nixos/services/fail2ban.nix

{ config, lib, pkgs, ... }:
{
  config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {

    services.fail2ban = {
      enable = true;

      # Default ban settings (overridable per jail)
      maxretry = 5;
      bantime = "1h";

      # Progressively longer bans for repeat offenders, up to 1 week
      bantime-increment = {
        enable = true;
        multipliers = "1 2 4 8 16 32 64";
        maxtime = "168h";
        overalljails = true;
      };

      # Never ban local network traffic
      ignoreIP = [
        "127.0.0.1/8"
        "::1"
        "10.0.0.0/8"
      ];

      jails = {

        # SSH brute force — built-in sshd filter via journald
        sshd = {
          settings = {
            enabled = true;
            filter = "sshd";
            maxretry = 5;
            bantime = "1h";
          };
        };

        # Nginx — watches access log for HTTP auth failures
        nginx = {
          settings = {
            enabled = true;
            filter = "nginx-http-auth";
            logpath = "/var/log/nginx/access.log";
            maxretry = 10;
            bantime = "1h";
          };
        };

        # Authelia — failed login attempts via journald
        authelia = {
          settings = {
            enabled = true;
            backend = "systemd";
            journalmatch = "_SYSTEMD_UNIT=authelia-main.service";
            filter = "authelia";
            maxretry = 5;
            bantime = "2h";
          };
        };

        # Jellyfin auth failures — journald
        jellyfin = {
          settings = {
            enabled = true;
            backend = "systemd";
            journalmatch = "_SYSTEMD_UNIT=jellyfin.service";
            maxretry = 5;
            bantime = "2h";
          };
        };

        # Sonarr — log files at dataDir/logs/
        sonarr = {
          settings = {
            enabled = true;
            filter = "arr-apps";
            logpath = "/var/lib/sonarr/logs/*.txt";
            maxretry = 5;
            bantime = "1h";
          };
        };

        # Radarr — log files at dataDir/logs/
        radarr = {
          settings = {
            enabled = true;
            filter = "arr-apps";
            logpath = "/var/lib/radarr/logs/*.txt";
            maxretry = 5;
            bantime = "1h";
          };
        };

        # Prowlarr — log files at dataDir/logs/
        prowlarr = {
          settings = {
            enabled = true;
            filter = "arr-apps";
            logpath = "/var/lib/prowlarr/logs/*.txt";
            maxretry = 5;
            bantime = "1h";
          };
        };

        # Bazarr — log files at dataDir/log/
        bazarr = {
          settings = {
            enabled = true;
            filter = "bazarr";
            logpath = "/var/lib/bazarr/log/*.txt";
            maxretry = 5;
            bantime = "1h";
          };
        };

        # qBittorrent-nox — watches journald for web UI login failures
        qbittorrent = {
          settings = {
            enabled = true;
            filter = "qbittorrent";
            backend = "systemd";
            journalmatch = "_SYSTEMD_UNIT=qbittorrent-nox.service";
            maxretry = 5;
            bantime = "1h";
          };
        };

      };
    };

    # Shared filter for Sonarr, Radarr, Prowlarr — they all use the same *arr codebase
    environment.etc."fail2ban/filter.d/arr-apps.conf".text = ''
      [Definition]
      failregex = .*Auth-Failure ip <HOST>
      ignoreregex =
    '';

    # Bazarr (Python/Flask) auth failure filter
    environment.etc."fail2ban/filter.d/bazarr.conf".text = ''
      [Definition]
      failregex = .*login attempt.*<HOST>
                  .*unauthorized.*<HOST>
      ignoreregex =
    '';

    # qBittorrent web UI login failure filter
    environment.etc."fail2ban/filter.d/qbittorrent.conf".text = ''
      [Definition]
      failregex = .*WebAPI login failure.*remote IP: <HOST>
      ignoreregex =
    '';

    # Authelia filter
    environment.etc."fail2ban/filter.d/authelia.conf".text = ''
      [Definition]
      failregex = ^.*Unsuccessful .* authentication attempt by user .* from <HOST>.*$
      ignoreregex =
    '';

    # Jellyfin filter
    environment.etc."fail2ban/filter.d/jellyfin.conf".text = ''
      [Definition]
      failregex = ^.*Authentication request for .* has been denied \(IP: "<HOST>"\).*$
                  ^.*Error processing request from remote IP Address <HOST>.*$
      ignoreregex =
    '';

  };
}
fail2ban: add jails for SSH, nginx proxy manager, and Jellyfin Replaces bare enable flag with a dedicated service module covering: - SSH brute force via journald - Nginx Proxy Manager auth failures via Docker log files - Jellyfin auth failures via journald Includes incremental ban times (up to 1 week) and LAN ignore rules. https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn 2026-04-06 08:21:23 +00:00			`{ config, lib, pkgs, ... }:`
			`{`
			`config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {`

			`services.fail2ban = {`
			`enable = true;`

			`# Default ban settings (overridable per jail)`
			`maxretry = 5;`
			`bantime = "1h";`

