From 525147aa61f84751c96e5785becabcefab8e0ce2 Mon Sep 17 00:00:00 2001
From: ediblerope <fredrik@nordhammer.it>
Date: Sun, 26 Apr 2026 19:26:18 +0100
Subject: [PATCH] =?UTF-8?q?fail2ban:=20remove=20=E2=80=94=20superseded=20b?=
 =?UTF-8?q?y=20CrowdSec?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CrowdSec covers the same surface (sshd, authelia, nginx, *arr apps,
qBit) with the addition of community-sourced threat intel and ntfy
push alerts. Keeping both was redundant. State at /var/lib/fail2ban
will sit unused until cleaned up by hand.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 common.nix            |   1 -
 services/fail2ban.nix | 170 ------------------------------------------
 2 files changed, 171 deletions(-)
 delete mode 100644 services/fail2ban.nix

diff --git a/common.nix b/common.nix
index 52c6470..be889a0 100644
--- a/common.nix
+++ b/common.nix
@@ -28,7 +28,6 @@
     ./services/jellyfin.nix
     ./services/bazarr.nix
     ./services/cloudflare-ddns.nix
-    ./services/fail2ban.nix
     ./services/authelia.nix
     ./services/homepage.nix
     ./services/arr-interconnect.nix
diff --git a/services/fail2ban.nix b/services/fail2ban.nix
deleted file mode 100644
index 77c1434..0000000
--- a/services/fail2ban.nix
+++ /dev/null
@@ -1,170 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
-  config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
-
-    services.fail2ban = {
-      enable = true;
-
-      # Default ban settings (overridable per jail)
-      maxretry = 5;
-      bantime = "1h";
-
-      # Progressively longer bans for repeat offenders, up to 1 week
-      bantime-increment = {
-        enable = true;
-        multipliers = "1 2 4 8 16 32 64";
-        maxtime = "168h";
-        overalljails = true;
-      };
-
-      # Never ban local network traffic
-      ignoreIP = [
-        "127.0.0.1/8"
-        "::1"
-        "10.0.0.0/8"
-      ];
-
-      jails = {
-
-        # SSH brute force — built-in sshd filter via journald
-        sshd = {
-          settings = {
-            enabled = true;
-            filter = "sshd";
-            maxretry = 5;
-            bantime = "1h";
-          };
-        };
-
-        # Nginx — watches access log for HTTP auth failures
-        nginx = {
-          settings = {
-            enabled = true;
-            filter = "nginx-http-auth";
-            logpath = "/var/log/nginx/access.log";
-            maxretry = 10;
-            bantime = "1h";
-          };
-        };
-
-        # Authelia — failed login attempts via journald
-        authelia = {
-          settings = {
-            enabled = true;
-            backend = "systemd";
-            journalmatch = "_SYSTEMD_UNIT=authelia-main.service";
-            filter = "authelia";
-            maxretry = 5;
-            bantime = "2h";
-          };
-        };
-
-        # Jellyfin auth failures — journald
-        jellyfin = {
-          settings = {
-            enabled = true;
-            backend = "systemd";
-            journalmatch = "_SYSTEMD_UNIT=jellyfin.service";
-            maxretry = 5;
-            bantime = "2h";
-          };
-        };
-
-        # Sonarr — log files at dataDir/logs/
-        sonarr = {
-          settings = {
-            enabled = true;
-            filter = "arr-apps";
-            logpath = "/var/lib/sonarr/logs/*.txt";
-            maxretry = 5;
-            bantime = "1h";
-          };
-        };
-
-        # Radarr — log files at dataDir/logs/
-        radarr = {
-          settings = {
-            enabled = true;
-            filter = "arr-apps";
-            logpath = "/var/lib/radarr/logs/*.txt";
-            maxretry = 5;
-            bantime = "1h";
-          };
-        };
-
-        # Prowlarr — log files at dataDir/logs/
-        prowlarr = {
-          settings = {
-            enabled = true;
-            filter = "arr-apps";
-            logpath = "/var/lib/prowlarr/logs/*.txt";
-            maxretry = 5;
-            bantime = "1h";
-          };
-        };
-
-        # Bazarr — log files at dataDir/log/
-        bazarr = {
-          settings = {
-            enabled = true;
-            filter = "bazarr";
-            logpath = "/var/lib/bazarr/log/*.txt";
-            maxretry = 5;
-            bantime = "1h";
-          };
-        };
-
-        # qBittorrent-nox — watches journald for web UI login failures
-        qbittorrent = {
-          settings = {
-            enabled = true;
-            filter = "qbittorrent";
-            backend = "systemd";
-            journalmatch = "_SYSTEMD_UNIT=qbittorrent-nox.service";
-            maxretry = 5;
-            bantime = "1h";
-          };
-        };
-
-      };
-    };
-
-    # Shared filter for Sonarr, Radarr, Prowlarr — they all use the same *arr codebase
-    environment.etc."fail2ban/filter.d/arr-apps.conf".text = ''
-      [Definition]
-      failregex = .*Auth-Failure ip <HOST>
-      ignoreregex =
-    '';
-
-    # Bazarr (Python/Flask) auth failure filter
-    environment.etc."fail2ban/filter.d/bazarr.conf".text = ''
-      [Definition]
-      failregex = .*login attempt.*<HOST>
-                  .*unauthorized.*<HOST>
-      ignoreregex =
-    '';
-
-    # qBittorrent web UI login failure filter
-    environment.etc."fail2ban/filter.d/qbittorrent.conf".text = ''
-      [Definition]
-      failregex = .*WebAPI login failure.*remote IP: <HOST>
-      ignoreregex =
-    '';
-
-    # Authelia filter
-    environment.etc."fail2ban/filter.d/authelia.conf".text = ''
-      [Definition]
-      failregex = ^.*Unsuccessful .* authentication attempt by user .* from <HOST>.*$
-      ignoreregex =
-    '';
-
-    # Jellyfin filter
-    environment.etc."fail2ban/filter.d/jellyfin.conf".text = ''
-      [Definition]
-      failregex = ^.*Authentication request for .* has been denied \(IP: "<HOST>"\).*$
-                  ^.*Error processing request from remote IP Address <HOST>.*$
-      ignoreregex =
-    '';
-
-  };
-}