/log/nginx/access.log
+ backend = auto
+ maxretry = 6
+ findtime = 600
+ '';
+ };
+
 services.namespaced-vpn = {
 enable = true;
 ips = [
diff --git a/hosts/servers/mail-01.nix b/hosts/servers/mail-01.nix
index a779fa8..94ddbb6 100644
--- a/hosts/servers/mail-01.nix
+++ b/hosts/servers/mail-01.nix
@@ -12,6 +12,26 @@ in
 }
 ];
 
+ services.fail2ban.jails = {
+ # max 6 failures in 600 seconds
+ "nginx-spam" = ''
+ enabled = true
+ filter = nginx-bruteforce
+ logpath = /var/log/nginx/access.log
+ backend = auto
+ maxretry = 6
+ findtime = 600
+ '';
+
+ # max 3 failures in 600 seconds
+ "postfix-bruteforce" = ''
+ enabled = true
+ filter = postfix-bruteforce
+ findtime = 600
+ maxretry = 3
+ '';
+ };
+
 mailserver = {
 enable = true;
 fqdn = "mail.escapeangle.com";
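Review bot: The new `postfix-bruteforce` jail sets no `backend`, yet the filter it references (common.nix) depends on `journalmatch = _SYSTEMD_UNIT=postfix.service`, which only takes effect under the systemd backend; the neighbouring `nginx-spam` jail has to override with `backend = auto`, which suggests the default is systemd, but writing `backend = systemd` into this jail makes the dependency explicit rather than inherited. With `mailserver.enable = true` this host also terminates IMAP/POP3 logins in Dovecot, which neither jail watches; fail2ban ships a `dovecot` filter, so a third jail for it would close the gap in brute-force coverage for the mail stack. As far as I know NixOS runs Dovecot as `dovecot2.service`, so the stock filter's journal match needs overriding at the jail level; the rewrite below adds the explicit backend and the Dovecot jail and leaves the nginx-spam jail untouched.
```nix
  services.fail2ban.jails = {
    # … unchanged: nginx-spam jail …

    # max 3 failures in 600 seconds
    "postfix-bruteforce" = ''
      enabled = true
      filter = postfix-bruteforce
      backend = systemd
      findtime = 600
      maxretry = 3
    '';

    # IMAP/POP3 authentication failures are logged by Dovecot, not Postfix.
    # The filter ships with fail2ban; NixOS names the unit dovecot2.service,
    # so the journal match is overridden here.
    "dovecot" = ''
      enabled = true
      filter = dovecot
      backend = systemd
      journalmatch = _SYSTEMD_UNIT=dovecot2.service
      findtime = 600
      maxretry = 3
    '';
  };
```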