-{ pkgs, lib, config, hosts, ... }:
+{ pkgs, hosts, ... }:
{
-services.openssh.logLevel = "VERBOSE";
-/*
-systemd.services.nftables.postStart = ''
- systemctl reload fail2ban
-'';
-*/
-services.fail2ban = {
- enable = true;
- banaction = "nftables-multiport";
- banaction-allports = "nftables-allports";
- bantime-increment = {
- enable = true;
- factor = "1";
- formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
- maxtime = "1y";
- multipliers = "";
- overalljails = false;
- rndtime = "";
- };
- packageFirewall = pkgs.nftables;
- ignoreIP = [
- hosts.mermet.extraArgs.ipv4
- hosts.losurdo.extraArgs.wireguard.wg-intra.ipv4
- "losurdo.sourcephile.fr"
- "vpn.riseup.net"
- ];
- jails = {
- DEFAULT = ''
+ services.openssh.logLevel = "VERBOSE";
+ /*
+ systemd.services.nftables.postStart = ''
+ systemctl reload fail2ban
'';
- sshd = ''
- enabled = true
- bantime = 5m
- findtime = 1d
- maxretry = 1
- mode = aggressive
- '';
- postfix = ''
- enabled = true
- bantime = 5m
- findtime = 1d
- mode = aggressive
+ */
+ services.fail2ban = {
+ enable = true;
+ banaction = "nftables-multiport";
+ banaction-allports = "nftables-allports";
+ bantime-increment = {
+ enable = true;
+ factor = "1";
+ formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
+ maxtime = "1y";
+ multipliers = "";
+ overalljails = false;
+ rndtime = "";
+ };
+ packageFirewall = pkgs.nftables;
+ ignoreIP = [
+ hosts.mermet._module.args.ipv4
+ "losurdo.sourcephile.fr"
+ ];
+ jails = {
+ DEFAULT = ''
'';
+ sshd = ''
+ enabled = true
+ bantime = 5m
+ findtime = 1d
+ maxretry = 1
+ mode = aggressive
+ '';
+ postfix = ''
+ enabled = true
+ bantime = 5m
+ findtime = 1d
+ mode = aggressive
+ '';
+ };
};
-};
-environment.etc."fail2ban/action.d/nftables-common.local".text = ''
- [Init]
- blocktype = drop
-'';
+ environment.etc."fail2ban/action.d/nftables-common.local".text = ''
+ [Init]
+ blocktype = drop
+ '';
}
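Review bot: The new `ignoreIP` list keeps the hostname `"losurdo.sourcephile.fr"` but drops losurdo's WireGuard address, so the only exemption left for that host depends on a DNS lookup. fail2ban resolves names in its ignore list, so whoever can change or spoof that record is exempt from every jail, and a failed lookup leaves losurdo unexempted. With `maxretry = 1` in the sshd jail and `bantime-increment` growing bans up to `maxtime = "1y"`, a single failed login from losurdo could lead to a long lockout if its traffic arrives from the wg-intra address (inferred from the removed line). I would pin an address from `hosts`, as the mermet entry does, or at least add a comment such as `# DNS name: exemption follows whatever this record resolves to`.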