1 { pkgs, lib, config, hosts, ... }:
# NOTE(review): wg-intra is imported here but not referenced in the lines shown — confirm it is
# still used (e.g. to derive trusted addresses for the fail2ban ignore list) or drop the import.
3 wg-intra = import ../../networking/wireguard/wg-intra.nix;
# Raise sshd logging to VERBOSE. NOTE(review): presumably chosen so fail2ban's sshd filter
# sees the extra pre-auth log lines it matches on — confirm against the sshd jail settings.
6 services.openssh.logLevel = "VERBOSE";
# Prefix every PostgreSQL log line with the client host (%h). The postgresql fail2ban filter
# defined further down anchors each failregex on `^<HOST>\s+FATAL:`, so this prefix is what
# the filter keys on; changing or removing it silently disables that jail.
# NOTE(review): %h is a host name rather than an IP address when PostgreSQL's log_hostname is
# on, which would make fail2ban depend on DNS for <HOST> — keep log_hostname off, or confirm.
7 services.postgresql.logLinePrefix = "%h ";
# Reload fail2ban after nftables has (re)started. NOTE(review): presumably because reloading
# the nftables ruleset drops the sets/chains fail2ban installed, so existing bans would stop
# being enforced until fail2ban re-creates them — confirm, and check the reload is not racing
# fail2ban's own startup on boot.
9 systemd.services.nftables.postStart = '' systemctl reload fail2ban '';
# Default ban action: nftables rules restricted to the ports of the jail that triggered the ban.
13 banaction = "nftables-multiport";
# Ban action used by jails that request an all-ports ban: blocks the offending host entirely.
14 banaction-allports = "nftables-allports";
# Ban-time growth formula: each repeat offence doubles the previous ban duration
# (ban.Time * 2^ban.Count), with the exponent capped at 20 so the multiplier never exceeds
# 2^20 and the duration cannot overflow into an effectively permanent ban by accident.
18 formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
# Make fail2ban drive nftables directly; this must stay in step with the nftables-* ban
# actions configured above, otherwise the ban commands would target the wrong firewall.
24 packageFirewall = pkgs.nftables;
35 hosts.mermet.extraArgs.ipv4
36 "losurdo.sourcephile.fr"
58 environment.etc."fail2ban/action.d/nftables-common.local".text = ''
62 environment.etc."fail2ban/filter.d/postgresql.local".text = ''
66 _daemon = postgresql-start
68 journalmatch = _SYSTEMD_UNIT=postgresql.service + _COMM=postgres
69 prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
70 failregex = ^<HOST>\s+FATAL:\s*no pg_hba.conf entry for host.+$
71 ^<HOST>\s+FATAL:\s*no PostgreSQL user name specified in startup packet.+$
72 ^<HOST>\s+FATAL:\s*password authentication failed for user.+$
73 ^<HOST>\s+FATAL:\s*unsupported frontend protocol.+$
75 #ignoreregex = duration: