From 3c9c38fb032f13d1595a8d132b3f519d6ec29925 Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Mon, 6 Jan 2025 00:28:13 +0100
Subject: [PATCH] chore(modules/firewall): Rewrite to simplify

Also disable the ai filter for nodes that don't have nginx enabled
---
 modules/nixos/dgn-firewall/default.nix | 9 ++-
 modules/nixos/dgn-firewall/streams.nix | 105 ++++++++++++-------------
 2 files changed, 55 insertions(+), 59 deletions(-)

diff --git a/modules/nixos/dgn-firewall/default.nix b/modules/nixos/dgn-firewall/default.nix
index 5a7025f..5e42bed 100644
--- a/modules/nixos/dgn-firewall/default.nix
+++ b/modules/nixos/dgn-firewall/default.nix
@@ -3,9 +3,9 @@
 # SPDX-License-Identifier: EUPL-1.2
 
 {
- pkgs,
+ config,
 lib,
- name,
+ pkgs,
 ...
 }:
 
@@ -13,6 +13,7 @@ let
 inherit (lib)
 concatStringsSep
 length
+ optionalAttrs
 replicate
 splitString
 ;
@@ -85,7 +86,9 @@ in
 stop = [ (nft "delete table inet reaction") ];
- streams = streams'.default // (streams'.${name} or { });
+ streams = {
+ inherit (streams') ssh;
+ } // (optionalAttrs config.services.nginx.enable { inherit (streams') ai-crawlers; });
 };
 };
 }
diff --git a/modules/nixos/dgn-firewall/streams.nix b/modules/nixos/dgn-firewall/streams.nix
index 654582c..ba37e1f 100644
--- a/modules/nixos/dgn-firewall/streams.nix
+++ b/modules/nixos/dgn-firewall/streams.nix
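Review bot: The `optionalAttrs config.services.nginx.enable` gate on the new `streams` binding has no comment, and the reason for it (the `ai-crawlers` stream tails `/var/log/nginx/access.log`, which only exists where nginx runs) is visible only in streams.nix. A one-liner above the binding would spare the next reader the cross-file lookup: `# ai-crawlers tails nginx's access log, so only wire it up on hosts that run nginx`. Note that `services.nginx.enable` is only a proxy for the log being written: a host that enables nginx but turns access logging off or points it elsewhere would presumably leave the stream following a file that never receives lines, so the crawler bans stop silently rather than failing at start; that caveat belongs in the same comment. The enclosing attribute set opens before the hunk.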
@@ -23,68 +23,61 @@ let
 cmd = act "delete";
 };
 };
+in
 
- available = {
- ai-crawlers = {
- cmd = [
- "tail"
- "-n0"
- "-f"
- "/var/log/nginx/access.log"
+{
+ ai-crawlers = {
+ cmd = [
+ "tail"
+ "-n0"
+ "-f"
+ "/var/log/nginx/access.log"
+ ];
+
+ filters.bots = {
+ regex = builtins.map (name: ''^.*"[^"]*${name}[^"]*"$'') [
+ "AI2Bot"
+ "Amazonbot"
+ "Applebot"
+ "Applebot-Extended"
+ "Bytespider"
+ "CCBot"
+ "ChatGPT-User"
+ "ClaudeBot"
+ "Diffbot"
+ "DuckAssistBot"
+ "FacebookBot"
+ "GPTBot"
+ "Google-Extended"
+ "Kangaroo Bot"
+ "Meta-ExternalAgent"
+ "Meta-ExternalFetcher"
+ "OAI-SearchBot"
+ "PerplexityBot"
+ "Timpibot"
+ "Webzio-Extended"
+ "YouBot"
+ "omgili"
 ];
-
- filters.bots = {
- regex = builtins.map (name: ''^.*"[^"]*${name}[^"]*"$'') [
- "AI2Bot"
- "Amazonbot"
- "Applebot"
- "Applebot-Extended"
- "Bytespider"
- "CCBot"
- "ChatGPT-User"
- "ClaudeBot"
- "Diffbot"
- "DuckAssistBot"
- "FacebookBot"
- "GPTBot"
- "Google-Extended"
- "Kangaroo Bot"
- "Meta-ExternalAgent"
- "Meta-ExternalFetcher"
- "OAI-SearchBot"
- "PerplexityBot"
- "Timpibot"
- "Webzio-Extended"
- "YouBot"
- "omgili"
- ];
- actions = ban "720h";
- };
+ actions = ban "720h";
 };
+ };
 
- ssh = {
- cmd = journalctl "sshd";
+ ssh = {
+ cmd = journalctl "sshd";
 
- filters = {
- failedlogin = {
- regex = [
- "authentication failure;.*rhost="
- "Connection reset by authenticating user .* "
- "Connection closed by invalid user .* port .*"
- "Failed password for .* from "
- "Invalid user .* from port .*"
- "Unable to negotiate with port .*"
- ];
- actions = ban "48h";
- };
+ filters = {
+ failedlogin = {
+ regex = [
+ "authentication failure;.*rhost="
+ "Connection reset by authenticating user .* "
+ "Connection closed by invalid user .* port .*"
+ "Failed password for .* from "
+ "Invalid user .* from port .*"
+ "Unable to negotiate with port .*"
+ ];
+ actions = ban "48h";
 };
 };
 };
-in
-
-builtins.mapAttrs (_: builtins.foldl' (a: s: a // { ${s} = available.${s}; }) { }) {
- default = [
- "ai-crawlers"
- "ssh"
- ];
 }
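Review bot: `tail -n0 -f /var/log/nginx/access.log` in the new `ai-crawlers.cmd` follows the file by descriptor, so if the log is rotated by rename (the usual logrotate setup) the stream keeps reading the old inode and no further crawler hits reach the filter; the bans quietly stop after the first rotation. `-F` follows by name and retries, so the list should read `"tail" "-n0" "-F" "/var/log/nginx/access.log"`. The flag is carried over from the removed block rather than introduced here, but the rewrite is the moment to fix it, and a short comment on why `-F` is needed would stop it being "simplified" back. Separately, the entries in the `regex` list are interpolated unescaped; none of the current names contain regex metacharacters, but a comment saying so would protect future additions. The `let` that defines `act`, `ban` and `journalctl` starts before the hunk.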