From e135815d690eb863828fc7d41b79d392a0a207b6 Mon Sep 17 00:00:00 2001
From: blahai
Date: Mon, 27 Jan 2025 13:34:17 +0200
Subject: [PATCH] Networking: add firewall & fail2ban

---
 modules/nixos/networking/default.nix          |  2 +
 modules/nixos/networking/firewall/default.nix |  5 ++
 .../nixos/networking/firewall/fail2ban.nix    | 65 +++++++++++++++++++
 3 files changed, 72 insertions(+)
 create mode 100644 modules/nixos/networking/firewall/default.nix
 create mode 100644 modules/nixos/networking/firewall/fail2ban.nix

diff --git a/modules/nixos/networking/default.nix b/modules/nixos/networking/default.nix
index a758050..dfe53b3 100644
--- a/modules/nixos/networking/default.nix
+++ b/modules/nixos/networking/default.nix
@@ -6,6 +6,8 @@
   inherit (lib.modules) mkDefault mkForce;
 in {
   imports = [
+    ./firewall
+
     ./tailscale.nix
   ];
 
diff --git a/modules/nixos/networking/firewall/default.nix b/modules/nixos/networking/firewall/default.nix
new file mode 100644
index 0000000..355c802
--- /dev/null
+++ b/modules/nixos/networking/firewall/default.nix
@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./fail2ban.nix
+  ];
+}
diff --git a/modules/nixos/networking/firewall/fail2ban.nix b/modules/nixos/networking/firewall/fail2ban.nix
new file mode 100644
index 0000000..2f09006
--- /dev/null
+++ b/modules/nixos/networking/firewall/fail2ban.nix
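Review bot: Nothing in the new `firewall/default.nix` configures `networking.firewall`; the module only imports `./fail2ban.nix`, so the directory name promises more than the file delivers. If the intent is to rely on the NixOS default (the host firewall stays enabled unless `networking.firewall.enable` is set to false), say so in a comment such as `# networking.firewall is left at the NixOS default; this directory only carries fail2ban` so a later reader does not assume host firewall rules live here.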
@@ -0,0 +1,65 @@
+{
+  lib,
+  config,
+  ...
+}: let
+  inherit (lib.modules) mkIf mkMerge mkForce;
+  inherit (lib.strings) concatStringsSep;
+
+  cfg = config.olympus.services;
+in {
+  services.fail2ban = {
+    enable = true;
+    maxretry = 7;
+    ignoreIP = [
+      "127.0.0.0/8"
+      "10.0.0.0/8"
+      "192.168.0.0/16"
+      "100.64.0.0/10" # tailscale
+    ];
+
+    jails = mkMerge [
+      {
+        # sshd jail
+        sshd = mkForce ''
+          enabled = true
+          port = ${concatStringsSep "," (map toString config.services.openssh.ports)}
+          mode = aggressive
+        '';
+      }
+
+      (mkIf cfg.vaultwarden.enable {
+        # vaultwarden and vaultwarden admin interface jails
+        vaultwarden = ''
+          enabled = true
+          port = 80,443,8822
+          filter = vaultwarden
+          banaction = %(banaction_allports)s
+          logpath = /var/log/vaultwarden.log
+          maxretry = 3
+          bantime = 14400
+          findtime = 14400
+        '';
+
+        vaultwarden-admin = ''
+          enabled = true
+          port = 80,443
+          filter = vaultwarden-admin
+          banaction = %(banaction_allports)s
+          logpath = /var/log/vaultwarden.log
+          maxretry = 3
+          bantime = 14400
+          findtime = 14400
+        '';
+      })
+    ];
+
+    bantime-increment = {
+      enable = true;
+      rndtime = "12m";
+      overalljails = true;
+      multipliers = "4 8 16 32 64 128 256 512 1024 2048";
+      maxtime = "192h";
+    };
+  };
+}
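Review bot: Both vaultwarden jails reference filters (`filter = vaultwarden`, `filter = vaultwarden-admin`) and a log file (`logpath = /var/log/vaultwarden.log`) that this patch does not provide; unless both already exist elsewhere in the tree, fail2ban is likely to refuse to start those jails because the filter file or the log path is missing. On NixOS vaultwarden logs to the journal unless `services.vaultwarden.config.LOG_FILE` is set, so the log file setting and the filter definitions (for example via the attrset jail form `vaultwarden = { settings = { … }; filter = { … }; };` in this same module) should be placed under the same `mkIf cfg.vaultwarden.enable` so the jail and its prerequisites are enabled together. The `ignoreIP` list exempts all of 10.0.0.0/8, 192.168.0.0/16 and the tailscale range, meaning failed logins from any host on those networks are never counted; that is a deliberate trade-off worth recording with a comment such as `# whole RFC1918 and CGNAT ranges are exempt: a compromised LAN or tailnet host is not rate-limited`. The `mkForce` on the sshd jail discards whatever the NixOS module sets for that jail by default, which is presumably intended but should be stated in the existing `# sshd jail` comment.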