From adc4ce9d8a47abe24c996f6fd84755c3ca76bf21 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Sun, 3 Sep 2023 12:21:04 +0200 Subject: [PATCH 1/3] modules: services: indexers: add prowlarr fail2ban
---
 modules/services/indexers/default.nix | 16 ++++++++++++++++ 1 file changed, 16 insertions(+)
diff --git a/modules/services/indexers/default.nix b/modules/services/indexers/default.nix
index 66f1604..fb06a0b 100644
--- a/modules/services/indexers/default.nix
+++ b/modules/services/indexers/default.nix
@@ -60,6 +60,22 @@ in
 port = prowlarrPort;
 }
 ];
+
+ services.fail2ban.jails = {
+ prowlarr = ''
+ enabled = true
+ filter = prowlarr
+ action = iptables-allports
+ '';
+ };
+
+ environment.etc = {
+ "fail2ban/filter.d/prowlarr.conf".text = ''
+ [Definition]
+ failregex = ^.*\|Warn\|Auth\|Auth-Failure ip username .*$
+ journalmatch = _SYSTEMD_UNIT=prowlarr.service
+ '';
+ };
 })
 ];
 }
From 14bf03e5fd8f0c9285f131d25b89f6e33799c5df Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Sun, 3 Sep 2023 12:22:02 +0200 Subject: [PATCH 2/3] modules: services: pirate: refactor This will make adding fail2ban jails easier.
---
 modules/services/pirate/default.nix | 48 ++++++++++++++++++++--------- 1 file changed, 33 insertions(+), 15 deletions(-)
diff --git a/modules/services/pirate/default.nix b/modules/services/pirate/default.nix
index 42dd12b..96f5ad4 100644
--- a/modules/services/pirate/default.nix
+++ b/modules/services/pirate/default.nix
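Review bot: The `failregex` added for `prowlarr.conf` starts with an open `^.*` and ends with `.*$`, and the `username` value it spans is supplied by the client, so nothing pins the `Auth-Failure ip` match to the part of the line the service itself writes. Fail2ban's filter guidance is to anchor on the logger's fixed prefix instead of `.*`, so that the content of a logged field cannot influence which address is counted; replacing the leading `^.*` with a pattern for the real prefix would close that. As rendered on this page the expression also shows no `<HOST>` tag between `ip` and `username`, which fail2ban needs to know what to ban, so confirm it is present in the file. Because the filter reads the journal (`journalmatch = _SYSTEMD_UNIT=prowlarr.service`), running `fail2ban-regex` against real entries of that unit would confirm the pattern matches what is logged there. The same expression is reused in `mkFail2Ban` in PATCH 3/3.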
@@ -13,26 +13,44 @@ let sonarr = 8989; }; - managers = with lib.attrsets; - (mapAttrs - (_: _: { - enable = true; - group = "media"; - }) - ports); + mkService = service: { + services.${service} = { + enable = true; + group = "media"; + }; + }; - redirections = lib.flip lib.mapAttrsToList ports - (subdomain: port: { inherit subdomain port; }); + mkRedirection = service: { + my.services.nginx.virtualHosts = [ + { + subdomain = service; + port = ports.${service}; + } + ]; + }; + + mkFullConfig = service: lib.mkMerge [ + (mkService service) + (mkRedirection service) + ]; in { options.my.services.pirate = { enable = lib.mkEnableOption "Media automation"; }; - config = lib.mkIf cfg.enable { - services = managers; - my.services.nginx.virtualHosts = redirections; - # Set-up media group - users.groups.media = { }; - }; + config = lib.mkIf cfg.enable (lib.mkMerge [ + { + # Set-up media group + users.groups.media = { }; + } + # Bazarr for subtitles + (mkFullConfig "bazarr") + # Lidarr for music + (mkFullConfig "lidarr") + # Radarr for movies + (mkFullConfig "radarr") + # Sonarr for shows + (mkFullConfig "sonarr") + ]); } From fc8ccb8b990730bc95be0a08f499a77b17779aea Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Sun, 3 Sep 2023 12:43:46 +0200 Subject: [PATCH 3/3] modules: services: pirate: add fail2ban jails --- modules/services/pirate/default.nix | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/modules/services/pirate/default.nix b/modules/services/pirate/default.nix index 96f5ad4..7c341e7 100644 --- a/modules/services/pirate/default.nix +++ b/modules/services/pirate/default.nix 
@@ -29,6 +29,24 @@ let ]; }; + mkFail2Ban = service: { + services.fail2ban.jails = { + ${service} = '' + enabled = true + filter = ${service} + action = iptables-allports + ''; + }; + + environment.etc = { + "fail2ban/filter.d/${service}.conf".text = '' + [Definition] + failregex = ^.*\|Warn\|Auth\|Auth-Failure ip username .*$ + journalmatch = _SYSTEMD_UNIT=${service}.service + ''; + }; + }; + mkFullConfig = service: lib.mkMerge [ (mkService service) (mkRedirection service) @@ -44,13 +62,16 @@ in # Set-up media group users.groups.media = { }; } - # Bazarr for subtitles + # Bazarr does not log authentication failures... (mkFullConfig "bazarr") # Lidarr for music (mkFullConfig "lidarr") + (mkFail2Ban "lidarr") # Radarr for movies (mkFullConfig "radarr") + (mkFail2Ban "radarr") # Sonarr for shows (mkFullConfig "sonarr") + (mkFail2Ban "sonarr") ]); }
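Review bot: `mkFail2Ban` bans whatever address the service writes after `Auth-Failure ip`, but the same services are published through `my.services.nginx.virtualHosts` by `mkRedirection`, so the jail is only useful if they log the forwarded client address rather than the proxy's. The proxy configuration is not visible here; if the logged address turns out to be the loopback one, fail2ban will presumably ignore it and the jail never fires. I would record the assumption next to the filter, e.g. `# requires the service to log the real client IP when behind nginx`. The jail also sets `action = iptables-allports` directly and leaves `maxretry`, `findtime` and `bantime` to the host defaults; a short comment saying that is intentional would help, since an explicit `action` bypasses whatever default `banaction` the host's fail2ban is configured with.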
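Review bot: The new comment on `(mkFullConfig "bazarr")` replaces the description of the service and leaves the consequence unstated: Bazarr is still published through nginx but gets no jail. I would keep both facts in one line, `# Bazarr for subtitles; no fail2ban jail, it does not log authentication failures`, so a reader does not take the missing `mkFail2Ban "bazarr"` for an oversight. If brute-force protection is wanted for it, it would have to come from the proxy layer instead. The `config` block this list belongs to starts outside the hunk.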