hosts/mermet/fail2ban.nix

   1 { pkgs, lib, config, hosts, ... }:
   2 {
   3 services.openssh.logLevel = "VERBOSE";
   4 /*
   5 systemd.services.nftables.postStart = ''
   6   systemctl reload fail2ban
   7 '';
   8 */
   9 services.fail2ban = {
  10   enable = true;
  11   banaction = "nftables-multiport";
  12   banaction-allports = "nftables-allports";
  13   bantime-increment = {
  14     enable = true;
  15     factor = "1";
  16     formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
  17     maxtime = "1y";
  18     multipliers = "";
  19     overalljails = false;
  20     rndtime = "";
  21   };
  22   packageFirewall = pkgs.nftables;
  23   ignoreIP = [
  24     hosts.mermet._module.args.ipv4
  25     "losurdo.sourcephile.fr"
  26   ];
  27   jails = {
  28     DEFAULT = ''
  29     '';
  30     sshd = ''
  31       enabled = true
  32       bantime = 5m
  33       findtime = 1d
  34       maxretry = 1
  35       mode = aggressive
  36     '';
  37     postfix = ''
  38       enabled = true
  39       bantime = 5m
  40       findtime = 1d
  41       mode = aggressive
  42     '';
  43   };
  44 };
  45 environment.etc."fail2ban/action.d/nftables-common.local".text = ''
  46   [Init]
  47   blocktype = drop
  48 '';
  49 }