			`# Progressively longer bans for repeat offenders, up to 1 week`
			`bantime-increment = {`
			`enable = true;`
fail2ban: fix bantime-increment option name (multipliers not multiplier) https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn 2026-04-06 08:35:15 +00:00			`multipliers = "1 2 4 8 16 32 64";`
fail2ban: add jails for SSH, nginx proxy manager, and Jellyfin Replaces bare enable flag with a dedicated service module covering: - SSH brute force via journald - Nginx Proxy Manager auth failures via Docker log files - Jellyfin auth failures via journald Includes incremental ban times (up to 1 week) and LAN ignore rules. https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn 2026-04-06 08:21:23 +00:00			`maxtime = "168h";`
			`overalljails = true;`
			`};`

			`# Never ban local network traffic`
			`ignoreIP = [`
			`"127.0.0.1/8"`
			`"::1"`
			`"10.0.0.0/8"`
			`];`

			`jails = {`

fail2ban: add jails for Sonarr, Radarr, Prowlarr, Bazarr, qBittorrent All services with openFirewall = true are now covered. The *arr suite shares a single filter since they use the same logging codebase. https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn 2026-04-06 08:24:18 +00:00			`# SSH brute force — built-in sshd filter via journald`
fail2ban: add jails for SSH, nginx proxy manager, and Jellyfin Replaces bare enable flag with a dedicated service module covering: - SSH brute force via journald - Nginx Proxy Manager auth failures via Docker log files - Jellyfin auth failures via journald Includes incremental ban times (up to 1 week) and LAN ignore rules. https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn 2026-04-06 08:21:23 +00:00			`sshd = {`
			`settings = {`
			`enabled = true;`
			`filter = "sshd";`
			`maxretry = 5;`
			`bantime = "1h";`
			`};`
			`};`

Replace Docker containers with native NixOS modules for nginx, Authelia, and go2rtc - Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01 - Native Authelia SSO with forward auth protecting homepage + camera - Native go2rtc camera streaming (no more Docker) - Auto-migration script for Authelia secrets and user database from Docker - Homepage hrefs updated to use HTTPS domain names - Fail2ban updated for native nginx log paths + new Authelia jail Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-07 15:47:56 +01:00			`# Nginx — watches access log for HTTP auth failures`
			`nginx = {`
fail2ban: add jails for SSH, nginx proxy manager, and Jellyfin Replaces bare enable flag with a dedicated service module covering: - SSH brute force via journald - Nginx Proxy Manager auth failures via Docker log files - Jellyfin auth failures via journald Includes incremental ban times (up to 1 week) and LAN ignore rules. https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn 2026-04-06 08:21:23 +00:00			`settings = {`
			`enabled = true;`
			`filter = "nginx-http-auth";`
Replace Docker containers with native NixOS modules for nginx, Authelia, and go2rtc - Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01 - Native Authelia SSO with forward auth protecting homepage + camera - Native go2rtc camera streaming (no more Docker) - Auto-migration script for Authelia secrets and user database from Docker - Homepage hrefs updated to use HTTPS domain names - Fail2ban updated for native nginx log paths + new Authelia jail Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-07 15:47:56 +01:00			`logpath = "/var/log/nginx/access.log";`
fail2ban: add jails for SSH, nginx proxy manager, and Jellyfin Replaces bare enable flag with a dedicated service module covering: - SSH brute force via journald - Nginx Proxy Manager auth failures via Docker log files - Jellyfin auth failures via journald Includes incremental ban times (up to 1 week) and LAN ignore rules. https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn 2026-04-06 08:21:23 +00:00			`maxretry = 10;`
			`bantime = "1h";`
			`};`
			`};`

Replace Docker containers with native NixOS modules for nginx, Authelia, and go2rtc - Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01 - Native Authelia SSO with forward auth protecting homepage + camera - Native go2rtc camera streaming (no more Docker) - Auto-migration script for Authelia secrets and user database from Docker - Homepage hrefs updated to use HTTPS domain names - Fail2ban updated for native nginx log paths + new Authelia jail Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-07 15:47:56 +01:00			`# Authelia — failed login attempts via journald`
			`authelia = {`
			`settings = {`
			`enabled = true;`
			`backend = "systemd";`
			`journalmatch = "_SYSTEMD_UNIT=authelia-main.service";`
			`filter = "authelia";`
			`maxretry = 5;`
			`bantime = "2h";`
			`};`
			`};`

fail2ban: add jails for Sonarr, Radarr, Prowlarr, Bazarr, qBittorrent All services with openFirewall = true are now covered. The *arr suite shares a single filter since they use the same logging codebase. https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn 2026-04-06 08:24:18 +00:00			`# Jellyfin auth failures — journald`
fail2ban: add jails for SSH, nginx proxy manager, and Jellyfin Replaces bare enable flag with a dedicated service module covering: - SSH brute force via journald - Nginx Proxy Manager auth failures via Docker log files - Jellyfin auth failures via journald Includes incremental ban times (up to 1 week) and LAN ignore rules. https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn 2026-04-06 08:21:23 +00:00			`jellyfin = {`
			`settings = {`
			`enabled = true;`
			`backend = "systemd";`
			`journalmatch = "_SYSTEMD_UNIT=jellyfin.service";`
			`maxretry = 5;`
			`bantime = "2h";`
			`};`
			`};`

fail2ban: add jails for Sonarr, Radarr, Prowlarr, Bazarr, qBittorrent All services with openFirewall = true are now covered. The *arr suite shares a single filter since they use the same logging codebase. https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn 2026-04-06 08:24:18 +00:00			`# Sonarr — log files at dataDir/logs/`
			`sonarr = {`
			`settings = {`
			`enabled = true;`
			`filter = "arr-apps";`
			`logpath = "/var/lib/sonarr/logs/*.txt";`
			`maxretry = 5;`
			`bantime = "1h";`
			`};`
			`};`

