# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).
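{ config, lib, pkgs, ... }:
# Recursive BIND resolver for one prefix, plus a timer-driven blocker that
# blackholes client addresses seen in BIND's security log asking for an
# abusive query name. Caveats worth knowing before relying on it:
#   * The addresses come from log lines any remote client can trigger, and
#     UDP source addresses can be spoofed, so a blocked address is not proof
#     of abuse; review what lands in /var/dns/blocked.
#   * Blackhole routes live in the kernel only; they do not survive a reboot.
#     /var/dns/blocked is a record, not state that gets re-applied.
let
  # BIND security-category log. The blocker reads it and truncates it on
  # every run, so it never grows much; BIND's own 30m rotation is a backstop.
  log = "/var/log/named/named.log";
  # Query name that marks a client as abusive, as an awk regex. Interpolated
  # into the blocker script's awk program below.
  badName = "cpsc\\.gov";
in
{
  #environment.etc."fail2ban/filter.d/bind.conf".source = pkgs.writeText "bind" ''
  # [Definition]
  # failregex = .*client @0x[0-9a-f]+ <HOST>#4444 \(cpsc\.gov\): query \(cache\).*
  #'';
  #environment.etc."fail2ban/action.d/blackhole.conf".source = pkgs.writeText "blackhole" ''
  # [Definition]
  # actionban = ip route add blackhole <ip>
  # actionunban = ip route del blackhole <ip>
  #'';

  # Fire the blocker every 10 minutes.
  systemd.timers.block = {
    partOf = [ "block.service" ];
    wantedBy = [ "timers.target" ];
    timerConfig.OnCalendar = "*:0/10:0"; # Every 10 minutes
  };

  systemd.services.block = {
    enable = true;
    path = with pkgs; [ iproute gawk ];
    script = ''
      # Client addresses seen querying the bad name since the last run. With
      # print-time on, the script assumes field 5 of a security-log line is
      # the client's "addr#port"; the sub() strips the port.
      ips=$(awk '/${badName}/{sub("#.*", "", $5); print $5; }' ${log} | sort -u)
      for ip in $ips; do
        # The value is lifted from a log line written on behalf of a remote
        # client; only hand values shaped like an IP literal to "ip route".
        case $ip in
          ""|*[!0-9a-fA-F.:]*) echo "block: skipping malformed address: $ip" >&2; continue ;;
        esac
        # "replace" is idempotent. NixOS runs service scripts with -e, so a
        # plain "add" for an address already blocked on an earlier run would
        # fail with EEXIST, abort the loop, and skip the truncation below.
        ip route replace blackhole "$ip"
        echo "$ip" >> /var/dns/blocked
      done
      # Entries BIND writes between the awk read and this truncation are lost;
      # acceptable here because the same client will show up again.
      : > ${log}
    '';
  };

  services.fail2ban = {
    enable = true;
    # jails.bind = ''
    # filter = bind
    # action = blackhole
    # enabled = false
    # logpath = /var/log/named.log
    # bantime = 3600
    # findtime = 60
    # maxretry = 5
    # '';
  };

  services.bind = {
    enable = true;
    # Networks allowed to use this server as a recursive resolver; everyone
    # else only gets answers for the authoritative zone below.
    cacheNetworks = [
      "127.0.0.0/24"
      "178.197.128.0/17"
    ];
    # Route the security category (denied queries etc.) to its own file so
    # the blocker has a small, focused log to scan.
    extraConfig = ''
      logging {
        channel security_file {
          file "${log}" versions 3 size 30m;
          severity dynamic;
          print-time yes;
        };
        category security {
          security_file;
        };
      };
    '';
    zones = [
      {
        file = "/var/dns/infinisil.io";
        master = true;
        name = "infinisil.io";
      }
    ];
  };

  networking.firewall.allowedTCPPorts = [ 53 ];
  networking.firewall.allowedUDPPorts = [ 53 ];
}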