]> Git — Sourcephile - sourcephile-nix.git/blob - machines/losurdo/fail2ban.nix
apparmor: update to upstream nixpkgs#101071
[sourcephile-nix.git] / machines / losurdo / fail2ban.nix
1 { pkgs, lib, config, machines, ... }:
2 {
3 services.openssh.logLevel = "VERBOSE";
4 services.postgresql.settings.log_line_prefix = "%h ";
5 /*
6 systemd.services.nftables.postStart = '' systemctl reload fail2ban '';
7 */
8 services.fail2ban = {
9 enable = true;
10 banaction = "nftables-multiport";
11 banaction-allports = "nftables-allports";
12 bantime-increment = {
13 enable = true;
14 factor = "1";
15 formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
16 maxtime = "1y";
17 multipliers = "";
18 overalljails = false;
19 rndtime = "";
20 };
21 packageFirewall = pkgs.nftables;
22 ignoreIP = [
23 #"0.0.0.0/8"
24 #"10.0.0.0/8"
25 "127.0.0.0/8"
26 #"169.254.0.0/16"
27 #"172.16.0.0/12"
28 #"192.0.2.0/24"
29 "192.168.0.0/16"
30 #"224.0.0.0/3"
31 #"240.0.0.0/5"
32 machines.mermet.extraArgs.ipv4
33 machines.mermet.extraArgs.wireguard.wg-intra.ipv4
34 "losurdo.sourcephile.fr"
35 "vpn.riseup.net"
36 ];
37 jails = {
38 DEFAULT = ''
39 '';
40 sshd = ''
41 enabled = true
42 bantime = 5m
43 findtime = 1d
44 maxretry = 1
45 mode = aggressive
46 '';
47 postgresql = ''
48 enabled = true
49 bantime = 1m
50 filter = postgresql
51 findtime = 1d
52 port = 5432
53 '';
54 };
55 };
56 environment.etc."fail2ban/action.d/nftables-common.local".text = ''
57 [Init]
58 blocktype = drop
59 '';
60 environment.etc."fail2ban/filter.d/postgresql.local".text = ''
61 [INCLUDES]
62 before = common.conf
63 [DEFAULT]
64 _daemon = postgresql-start
65 [Definition]
66 journalmatch = _SYSTEMD_UNIT=postgresql.service + _COMM=postgres
67 prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
68 failregex = ^<HOST>\s+FATAL:\s*no pg_hba.conf entry for host.+$
69 ^<HOST>\s+FATAL:\s*no PostgreSQL user name specified in startup packet.+$
70 ^<HOST>\s+FATAL:\s*password authentication failed for user.+$
71 ^<HOST>\s+FATAL:\s*unsupported frontend protocol.+$
72 maxlines = 1
73 #ignoreregex = duration:
74 '';
75 }