net/fail2ban: initial commit

author: Alejandro Soto <alejandro@34project.org> 2024-07-20 22:35:52 -0600
committer: Alejandro Soto <alejandro@34project.org> 2024-07-21 00:19:10 -0600
commit: b1f3d839adc88b024e3a79d09b54a1939b78edba (patch)
tree: 2287680392dd32e6bda4c7e2664dc607727d79c7 /sys/home-assistant/default.nix
parent: c88f8c51c90c1e48c75047849a42ae0ed6c4aa15 (diff)
1 files changed, 39 insertions, 23 deletions
diff --git a/sys/home-assistant/default.nix b/sys/home-assistant/default.nix
index 8031d43..631ba27 100644
--- a/sys/home-assistant/default.nix
+++ b/sys/home-assistant/default.nix
@@ -8,35 +8,51 @@ in
   };
 
   config = mkIf cfg.enable {
+    # https://nathan.gs/2024/06/22/fail2ban-to-secure-ha-on-nixos/
+    environment.etc."fail2ban/filter.d/home-assistant.local".text = ''
+      [Definition]
+      failregex = ^.* \[homeassistant\.components\.http\.ban\] Login attempt or request with invalid authentication from <HOST>.*$
+      
+      ignoreregex =
+      
+      journalmatch = _SYSTEMD_UNIT=home-assistant.service + _COMM=home-assistant
+      
+      datepattern = {^LN-BEG}
+    '';
+
     local.boot.impermanence.directories = [
       { directory = "/var/lib/hass"; user = "hass"; group = "hass"; mode = "u=rwx,g=,o="; }
     ];
 
-    services.home-assistant = {
-      enable = true;
-
-      extraComponents = [
-        "met"
-        "google_translate"
-        "radio_browser"
-        "tuya"
-        "xiaomi_miio"
-      ];
-
-      config = {
-        # Includes dependencies for a basic setup
-        # https://www.home-assistant.io/integrations/default_config/
-        default_config = { };
-      };
+    services = {
+      fail2ban.jails.home-assistant = { };
+
+      home-assistant = {
+        enable = true;
 
-      customComponents = with pkgs.home-assistant-custom-components; [
-        dreame_vacuum
-        xiaomi_miot
-      ];
+        extraComponents = [
+          "met"
+          "google_translate"
+          "radio_browser"
+          "tuya"
+          "xiaomi_miio"
+        ];
 
-      customLovelaceModules = with pkgs.home-assistant-custom-lovelace-modules; [
-        xiaomi-vacuum-map-card
-      ];
+        config = {
+          # Includes dependencies for a basic setup
+          # https://www.home-assistant.io/integrations/default_config/
+          default_config = { };
+        };
+
+        customComponents = with pkgs.home-assistant-custom-components; [
+          dreame_vacuum
+          xiaomi_miot
+        ];
+
+        customLovelaceModules = with pkgs.home-assistant-custom-lovelace-modules; [
+          xiaomi-vacuum-map-card
+        ];
+      };
     };
   };
 }
author	Alejandro Soto <alejandro@34project.org>	2024-07-20 22:35:52 -0600
committer	Alejandro Soto <alejandro@34project.org>	2024-07-21 00:19:10 -0600
commit	b1f3d839adc88b024e3a79d09b54a1939b78edba (patch)
tree	2287680392dd32e6bda4c7e2664dc607727d79c7 /sys/home-assistant/default.nix
parent	c88f8c51c90c1e48c75047849a42ae0ed6c4aa15 (diff)