From a68fc5cb0de2adbcabf81649436d902eadc052ca Mon Sep 17 00:00:00 2001
From: Devin Finlinson
Date: Fri, 21 Nov 2025 22:35:08 -0700
Subject: two changes: first, set up rsyslog and fail2ban to block router spam (not yet working as fail2ban can't access ssh keys without permissions) second, set up a port forward to doretta for minecraft servers (seems to work first try)
---
 machines/biski/default.nix | 91 +++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 89 insertions(+), 2 deletions(-)
diff --git a/machines/biski/default.nix b/machines/biski/default.nix
index 1255911..b05d289 100644
--- a/machines/biski/default.nix
+++ b/machines/biski/default.nix
@@ -34,6 +34,71 @@
 };
 security.pam.sshAgentAuth.enable = true;
 
+ services.rsyslogd = {
+ enable = true;
+ extraConfig = ''
+ $ModLoad imudp
+ $UDPServerRun 10514
+ *.* /var/log/rsyslog-remote.log
+ '';
+ };
+
+ environment.etc = {
+ "fail2ban/action.d/routeros.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+ [Init]
+
+ # SSH credentials to use to log into the router
+ user = FCWadmin
+ port = 2200
+ pubkey = /etc/fail2ban/.id_routeros
+
+ # SSH connection command
+ ssh = /run/current-system/sw/bin/ssh
+ cmd = -i -p @64.77.244.138
+
+ # What to do on ban.
+ action = tarpit
+ chain = fail2ban
+
+ # Command-shortening aliases
+ iff = /ip/firewall/filter
+ what = src-address="" chain=""
+ addwhat = dst-port="" proto="tcp" action=""
+
+ [Definition]
+
+ actionban = ' add place-before=0'
+ actionunban = ' remove numbers=[find ]'
+ '');
+
+ # Defines a filter for Mikrotik login failures by reading rsyslog
+ "fail2ban/filter.d/routeros-rsyslog-sshd.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+ [Definition]
+ _router = ([a-zA-Z0-9.-]+)
+ failregex = ^\s?<_router> .* login failure for user .* from via ssh
+ '');
+ };
+ services.fail2ban = {
+ enable = true;
+ ignoreIP = [
+ # Whitelist some subnets
+ "205.192.218.182/29"
+ "10.0.0.0/8"
+ ];
+ jails = {
+ routeros-rsyslog-sshd.settings = {
+ enabled = true;
+ filter = "routeros-rsyslog-sshd";
+ action = "routeros";
+ logpath = "/var/log/rsyslog-remote.log";
+ backend = "polling";
+ ignoreself = true;
+ maxretry = 3;
+ findtime = 600;
+ };
+ };
+ };
+
 # Set your time zone.
 time.timeZone = "US/Mountain";
 
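Review bot: The `$UDPServerRun 10514` listener in services.rsyslogd.extraConfig has no bind address, so once the UDP port is opened (second hunk) any host that can reach this machine can append lines to /var/log/rsyslog-remote.log, and the fail2ban jail then drives an SSH action against the router from that unauthenticated input — plain UDP syslog carries no sender authentication, and the hostname matched by `<_router>` in the filter is whatever the sender wrote. Bind the receiver to the router-facing address with `$UDPServerAddress <router-facing IP>` (placeholder) and, since `*.*` funnels every remote message into one unrotated file, add a logrotate entry for /var/log/rsyslog-remote.log so the listener cannot fill the disk. Two smaller points: `205.192.218.182/29` in ignoreIP is not on a /29 boundary (that block starts at .176, so `205.192.218.176/29` states the intended range explicitly), and `pubkey = /etc/fail2ban/.id_routeros` is presumably the file handed to `ssh -i`, which takes the private key, so a comment such as `# private key used by ssh -i; must be readable by the fail2ban service` would document the permission problem noted in the commit message. The `cmd`, `actionban` and `actionunban` lines appear to have lost their `<...>` substitution tokens in this rendering, so their exact content is not reviewed here.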
@@ -65,8 +130,30 @@
 };
 
 # Open ports in the firewall.
- # networking.firewall.allowedTCPPorts = [ ... ];
- # networking.firewall.allowedUDPPorts = [ ... ];
+ networking.firewall.allowedTCPPorts = [ 25565 ];
+ networking.firewall.allowedUDPPorts = [ 10514 ];
+ networking.nftables = {
+ enable = true;
+ ruleset = ''
+ table ip nat {
+ chain PREROUTING {
+ type nat hook prerouting priority dstnat; policy accept;
+ iifname "eno1" tcp dport 25565 dnat to 100.64.0.2:25565
+ }
+ }
+ '';
+ };
+ networking.nat = {
+ enable = true;
+ internalInterfaces = [ "eno1" ];
+ externalInterface = "tailscale0";
+ forwardPorts = [{
+ sourcePort = 25565;
+ proto = "tcp";
+ destination = "100.64.0.2:25565";
+ }];
+ };
+
 # Or disable the firewall altogether.
 # networking.firewall.enable = false;
 
-- 
cgit v1.2.3
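Review bot: The DNAT for 25565 is declared twice — in the hand-written `table ip nat` PREROUTING chain keyed on `iifname "eno1"`, and again through `networking.nat.forwardPorts`, which NixOS appears to render as a rule on `externalInterface` (here `tailscale0`), so the second copy matches tailnet ingress rather than the public side and only the hand-written rule does the work described in the commit message. Keep one of the two, and if `networking.nat` is enabled for the masquerade toward tailscale0 rather than for the port forward, say so with a comment such as `# nat enabled for masquerade out tailscale0 so doretta's replies return via this host`. `allowedUDPPorts = [ 10514 ]` opens the rsyslog receiver on every interface; scoping it as `networking.firewall.interfaces.<iface>.allowedUDPPorts = [ 10514 ];` on the interface the router logs from keeps the unauthenticated syslog input off the other interfaces, and the same scoping applies to 25565, which as written is also accepted on tailscale0.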