mermet: nebula: sourcephile.fr: adapt to new conventions
[sourcephile-nix.git] / hosts / losurdo / fail2ban.nix
index 5f237ed9a8fa3819a433087eb44afc98083d12c9..17f29e07bb7460d5e22dfaaaab5d93fccb381920 100644 (file)
@@ -1,23 +1,10 @@
 { pkgs, hosts, ... }:
 {
-  services.openssh.settings.LogLevel = "VERBOSE";
-  services.postgresql.logLinePrefix = "%h ";
-  /*
-    systemd.services.nftables.postStart = '' systemctl reload fail2ban '';
-  */
+  imports = [
+    ../../nixos/profiles/services/fail2ban.nix
+  ];
   services.fail2ban = {
     enable = true;
-    banaction = "nftables-multiport";
-    banaction-allports = "nftables-allports";
-    bantime-increment = {
-      enable = true;
-      factor = "1";
-      formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
-      maxtime = "1y";
-      overalljails = false;
-      rndtime = "";
-    };
-    packageFirewall = pkgs.nftables;
     ignoreIP = [
       #"0.0.0.0/8"
       #"10.0.0.0/8"
       };
     };
   };
-  environment.etc."fail2ban/action.d/nftables-common.local".text = ''
-    [Init]
-    blocktype = drop
-  '';
-  environment.etc."fail2ban/filter.d/postgresql.local".text = ''
-    [INCLUDES]
-    before = common.conf
-    [DEFAULT]
-    _daemon = postgresql-start
-    [Definition]
-    journalmatch = _SYSTEMD_UNIT=postgresql.service + _COMM=postgres
-    prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
-    failregex = ^<HOST>\s+FATAL:\s*no pg_hba.conf entry for host.+$
-                ^<HOST>\s+FATAL:\s*no PostgreSQL user name specified in startup packet.+$
-                ^<HOST>\s+FATAL:\s*password authentication failed for user.+$
-                ^<HOST>\s+FATAL:\s*unsupported frontend protocol.+$
-    maxlines = 1
-    #ignoreregex = duration:
-  '';
 }
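Review bot: The import on the line `../../nixos/profiles/services/fail2ban.nix` must carry over the two removed prerequisites `services.openssh.settings.LogLevel = "VERBOSE";` and `services.postgresql.logLinePrefix = "%h ";`, because the deleted postgresql filter anchors every failregex on `^<HOST>\s+FATAL:` and only matches when PostgreSQL prefixes each log line with the client host, and the sshd jail misses key-based authentication failures unless sshd logs at VERBOSE. The profile is not visible in this diff, so if those settings did not move there the jails remain enabled but silently stop matching, which is worse than a visible failure. I would document the dependency next to the import: `# Profile must set sshd LogLevel VERBOSE and postgresql logLinePrefix "%h "; the jails' filters depend on both.` The `ignoreIP` list shown here contains only commented-out entries, so it is worth confirming the profile (or the elided part of this hunk) supplies the real allow-list before banning hosts, otherwise an administrator's own address can be locked out by the escalating `bantime-increment` policy that was moved out of this file.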