]> Git — Sourcephile - sourcephile-nix.git/blob - nixos/profiles/services/fail2ban.nix
losurdo: docker: enable service
[sourcephile-nix.git] / nixos / profiles / services / fail2ban.nix
1 { pkgs, lib, ... }:
2 {
3 services.fail2ban = {
4 banaction = lib.mkDefault "nftables-multiport";
5 banaction-allports = lib.mkDefault "nftables-allports";
6 packageFirewall = lib.mkDefault pkgs.nftables;
7 bantime-increment = {
8 enable = true;
9 factor = "1";
10 formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
11 overalljails = false;
12 rndtime = "";
13 };
14 };
15 /*
16 systemd.services.nftables.postStart = '' systemctl reload fail2ban '';
17 */
18 services.openssh.settings.LogLevel = "VERBOSE";
19 services.postgresql.settings.log_line_prefix = "%h ";
20 environment.etc."fail2ban/action.d/nftables-common.local".text = ''
21 [Init]
22 blocktype = drop
23 '';
24 environment.etc."fail2ban/filter.d/postgresql.local".text = ''
25 [INCLUDES]
26 before = common.conf
27 [DEFAULT]
28 _daemon = postgresql-start
29 [Definition]
30 journalmatch = _SYSTEMD_UNIT=postgresql.service + _COMM=postgres
31 prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
32 failregex = ^<HOST>\s+FATAL:\s*no pg_hba.conf entry for host.+$
33 ^<HOST>\s+FATAL:\s*no PostgreSQL user name specified in startup packet.+$
34 ^<HOST>\s+FATAL:\s*password authentication failed for user.+$
35 ^<HOST>\s+FATAL:\s*unsupported frontend protocol.+$
36 maxlines = 1
37 #ignoreregex = duration:
38 '';
39 }