rope/nixos
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fail2ban: add jails for Sonarr, Radarr, Prowlarr, Bazarr, qBittorrent

Browse source 
All services with openFirewall = true are now covered. The *arr suite
shares a single filter since they use the same logging codebase.

https://claude.ai/code/session_01PwAXuaoJx7qD5FhVLsn7Sn
This commit is contained in:
Claude 2026-04-06 08:24:18 +00:00
parent 16363dc887
commit 4935d42e48
No known key found for this signature in database
1 changed files with 82 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

87
services/fail2ban.nix
View file

@ -27,7 +27,7 @@
jails = { jails = {
# SSH brute force — uses built-in sshd filter via journald # SSH brute force — built-in sshd filter via journald
sshd = { sshd = {
settings = { settings = {
enabled = true; enabled = true;
@ -37,8 +37,7 @@
}; };
}; };
# Nginx Proxy Manager — watches Docker-mounted log files # Nginx Proxy Manager — watches Docker-mounted log files for 401/403s
# Catches repeated 401/403 responses (auth failures, bad requests)
nginx-proxy-manager = { nginx-proxy-manager = {
settings = { settings = {
enabled = true; enabled = true;
@ -49,7 +48,7 @@
}; };
}; };
# Jellyfin auth failures — uses journald backend # Jellyfin auth failures — journald
jellyfin = { jellyfin = {
settings = { settings = {
enabled = true; enabled = true;
@ -60,10 +59,88 @@
}; };
}; };
# Sonarr — log files at dataDir/logs/
sonarr = {
settings = {
enabled = true;
filter = "arr-apps";
logpath = "/var/lib/sonarr/logs/*.txt";
maxretry = 5;
bantime = "1h";
};
};
# Radarr — log files at dataDir/logs/
radarr = {
settings = {
enabled = true;
filter = "arr-apps";
logpath = "/var/lib/radarr/logs/*.txt";
maxretry = 5;
bantime = "1h";
};
};
# Prowlarr — log files at dataDir/logs/
prowlarr = {
settings = {
enabled = true;
filter = "arr-apps";
logpath = "/var/lib/prowlarr/logs/*.txt";
maxretry = 5;
bantime = "1h";
};
};
# Bazarr — log files at dataDir/log/
bazarr = {
settings = {
enabled = true;
filter = "bazarr";
logpath = "/var/lib/bazarr/log/*.txt";
maxretry = 5;
bantime = "1h";
};
};
# qBittorrent-nox — watches journald for web UI login failures
qbittorrent = {
settings = {
enabled = true;
filter = "qbittorrent";
backend = "systemd";
journalmatch = "_SYSTEMD_UNIT=qbittorrent-nox.service";
maxretry = 5;
bantime = "1h";
};
};
}; };
}; };
# Custom Jellyfin filter — matches failed auth log lines from the journal # Shared filter for Sonarr, Radarr, Prowlarr — they all use the same *arr codebase
environment.etc."fail2ban/filter.d/arr-apps.conf".text = ''
[Definition]
failregex = .*Auth-Failure ip <HOST>
ignoreregex =
'';
# Bazarr (Python/Flask) auth failure filter
environment.etc."fail2ban/filter.d/bazarr.conf".text = ''
[Definition]
failregex = .*login attempt.*<HOST>
.*unauthorized.*<HOST>
ignoreregex =
'';
# qBittorrent web UI login failure filter
environment.etc."fail2ban/filter.d/qbittorrent.conf".text = ''
[Definition]
failregex = .*WebAPI login failure.*remote IP: <HOST>
ignoreregex =
'';
# Jellyfin filter
environment.etc."fail2ban/filter.d/jellyfin.conf".text = '' environment.etc."fail2ban/filter.d/jellyfin.conf".text = ''
[Definition] [Definition]
failregex = ^.*Authentication request for .* has been denied \(IP: "<HOST>"\).*$ failregex = ^.*Authentication request for .* has been denied \(IP: "<HOST>"\).*$