{ pkgs, lib, config, hosts, ... }:
let
  inherit (hosts) mermet losurdo;

  # Sources that fail2ban must never ban: this host's own IPv4, the peer's
  # WireGuard address on wg-intra, and two names.
  # NOTE(review): the last two entries are hostnames, so the effective
  # allowlist is whatever fail2ban resolves them to when it loads the jails;
  # a name resolving to several addresses widens the allowlist accordingly —
  # confirm this is intended, or pin addresses instead.
  neverBan = [
    mermet.extraArgs.ipv4
    losurdo.extraArgs.wireguard.wg-intra.ipv4
    "losurdo.sourcephile.fr"
    "vpn.riseup.net"
  ];

  # sshd jail: one failure within a day (maxretry = 1 over findtime = 1d)
  # earns a 5m ban, which then grows through bantime-increment below.
  # "aggressive" mode is fail2ban's wider sshd filter — presumably chosen to
  # also catch pre-auth probes; verify against the installed filter.d/sshd.conf.
  sshdJail = ''
    enabled = true
    bantime = 5m
    findtime = 1d
    maxretry = 1
    mode = aggressive
  '';

  # postfix jail: same window and base ban as sshd, but no maxretry is set,
  # so fail2ban's own default applies (DEFAULT below is empty) — TODO confirm
  # the value from the installed jail.conf if a tighter threshold is wanted.
  postfixJail = ''
    enabled = true
    bantime = 5m
    findtime = 1d
    mode = aggressive
  '';
in
{
  # The sshd jail works from sshd's log lines; VERBOSE is the level at which
  # sshd logs the authentication events the filter matches — assumed to be
  # the reason for this setting, confirm against the NixOS fail2ban docs.
  services.openssh.logLevel = "VERBOSE";

  /*
  systemd.services.nftables.postStart = ''
    systemctl reload fail2ban
  '';
  */

  services.fail2ban.enable = true;

  # Bans are enforced with nftables, so both ban actions are the nftables
  # variants and the matching firewall package is handed to fail2ban.
  services.fail2ban.packageFirewall = pkgs.nftables;
  services.fail2ban.banaction = "nftables-multiport";
  services.fail2ban.banaction-allports = "nftables-allports";

  # Escalating bans: each repeat offence doubles the jail's bantime
  # (1 << ban.Count, capped at 20 doublings), multiplied by banFactor = 1,
  # and clamped to one year. overalljails = false keeps the offence count
  # per jail rather than across all jails; multipliers/rndtime are left
  # empty, i.e. unused here.
  services.fail2ban.bantime-increment = {
    enable = true;
    factor = "1";
    formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
    maxtime = "1y";
    multipliers = "";
    overalljails = false;
    rndtime = "";
  };

  services.fail2ban.ignoreIP = neverBan;

  services.fail2ban.jails = {
    # Intentionally empty: no jail-wide overrides, each jail is explicit.
    DEFAULT = ''
    '';
    sshd = sshdJail;
    postfix = postfixJail;
  };

  # Local override for fail2ban's nftables actions: banned traffic is
  # dropped silently instead of being rejected with an error reply.
  environment.etc."fail2ban/action.d/nftables-common.local".text = ''
    [Init]
    blocktype = drop
  '';
}