Networking: add firewall & fail2ban

modules/nixos/networking/default.nix

@@ -6,6 +6,8 @@
   inherit (lib.modules) mkDefault mkForce;
 in {
   imports = [
+    ./firewall
+
     ./tailscale.nix
   ];
 

modules/nixos/networking/firewall/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./fail2ban.nix
+  ];
+}

modules/nixos/networking/firewall/fail2ban.nix

@@ -0,0 +1,65 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  inherit (lib.modules) mkIf mkMerge mkForce;
+  inherit (lib.strings) concatStringsSep;
+
+  cfg = config.olympus.services;
+in {
+  services.fail2ban = {
+    enable = true;
+    maxretry = 7;
+    ignoreIP = [
+      "127.0.0.0/8"
+      "10.0.0.0/8"
+      "192.168.0.0/16"
+      "100.64.0.0/10" # tailscale
+    ];
+
+    jails = mkMerge [
+      {
+        # sshd jail
+        sshd = mkForce ''
+          enabled = true
+          port = ${concatStringsSep "," (map toString config.services.openssh.ports)}
+          mode = aggressive
+        '';
+      }
+
+      (mkIf cfg.vaultwarden.enable {
+        # vaultwarden and vaultwarden admin interface jails
+        vaultwarden = ''
+          enabled = true
+          port = 80,443,8822
+          filter = vaultwarden
+          banaction = %(banaction_allports)s
+          logpath = /var/log/vaultwarden.log
+          maxretry = 3
+          bantime = 14400
+          findtime = 14400
+        '';
+
+        vaultwarden-admin = ''
+          enabled = true
+          port = 80,443
+          filter = vaultwarden-admin
+          banaction = %(banaction_allports)s
+          logpath = /var/log/vaultwarden.log
+          maxretry = 3
+          bantime = 14400
+          findtime = 14400
+        '';
+      })
+    ];
+
+    bantime-increment = {
+      enable = true;
+      rndtime = "12m";
+      overalljails = true;
+      multipliers = "4 8 16 32 64 128 256 512 1024 2048";
+      maxtime = "192h";
+    };
+  };
+}