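# fail2ban for host losurdo: ban sources of repeated SSH and PostgreSQL
# authentication failures, enforced with nftables.
#
# Anything listed in ignoreIP below is exempt from *every* jail, including
# the sshd "one strike" rule, so that list is the main lockout safety net.
{ pkgs, hosts, ... }:
{
  # The sshd filter only sees per-attempt lines (rejected public keys,
  # disconnects during authentication) at VERBOSE; "mode = aggressive"
  # below depends on them.
  services.openssh.logLevel = "VERBOSE";

  # Put the remote host first on every PostgreSQL log line so the custom
  # postgresql filter below can extract <HOST>.  This replaces the module's
  # default prefix; the filter's failregex assumes exactly this shape.
  # NOTE(review): presumably %h is empty for non-session processes and
  # "[local]" for Unix-socket clients, neither of which matches <HOST>, so
  # those lines are simply ignored — confirm against the running log.
  services.postgresql.logLinePrefix = "%h ";

  # NOTE(review): restarting nftables flushes the ruleset, which also
  # discards the sets fail2ban populated, so active bans are lost until
  # fail2ban is reloaded.  The following was considered but is not enabled;
  # verify the service ordering and how the fail2ban module already reacts
  # to firewall restarts before turning it on:
  #   systemd.services.nftables.postStart = "systemctl reload fail2ban";

  services.fail2ban = {
    enable = true;

    # nftables backend; the ban verdict ("drop") is configured in
    # action.d/nftables-common.local below.
    packageFirewall = pkgs.nftables;
    banaction = "nftables-multiport";
    banaction-allports = "nftables-allports";

    # Escalating bans: each new ban of the same address doubles the previous
    # duration (1 << count, capped at 2^20 with factor 1), up to one year.
    # multipliers/rndtime are empty, i.e. the formula alone decides.
    bantime-increment = {
      enable = true;
      factor = "1";
      formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
      maxtime = "1y";
      multipliers = "";
      # Ban history is counted per jail, not across all jails.
      overalljails = false;
      rndtime = "";
    };

    # Sources that are never banned.  Keep this short: every entry bypasses
    # all jails.
    ignoreIP = [
      "127.0.0.0/8"
      # The whole RFC 1918 192.168/16 range is trusted; only acceptable if
      # no untrusted network can reach this host with such a source.
      "192.168.0.0/16"
      # Other reserved/bogon ranges (0/8, 10/8, 169.254/16, 172.16/12,
      # 192.0.2/24, 224/3, 240/5) are deliberately NOT exempt.
      hosts.mermet.extraArgs.ipv4
      # Hostnames are resolved by fail2ban when it (re)loads; the exemption
      # is only as trustworthy as DNS at that moment, and the IP the name
      # resolved to stays exempt until the next reload.
      "losurdo.sourcephile.fr"
      # Shared VPN exit: this exempts every user of that VPN, not just us.
      "vpn.riseup.net"
    ];

    jails = {
      # One failure within a day bans for 5m (then escalating).  With
      # "aggressive", pre-auth disconnects and probes also count, so a
      # single misbehaving client — possibly a legitimate user whose agent
      # offers a wrong key first — may be banned at once; administer from
      # an address listed in ignoreIP.
      sshd = ''
        enabled = true
        bantime = 5m
        findtime = 1d
        maxretry = 1
        mode = aggressive
      '';
      # Uses filter.d/postgresql.local defined below.  maxretry is not set
      # here, so the DEFAULT section's value applies.
      postgresql = ''
        enabled = true
        bantime = 1m
        filter = postgresql
        findtime = 1d
        port = 5432
      '';
    };
  };

  # Drop rather than reject banned traffic: banned peers get no RST/ICMP
  # answer, only timeouts (slower for scanners, less informative for a
  # locked-out legitimate user).
  environment.etc."fail2ban/action.d/nftables-common.local".text = ''
    [Init]
    blocktype = drop
  '';

  # Journal-based filter for PostgreSQL authentication failures; relies on
  # logLinePrefix = "%h " above placing the client address first.
  environment.etc."fail2ban/filter.d/postgresql.local".text = ''
    [INCLUDES]
    before = common.conf

    [DEFAULT]
    _daemon = postgresql-start

    [Definition]
    # In journalmatch a space means AND and "+" means OR: take lines from
    # the unit or from any process named postgres.
    journalmatch = _SYSTEMD_UNIT=postgresql.service + _COMM=postgres
    prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
    # Continuation lines MUST be indented deeper than the "failregex" key,
    # otherwise the INI parser treats each of them as a separate key and
    # only the first pattern is active.
    failregex = ^<HOST>\s+FATAL:\s*no pg_hba.conf entry for host.+$
                ^<HOST>\s+FATAL:\s*no PostgreSQL user name specified in startup packet.+$
                ^<HOST>\s+FATAL:\s*password authentication failed for user.+$
                ^<HOST>\s+FATAL:\s*unsupported frontend protocol.+$
    # Nothing is ignored; "duration:" was once considered as a candidate.
    ignoreregex =
    maxlines = 1
  '';
}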