# fail2ban for the "mermet" machine: nftables-backed banning with
# exponentially growing ban times, an exemption list for the project's own
# hosts, and jails for sshd and postfix.
{ pkgs, lib, config, machines, ... }:
{
  # NOTE(review): fail2ban's sshd filter (notably in aggressive mode) matches
  # messages that sshd only emits at VERBOSE level — keep this in step with
  # the sshd jail below; confirm against the filter shipped by pkgs.fail2ban.
  services.sshd.logLevel = "VERBOSE";
  services.fail2ban = {
    enable = true;
    # Use the nftables ban actions, consistent with packageFirewall below.
    # The allports variant is the one used when a jail escalates to blocking
    # every port rather than the jail's own ports.
    banaction = "nftables-multiport";
    banaction-allports = "nftables-allports";
    # Repeat offenders get longer bans: the ban time doubles with each ban
    # count (the shift is capped at 2^20 by min(...)), scaled by factor,
    # and never exceeds one year.
    bantime-increment = {
      enable = true;
      factor = "1";
      formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
      maxtime = "1y";
      # Empty: no explicit multiplier table; the formula above is used.
      multipliers = "";
      # false: the ban count is tracked per jail, not summed across jails.
      overalljails = false;
      # Empty: no random jitter is added to the unban time.
      rndtime = "";
    };
    packageFirewall = pkgs.nftables;
    # Addresses that are never banned. Only IPv4 addresses are listed; if
    # sshd or postfix are also reachable over IPv6, the same hosts are not
    # exempt on that path — TODO confirm whether an ipv6 counterpart exists
    # in machines.*.extraArgs.
    ignoreIP = [
      machines.mermet.extraArgs.ipv4
      machines.losurdo.extraArgs.ipv4
      "198.252.154.1" # wren.riseup.net — hard-coded, revisit if that host renumbers
    ];
    jails = {
      DEFAULT = ''
      '';
      # A single failed login is enough to ban (maxretry = 1): 5m on the
      # first ban, then the increment formula above on every further ban.
      # Legitimate admins are protected only by ignoreIP, so a typo from an
      # unlisted address locks that address out.
      sshd = ''
        enabled = true
        bantime = 5m
        findtime = 1d
        maxretry = 1
        mode = aggressive
      '';
      # No maxretry here, so the jail inherits fail2ban's default threshold —
      # presumably several attempts; verify against the shipped jail.conf.
      postfix = ''
        enabled = true
        bantime = 5m
        findtime = 1d
        mode = aggressive
      '';
    };
  };
  # Drop-in override for the nftables actions: packets from banned hosts are
  # silently dropped rather than answered (the shipped nftables-common.conf
  # presumably defaults to a reject — confirm).
  environment.etc."fail2ban/action.d/nftables-common.local".text = ''
    [Init]
    blocktype = drop
  '';
}