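{ pkgs, lib, config, machines, ... }:
{
  # The sshd jail below runs its filter in `aggressive` mode, whose extra
  # patterns match pre-auth disconnect lines that sshd only logs at VERBOSE.
  # NixOS exposes this setting as services.openssh.logLevel (only
  # services.sshd.enable is aliased onto services.openssh; `logLevel` is not).
  services.openssh.logLevel = "VERBOSE";

  # The NixOS nftables unit loads its ruleset with a `flush ruleset`, which
  # also wipes the f2b table and chains fail2ban created.  Restarting fail2ban
  # after each (re)load of nftables lets it re-create them and re-apply the
  # bans persisted in its database.
  # `try-restart` acts only when fail2ban is already running: at boot fail2ban
  # then starts through its own unit ordering instead of being started from
  # inside nftables' postStart, where a blocking `restart` could wait on a
  # start job that is itself ordered after targets nftables precedes.
  systemd.services.nftables.postStart = ''
    systemctl try-restart fail2ban
  '';

  services.fail2ban = {
    enable = true;
    banaction = "nftables-multiport";
    banaction-allports = "nftables-allports";

    # Escalating bans: every new ban of the same host doubles the previous
    # ban length (5m, 10m, 20m, ...); the shift saturates at 20 so the
    # expression cannot overflow, and `maxtime` caps the result at one year.
    # NOTE(review): the ban count lives in fail2ban's sqlite database, so
    # confirm its purge age (fail2ban.conf `dbpurgeage`) is not shorter than
    # the escalation window you rely on, or repeat offenders restart at 5m.
    bantime-increment = {
      enable = true;
      factor = "1";
      formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
      maxtime = "1y";
      multipliers = "";      # empty: use `formula` rather than a fixed table
      overalljails = false;  # count per jail, not across all jails
      rndtime = "";          # no randomisation of the ban length
    };
    packageFirewall = pkgs.nftables;

    # Hosts that are never banned.  With maxretry = 1 on sshd this list is
    # the only thing between an admin typo and a 5m-to-1y lockout, so keep it
    # accurate.  Only IPv4 is listed: if these hosts also reach mermet over
    # IPv6, their IPv6 addresses have to be added here as well.
    ignoreIP = [
      machines.mermet.extraArgs.ipv4
      machines.losurdo.extraArgs.ipv4
      "198.252.154.1" # wren.riseup.net — TODO(review): record why this host is exempt
    ];
    jails = {
      DEFAULT = ''
      '';
      # Ban on the FIRST failed attempt seen within a day.  `aggressive` adds
      # patterns for pre-auth disconnects and similar, so a legitimate client
      # with a stale key or one mistyped password is banned too; every admin
      # source address must therefore be present in ignoreIP above.
      sshd = ''
        enabled = true
        bantime = 5m
        findtime = 1d
        maxretry = 1
        mode = aggressive
      '';
      # No maxretry here, so the DEFAULT section / upstream jail.conf value
      # (5 upstream) applies rather than the 1 used for sshd.
      postfix = ''
        enabled = true
        bantime = 5m
        findtime = 1d
        mode = aggressive
      '';
    };
  };

  # Override for the nftables-* actions: silently DROP packets from banned
  # hosts instead of the upstream default REJECT.  Banned clients then see
  # timeouts rather than a refusal, which reveals less about the filtering
  # but also makes a self-inflicted lockout harder to diagnose.
  environment.etc."fail2ban/action.d/nftables-common.local".text = ''
    [Init]
    blocktype = drop
  '';
}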