{ pkgs, lib, config, machines, ... }:
{
# Logging prerequisites for the fail2ban jails configured further down.

# %h prefixes every PostgreSQL log line with the client host (an IP address
# as long as log_hostname stays off); the postgresql filter defined below
# appears to depend on that prefix being present.
services.postgresql.settings.log_line_prefix = "%h ";

# VERBOSE is presumably needed so the sshd jail (aggressive mode) sees the
# pre-authentication events it matches on — TODO confirm against the sshd
# filter in use.
services.openssh.logLevel = "VERBOSE";

# Disabled for now. The intent is presumably to make fail2ban re-create its
# nftables sets after the nftables unit (re)starts, because a firewall reload
# that flushes the ruleset would silently discard every active ban — confirm
# before enabling.
# systemd.services.nftables.postStart = '' systemctl reload fail2ban '';
# Brute-force protection. Bans are enforced through nftables (the firewall
# package named here), using fail2ban's nftables actions instead of the
# iptables-based defaults.
services.fail2ban = {
  enable = true;
  packageFirewall = pkgs.nftables;
  banaction = "nftables-multiport";
  banaction-allports = "nftables-allports";

  # Repeat offenders are banned for progressively longer: with factor 1 the
  # formula doubles ban.Time for every previous ban (shift capped at 20 bits)
  # and maxtime stops the growth at one year. The ban count is kept per jail
  # (overalljails = false); multipliers and rndtime are left empty, i.e. no
  # fixed multiplier table and no random jitter on the ban length.
  bantime-increment = {
    enable = true;
    factor = "1";
    formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
    maxtime = "1y";
    multipliers = "";
    overalljails = false;
    rndtime = "";
  };

  # Sources that are never banned, whichever jail they trip. Loopback and the
  # whole 192.168.0.0/16 private range are exempt; the other reserved ranges
  # were considered and left disabled. The two host names are resolved by
  # fail2ban (presumably at startup, so a DNS change is not seen until it is
  # restarted), and exempting a shared VPN exit address exempts every client
  # behind it.
  ignoreIP = [
    #"0.0.0.0/8"
    #"10.0.0.0/8"
    "127.0.0.0/8"
    #"169.254.0.0/16"
    #"172.16.0.0/12"
    #"192.0.2.0/24"
    "192.168.0.0/16"
    #"224.0.0.0/3"
    #"240.0.0.0/5"
    machines.mermet.extraArgs.ipv4
    machines.mermet.extraArgs.wireguard.wg-intra.ipv4
    "losurdo.sourcephile.fr"
    "vpn.riseup.net"
  ];

  # The empty DEFAULT section adds nothing beyond what the module generates.
  jails.DEFAULT = ''
  '';

  # One failed attempt within a day is enough for a 5-minute ban (growing
  # with bantime-increment), using the filter's most inclusive mode. A single
  # typo locks a legitimate user out, so ignoreIP above must stay current.
  jails.sshd = ''
    enabled = true
    bantime = 5m
    findtime = 1d
    maxretry = 1
    mode = aggressive
  '';

  # Uses the custom postgresql filter installed below; bans port 5432 only,
  # for 1 minute, after the default number of failures within a day
  # (maxretry is not set here, so it is inherited).
  jails.postgresql = ''
    enabled = true
    bantime = 1m
    filter = postgresql
    findtime = 1d
    port = 5432
  '';
};
# Drop rather than reject packets from banned sources. This override is
# presumably picked up by the nftables-multiport/allports actions selected
# above via nftables-common — verify with the installed fail2ban version.
# Dropping gives a scanner no response at all; it also means a wrongly banned
# client just times out instead of getting an immediate error.
environment.etc."fail2ban/action.d/nftables-common.local" = {
  text = ''
    [Init]
    blocktype = drop
  '';
};
# fail2ban filter for PostgreSQL connection rejections, read from the systemd
# journal. In journalmatch the `+` is journalctl's OR: entries from
# postgresql.service or from any process named postgres are scanned.
# `_daemon` is the program name expected in the syslog-style line prefix
# that common.conf provides — confirm it matches what the unit logs under.
# The four FATAL messages are PostgreSQL's rejections of a connection (no
# pg_hba entry, missing user name, wrong password, unsupported protocol).
#
# NOTE(review): the failregex lines carry no <HOST>/<ADDR> tag and the
# prefregex has no <F-CONTENT> group, so it is not obvious which part of the
# line supplies the address to ban; the `%h ` log_line_prefix set for
# PostgreSQL looks meant for that. Verify with `fail2ban-regex` against the
# journal that this filter matches and yields an address before relying on
# the postgresql jail.
#
# The continuation lines under failregex are indented on purpose: the INI
# parser folds indented lines into the preceding value.
environment.etc."fail2ban/filter.d/postgresql.local" = {
  text = ''
    [INCLUDES]
    before = common.conf
    [DEFAULT]
    _daemon = postgresql-start
    [Definition]
    journalmatch = _SYSTEMD_UNIT=postgresql.service + _COMM=postgres
    prefregex = ^%(__prefix_line)s.+$
    failregex = ^\s+FATAL:\s*no pg_hba.conf entry for host.+$
                ^\s+FATAL:\s*no PostgreSQL user name specified in startup packet.+$
                ^\s+FATAL:\s*password authentication failed for user.+$
                ^\s+FATAL:\s*unsupported frontend protocol.+$
    maxlines = 1
    #ignoreregex = duration:
  '';
};
}