			`# Radarr — log files at dataDir/logs/`
			`radarr = {`
			`settings = {`
			`enabled = true;`
			`filter = "arr-apps";`
			`logpath = "/var/lib/radarr/logs/*.txt";`
			`maxretry = 5;`
			`bantime = "1h";`
			`};`
			`};`

			`# Prowlarr — log files at dataDir/logs/`
			`prowlarr = {`
			`settings = {`
			`enabled = true;`
			`filter = "arr-apps";`
			`logpath = "/var/lib/prowlarr/logs/*.txt";`
			`maxretry = 5;`
			`bantime = "1h";`
			`};`
			`};`

			`# Bazarr — log files at dataDir/log/`
			`bazarr = {`
			`settings = {`
			`enabled = true;`
			`filter = "bazarr";`
			`logpath = "/var/lib/bazarr/log/*.txt";`
			`maxretry = 5;`
			`bantime = "1h";`
			`};`
			`};`

			`# qBittorrent-nox — watches journald for web UI login failures`
			`qbittorrent = {`
			`settings = {`
			`enabled = true;`
			`filter = "qbittorrent";`
			`backend = "systemd";`
			`journalmatch = "_SYSTEMD_UNIT=qbittorrent-nox.service";`
			`maxretry = 5;`
			`bantime = "1h";`
			`};`
			`};`

fail2ban: add jails for SSH, nginx proxy manager, and Jellyfin Replaces bare enable flag with a dedicated service module covering: - SSH brute force via journald - Nginx Proxy Manager auth failures via Docker log files - Jellyfin auth failures via journald Includes incremental ban times (up to 1 week) and LAN ignore rules. https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn 2026-04-06 08:21:23 +00:00			`};`
			`};`

fail2ban: add jails for Sonarr, Radarr, Prowlarr, Bazarr, qBittorrent All services with openFirewall = true are now covered. The *arr suite shares a single filter since they use the same logging codebase. https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn 2026-04-06 08:24:18 +00:00			`# Shared filter for Sonarr, Radarr, Prowlarr — they all use the same *arr codebase`
			`environment.etc."fail2ban/filter.d/arr-apps.conf".text = ''`
			`[Definition]`
			`failregex = .*Auth-Failure ip <HOST>`
			`ignoreregex =`
			`'';`

			`# Bazarr (Python/Flask) auth failure filter`
			`environment.etc."fail2ban/filter.d/bazarr.conf".text = ''`
			`[Definition]`
			`failregex = .login attempt.<HOST>`
			`.unauthorized.<HOST>`
			`ignoreregex =`
			`'';`

			`# qBittorrent web UI login failure filter`
			`environment.etc."fail2ban/filter.d/qbittorrent.conf".text = ''`
			`[Definition]`
			`failregex = .WebAPI login failure.remote IP: <HOST>`
			`ignoreregex =`
			`'';`

Replace Docker containers with native NixOS modules for nginx, Authelia, and go2rtc - Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01 - Native Authelia SSO with forward auth protecting homepage + camera - Native go2rtc camera streaming (no more Docker) - Auto-migration script for Authelia secrets and user database from Docker - Homepage hrefs updated to use HTTPS domain names - Fail2ban updated for native nginx log paths + new Authelia jail Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-07 15:47:56 +01:00			`# Authelia filter`
			`environment.etc."fail2ban/filter.d/authelia.conf".text = ''`
			`[Definition]`
			`failregex = ^.Unsuccessful . authentication attempt by user .* from <HOST>.*$`
			`ignoreregex =`
			`'';`

fail2ban: add jails for Sonarr, Radarr, Prowlarr, Bazarr, qBittorrent All services with openFirewall = true are now covered. The *arr suite shares a single filter since they use the same logging codebase. https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn 2026-04-06 08:24:18 +00:00			`# Jellyfin filter`
fail2ban: add jails for SSH, nginx proxy manager, and Jellyfin Replaces bare enable flag with a dedicated service module covering: - SSH brute force via journald - Nginx Proxy Manager auth failures via Docker log files - Jellyfin auth failures via journald Includes incremental ban times (up to 1 week) and LAN ignore rules. https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn 2026-04-06 08:21:23 +00:00			`environment.etc."fail2ban/filter.d/jellyfin.conf".text = ''`
			`[Definition]`
			`failregex = ^.Authentication request for . has been denied \(IP: "<HOST>"\).*$`
			`^.Error processing request from remote IP Address <HOST>.$`
			`ignoreregex =`
			`'';`

			`};`
			`}`