losurdo: openvpn: riseup: update remotes
[sourcephile-nix.git] / hosts / losurdo / fail2ban.nix
index 15680066ffb279cc9064e7c2f7e7c58188fe08ab..17f29e07bb7460d5e22dfaaaab5d93fccb381920 100644 (file)
@@ -1,73 +1,38 @@
-{ pkgs, lib, config, hosts, ... }:
+{ pkgs, hosts, ... }:
 {
-services.openssh.logLevel = "VERBOSE";
-services.postgresql.logLinePrefix = "%h ";
-/*
-systemd.services.nftables.postStart = '' systemctl reload fail2ban '';
-*/
-services.fail2ban = {
-  enable = true;
-  banaction = "nftables-multiport";
-  banaction-allports = "nftables-allports";
-  bantime-increment = {
-    enable = true;
-    factor = "1";
-    formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
-    maxtime = "1y";
-    multipliers = "";
-    overalljails = false;
-    rndtime = "";
-  };
-  packageFirewall = pkgs.nftables;
-  ignoreIP = [
-    #"0.0.0.0/8"
-    #"10.0.0.0/8"
-    "127.0.0.0/8"
-    #"169.254.0.0/16"
-    #"172.16.0.0/12"
-    #"192.0.2.0/24"
-    "192.168.0.0/16"
-    #"224.0.0.0/3"
-    #"240.0.0.0/5"
-    hosts.mermet._module.args.ipv4
-    "losurdo.sourcephile.fr"
+  imports = [
+    ../../nixos/profiles/services/fail2ban.nix
   ];
-  jails = {
-    DEFAULT = ''
-    '';
-    sshd = ''
-      enabled = true
-      bantime = 5m
-      findtime = 1d
-      maxretry = 1
-      mode = aggressive
-    '';
-    postgresql = ''
-      enabled = true
-      bantime = 1m
-      filter = postgresql
-      findtime = 1d
-      port = 5432
-    '';
+  services.fail2ban = {
+    enable = true;
+    ignoreIP = [
+      #"0.0.0.0/8"
+      #"10.0.0.0/8"
+      "127.0.0.0/8"
+      #"169.254.0.0/16"
+      #"172.16.0.0/12"
+      #"192.0.2.0/24"
+      "192.168.0.0/16"
+      #"224.0.0.0/3"
+      #"240.0.0.0/5"
+      hosts.mermet._module.args.ipv4
+      "losurdo.sourcephile.fr"
+    ];
+    jails = {
+      sshd.settings = {
+        enabled = true;
+        bantime = "5m";
+        findtime = "1d";
+        maxretry = "1";
+        mode = "aggressive";
+      };
+      postgresql.settings = {
+        enabled = true;
+        bantime = "1m";
+        filter = "postgresql";
+        findtime = "1d";
+        port = 5432;
+      };
+    };
   };
-};
-environment.etc."fail2ban/action.d/nftables-common.local".text = ''
-  [Init]
-  blocktype = drop
-'';
-environment.etc."fail2ban/filter.d/postgresql.local".text = ''
-  [INCLUDES]
-  before = common.conf
-  [DEFAULT]
-  _daemon = postgresql-start
-  [Definition]
-  journalmatch = _SYSTEMD_UNIT=postgresql.service + _COMM=postgres
-  prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
-  failregex = ^<HOST>\s+FATAL:\s*no pg_hba.conf entry for host.+$
-              ^<HOST>\s+FATAL:\s*no PostgreSQL user name specified in startup packet.+$
-              ^<HOST>\s+FATAL:\s*password authentication failed for user.+$
-              ^<HOST>\s+FATAL:\s*unsupported frontend protocol.+$
-  maxlines = 1
-  #ignoreregex = duration:
-'';
 }
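Review bot: The new-side jails at `sshd.settings` and `postgresql.settings` keep `mode = "aggressive"` and `filter = "postgresql"`, but the settings they relied on — `services.openssh.logLevel = "VERBOSE"`, `services.postgresql.logLinePrefix = "%h "`, the `filter.d/postgresql.local` definition whose failregex expects `<HOST>` at line start, and the `nftables-common.local` drop action — are only removed in this hunk and not re-added here. Presumably `../../nixos/profiles/services/fail2ban.nix` now carries them, but nothing on this page shows it; if it does not, the postgresql jail has no filter to load and the sshd aggressive regexes see too little of the auth log, so the bans silently stop happening. A comment on the import would make the dependency explicit, e.g. `# Provides the postgresql filter, the nftables drop action and the sshd/postgresql log settings the jails below depend on` — worth confirming against the profile before merging. Separately, `maxretry = "1"` is a string while `port = 5432` is an integer in the same settings blocks; both are accepted, but `maxretry = 1;` keeps the numeric options consistent.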