From 79138d965d750c2f921d761c469c54b210992cb6 Mon Sep 17 00:00:00 2001
From: Filippo Berto
Date: Thu, 16 Oct 2025 15:19:35 +0200
Subject: [PATCH] update(baldur): better fail2ban filters
---
 instances/baldur/configuration.nix | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/instances/baldur/configuration.nix b/instances/baldur/configuration.nix
index 866a21a..6b4c8f0 100644
--- a/instances/baldur/configuration.nix
+++ b/instances/baldur/configuration.nix
@@ -51,6 +51,14 @@
 enable = true;
 bantime-increment.enable = true;
 jails = {
+ "nginx-bad-request" = {
+ settings = {
+ filter = "nginx-bad-request";
+ action = ''nftables-multiport[name=HTTP, port="http,https"]'';
+ logpath = "/var/log/nginx/error.log*";
+ backend = "auto";
+ };
+ };
 "nginx-botsearch" = {
 settings = {
 filter = "nginx-botsearch";
@@ -59,6 +67,14 @@
 backend = "auto";
 };
 };
+ "nginx-forbidden" = {
+ settings = {
+ filter = "nginx-forbidden";
+ action = ''nftables-multiport[name=HTTP, port="http,https"]'';
+ logpath = "/var/log/nginx/error.log*";
+ backend = "auto";
+ };
+ };
 "nginx-http-auth" = {
 settings = {
 filter = "nginx-http-auth";
@@ -67,6 +83,14 @@
 backend = "auto";
 };
 };
+ "nginx-limit-req" = {
+ settings = {
+ filter = "nginx-limit-req";
+ action = ''nftables-multiport[name=HTTP, port="http,https"]'';
+ logpath = "/var/log/nginx/error.log*";
+ backend = "auto";
+ };
+ };
 };
 };
 nginx = {
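Review bot: The `nginx-bad-request` jail reads `/var/log/nginx/error.log*`, but the upstream fail2ban filter of that name matches access-log lines with status 400 (upstream `jail.conf` pairs it with the nginx access log), so as written this jail will most likely never register a failure. Point it at the access log instead, `logpath = "/var/log/nginx/access.log*";` (path assumed from the error-log location; adjust to this host's layout). Confirm the match with `fail2ban-regex` against a real log sample before relying on the jail. The enclosing `jails` attribute set starts above this hunk and continues past it.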
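Review bot: `nginx-forbidden` is added without its own `maxretry` or `findtime`, so it bans on the global defaults while `bantime-increment.enable = true` lengthens every repeat ban. The filter matches nginx "forbidden" error lines, which ordinary visitors, crawlers and monitoring probes can trigger on a directory without an index, so a false positive escalates quickly. Set the thresholds explicitly in this jail's `settings`, for example `maxretry = 5;` and `findtime = 600;` (illustrative values, tune to the site). Also make sure monitoring hosts and any fronting proxy are listed in `services.fail2ban.ignoreIP`, since a ban on a proxy address would block every client behind it.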
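Review bot: `nginx-limit-req` only has something to match when nginx itself rate-limits, because the filter looks for the "limiting requests" error lines that `limit_req` emits. The `nginx` block begins at the last context line of this hunk, so whether a `limit_req_zone` is configured is not visible here; if none is, the jail is inert and gives a false sense of coverage. A comment above the jail would record the dependency, e.g. `# requires limit_req_zone/limit_req in services.nginx; keep maxretry above the configured burst`. Separately, the `action`/`logpath`/`backend` triple is now repeated verbatim in each jail shown, and a shared `let` binding merged with `//` would keep them from drifting apart.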