mermet: fail2ban: readd postfix support
{ pkgs, hosts, ... }:
let
  # Timing shared by every jail below: a first offence is banned for five
  # minutes (bantime-increment then grows it) and failures are counted over
  # a one-day window.
  jailTiming = {
    bantime = "5m";
    findtime = "1d";
  };
in
{
  # VERBOSE is what gives the sshd filter enough detail (key fingerprints,
  # preauth disconnect lines) to match in aggressive mode.
  services.openssh.settings.LogLevel = "VERBOSE";

  /*
    Disabled hook: reload fail2ban once nftables has (re)started, so that the
    f2b tables are re-created if the ruleset was flushed.
    NOTE(review): while this stays commented out, a restart of nftables.service
    may leave bans that fail2ban still considers active absent from the kernel
    until fail2ban itself is reloaded — confirm against the nftables ruleset.
    systemd.services.nftables.postStart = ''
      systemctl reload fail2ban
    '';
  */

  services.fail2ban = {
    enable = true;

    # Enforce bans with nftables rather than iptables.  The multiport action
    # only blocks the ports a jail lists; nftables-allports is used where a
    # jail asks for a full block.  blocktype is switched to drop below.
    packageFirewall = pkgs.nftables;
    banaction = "nftables-multiport";
    banaction-allports = "nftables-allports";

    # Addresses that must never be banned: this host's own IPv4 and losurdo.
    # NOTE(review): the second entry is a DNS name, so the allowlist depends
    # on name resolution being trustworthy; a spoofed answer would exempt an
    # attacker.  No IPv6 address of this host is listed — confirm whether it
    # has one that should also be exempt.
    ignoreIP = [
      hosts.mermet._module.args.ipv4
      "losurdo.sourcephile.fr"
    ];

    # Exponential back-off on repeat offenders: bantime doubles with each ban
    # (2^count, count capped at 20), never exceeding one year.  Counts are
    # kept per jail (overalljails = false) and no random jitter is added.
    bantime-increment = {
      enable = true;
      factor = "1";
      formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
      maxtime = "1y";
      overalljails = false;
      rndtime = "";
    };

    jails = {
      # One failure within findtime is enough to ban (maxretry = 1).
      # NOTE(review): aggressive mode matches more line shapes than normal
      # mode, so combined with maxretry = 1 a legitimate client that offers a
      # wrong key first could be banned; make sure every admin source address
      # is covered by ignoreIP.
      sshd.settings = jailTiming // {
        enabled = true;
        maxretry = "1";
        mode = "aggressive";
      };

      # Only port 465 is blocked for offenders caught by the postfix filter.
      # NOTE(review): if postfix also listens on 25 or 587, a banned address
      # can still reach those ports — confirm the listener set, or switch this
      # jail to banaction-allports.
      postfix.settings = jailTiming // {
        enabled = true;
        filter = "postfix";
        mode = "aggressive";
        port = 465;
      };

      # maxretry is not set here, so the DEFAULT value from
      # services.fail2ban.maxretry applies.
      # NOTE(review): "postgresql" is not a filter every fail2ban release
      # ships; presumably it is provided elsewhere in this repository — verify.
      postgresql.settings = jailTiming // {
        enabled = true;
        filter = "postgresql";
        port = 5432;
      };
    };
  };

  # Silently drop packets from banned addresses instead of rejecting them,
  # so a scanner learns nothing from the response.
  environment.etc."fail2ban/action.d/nftables-common.local".text = ''
    [Init]
    blocktype = drop
  '';
}