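{ pkgs, lib, config, hosts, ... }:
{
  # fail2ban's sshd filter in `mode = aggressive` (see the sshd jail below)
  # relies on pre-auth events that sshd only logs at VERBOSE.
  services.openssh.logLevel = "VERBOSE";

  # Prefix every PostgreSQL log line with the client address (%h) so the
  # postgresql filter below has a <HOST> to hand to fail2ban.
  services.postgresql.logLinePrefix = "%h ";

  /*
  NOTE(review): left disabled as in the original. If nftables.service is
  reloaded with a ruleset flush, fail2ban's own nftables table would go with
  it and existing bans would silently stop applying until fail2ban reloads —
  confirm this is handled elsewhere before relying on bans surviving a rebuild.
  systemd.services.nftables.postStart = ''
    systemctl reload fail2ban
  '';
  */

  services.fail2ban = {
    enable = true;

    # Ban through nftables rather than iptables.
    packageFirewall = pkgs.nftables;
    banaction = "nftables-multiport";
    banaction-allports = "nftables-allports";

    # Escalating bans for repeat offenders: each new ban is the jail's bantime
    # shifted by the number of previous bans (capped at 2^20), never above 1y.
    # Counts are kept per jail (overalljails = false) and not randomised.
    bantime-increment = {
      enable = true;
      factor = "1";
      formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
      maxtime = "1y";
      multipliers = "";
      overalljails = false;
      rndtime = "";
    };

    # Sources that are never banned. The two hostnames are resolved by fail2ban,
    # so those entries are only as trustworthy as the DNS answer it receives.
    ignoreIP = [
      #"0.0.0.0/8"
      #"10.0.0.0/8"
      "127.0.0.0/8"
      #"169.254.0.0/16"
      #"172.16.0.0/12"
      #"192.0.2.0/24"
      "192.168.0.0/16"
      #"224.0.0.0/3"
      #"240.0.0.0/5"
      hosts.mermet.extraArgs.ipv4
      hosts.mermet.extraArgs.wireguard.wg-intra.ipv4
      "losurdo.sourcephile.fr"
      "vpn.riseup.net"
    ];

    jails = {
      DEFAULT = ''
      '';

      # A single failure (maxretry = 1) earns a first 5m ban; with
      # bantime-increment enabled, repeat offenders climb towards the 1y cap.
      # Admin sources must therefore be listed in ignoreIP above.
      sshd = ''
        enabled = true
        bantime = 5m
        findtime = 1d
        maxretry = 1
        mode = aggressive
      '';

      # Uses the custom filter installed in filter.d/postgresql.local below.
      # maxretry is not set here, so fail2ban's DEFAULT applies.
      postgresql = ''
        enabled = true
        bantime = 1m
        filter = postgresql
        findtime = 1d
        port = 5432
      '';
    };
  };

  # Silently drop traffic from banned peers instead of rejecting it.
  environment.etc."fail2ban/action.d/nftables-common.local".text = ''
    [Init]
    blocktype = drop
  '';

  # Journal-based filter for the postgresql jail.
  #
  # prefregex strips the journal/syslog prefix and forwards only the part
  # wrapped in <F-CONTENT> to failregex; without that group fail2ban matches
  # failregex against the whole line and a pattern anchored at `^\s+FATAL`
  # can never match.
  #
  # Each failregex needs a <HOST> (or other failure-id) group, otherwise
  # fail2ban has nothing to ban; <HOST> captures the address written by the
  # `%h ` logLinePrefix above. For Unix-socket clients %h is not an address
  # (presumably `[local]`), so those failures never match — confirm on the
  # actual journal output.
  environment.etc."fail2ban/filter.d/postgresql.local".text = ''
    [INCLUDES]
    before = common.conf

    [DEFAULT]
    _daemon = postgresql-start

    [Definition]
    journalmatch = _SYSTEMD_UNIT=postgresql.service + _COMM=postgres
    prefregex = ^%(__prefix_line)s<F-CONTENT>.+</F-CONTENT>$
    failregex = ^\s*<HOST>\s+FATAL:\s*no pg_hba.conf entry for host.+$
                ^\s*<HOST>\s+FATAL:\s*no PostgreSQL user name specified in startup packet.+$
                ^\s*<HOST>\s+FATAL:\s*password authentication failed for user.+$
                ^\s*<HOST>\s+FATAL:\s*unsupported frontend protocol.+$
    maxlines = 1
    #ignoreregex = duration:
  '';
}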