Add given password for hosts/mermet/knot/autogeree.net/lebureau.conf to store.
[sourcephile-nix.git] / hosts / mermet / fail2ban.nix
index a822c78ad0e80168280d67d9fbb23d7a9780cba7..e99c30733fb2360715e0b9f4e5650e3d6ea347db 100644 (file)
@@ -1,50 +1,37 @@
-{ pkgs, lib, config, hosts, ... }:
+{ hosts, ... }:
 {
-services.openssh.logLevel = "VERBOSE";
-/*
-systemd.services.nftables.postStart = ''
-  systemctl reload fail2ban
-'';
-*/
-services.fail2ban = {
-  enable = true;
-  banaction = "nftables-multiport";
-  banaction-allports = "nftables-allports";
-  bantime-increment = {
-    enable = true;
-    factor = "1";
-    formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
-    maxtime = "1y";
-    multipliers = "";
-    overalljails = false;
-    rndtime = "";
-  };
-  packageFirewall = pkgs.nftables;
-  ignoreIP = [
-    hosts.mermet.extraArgs.ipv4
-    "losurdo.sourcephile.fr"
-    "vpn.riseup.net"
+  imports = [
+    ../../nixos/profiles/services/fail2ban.nix
   ];
-  jails = {
-    DEFAULT = ''
-    '';
-    sshd = ''
-      enabled = true
-      bantime = 5m
-      findtime = 1d
-      maxretry = 1
-      mode = aggressive
-    '';
-    postfix = ''
-      enabled = true
-      bantime = 5m
-      findtime = 1d
-      mode = aggressive
-    '';
+  services.fail2ban = {
+    enable = true;
+    ignoreIP = [
+      hosts.mermet._module.args.ipv4
+      "losurdo.sourcephile.fr"
+    ];
+    jails = {
+      sshd.settings = {
+        enabled = true;
+        bantime = "5m";
+        findtime = "1d";
+        maxretry = "1";
+        mode = "aggressive";
+      };
+      postfix.settings = {
+        enabled = true;
+        bantime = "5m";
+        filter = "postfix";
+        findtime = "10d";
+        mode = "aggressive";
+        port = 465;
+      };
+      postgresql.settings = {
+        enabled = true;
+        bantime = "5m";
+        filter = "postgresql";
+        findtime = "1d";
+        port = 5432;
+      };
+    };
   };
-};
-environment.etc."fail2ban/action.d/nftables-common.local".text = ''
-  [Init]
-  blocktype = drop
-'';
 }
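Review bot: The new `port = 465;` in `postfix.settings` limits the jail to one port, whereas the old jail set no port and the postfix filter in `mode = "aggressive"` matches failures regardless of which Postfix listener logged them. If the imported profile keeps a multiport ban action (the removed code used `nftables-multiport`), a banned address would presumably be blocked on 465 only and stay free to retry on SMTP (25) and submission (587). I would list every exposed mail port, e.g. `port = "smtp,465,submission";`. Separately, this hunk removes `services.openssh.logLevel = "VERBOSE";` and the `blocktype = drop` override, so it is worth confirming that `../../nixos/profiles/services/fail2ban.nix`, which is not visible here, still carries them.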