1 { pkgs, lib, config, machines, ... }:
# Logging settings that the ban filters depend on.
# NOTE(review): VERBOSE makes sshd record more detail per authentication
# attempt; presumably an sshd jail (not shown in this excerpt) matches on
# those lines — confirm.
3 services.sshd.logLevel = "VERBOSE";
# log_line_prefix '%h ' puts the remote host at the start of every PostgreSQL
# log message. The failregex patterns in fail2ban/filter.d/postgresql.local
# expect <HOST> immediately before FATAL, so changing this prefix makes the
# filter stop matching without any error being reported.
# NOTE(review): %h can print a host name rather than an address when
# PostgreSQL's log_hostname is enabled — keep it off so bans are keyed on the
# IP address; confirm against the server configuration.
4 services.postgresql.extraConfig = "log_line_prefix = '%h '";
# fail2ban ban settings; the enclosing attribute set is outside this excerpt.
# Both ban actions use the nftables variants, consistent with packageFirewall
# being set to pkgs.nftables below.
7 banaction = "nftables-multiport";
8 banaction-allports = "nftables-allports";
# Ban time grows with the number of earlier bans: the left shift doubles it
# for each repeat, and min(ban.Count, 20) caps the exponent, so the multiplier
# never exceeds 1 << 20.
# NOTE(review): no upper bound on the resulting ban time is visible in this
# excerpt — confirm a maximum is configured alongside this formula.
12 formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
18 packageFirewall = pkgs.nftables;
# NOTE(review): these look like entries of the jail's ignore list (the
# attribute name is outside this excerpt) — confirm. Addresses on such a list
# are never banned, so each entry is exempt from brute-force throttling and
# should be kept to the minimum that is still needed.
20 machines.mermet.extraArgs.ipv4
21 machines.losurdo.extraArgs.ipv4
22 "198.252.154.1" # wren.riseup.net
# NOTE(review): exemption for an end user's address. It applies to whoever
# holds the address, so review it periodically and remove it once unused.
23 "86.239.114.224" # openconcerto user
# Local override for fail2ban's nftables-common action, written to
# /etc/fail2ban/action.d/. The override text itself is outside this excerpt.
44 environment.etc."fail2ban/action.d/nftables-common.local".text = ''
# Local override for fail2ban's postgresql filter, written to
# /etc/fail2ban/filter.d/. Everything below is fail2ban filter syntax.
48 environment.etc."fail2ban/filter.d/postgresql.local".text = ''
# NOTE(review): _daemon is presumably consumed by __prefix_line, which is
# defined outside this excerpt — confirm.
52 _daemon = postgresql-start
# Journal entries are selected when they come from postgresql.service or (the
# "+" separates alternatives) from any process whose command name is postgres.
# NOTE(review): the command-name term is broader than the unit term; confirm
# it is needed, since it widens which log writers can trigger a ban.
54 journalmatch = _SYSTEMD_UNIT=postgresql.service + _COMM=postgres
# prefregex removes the common line prefix and passes the remainder to
# failregex as F-CONTENT.
55 prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
# Every pattern requires the client address (<HOST>) at the very start of the
# content, directly before FATAL. Text later in the message, such as a
# client-supplied user name, is therefore never read as the address to ban.
# These patterns only match while log_line_prefix starts with the remote host.
# Covered failures: no pg_hba.conf entry, missing user name in the startup
# packet, failed password authentication, unsupported frontend protocol.
56 failregex = ^<HOST>\s+FATAL:\s*no pg_hba.conf entry for host.+$
57 ^<HOST>\s+FATAL:\s*no PostgreSQL user name specified in startup packet.+$
58 ^<HOST>\s+FATAL:\s*password authentication failed for user.+$
59 ^<HOST>\s+FATAL:\s*unsupported frontend protocol.+$
# Disabled ignoreregex, so no matching line is excluded from counting.
61 #ignoreregex = duration: