-{ pkgs, hosts, ... }:
+{ hosts, ... }:
{
- services.openssh.logLevel = "VERBOSE";
- /*
- systemd.services.nftables.postStart = ''
- systemctl reload fail2ban
- '';
- */
+ imports = [
+ ../../nixos/profiles/services/fail2ban.nix
+ ];
services.fail2ban = {
enable = true;
- banaction = "nftables-multiport";
- banaction-allports = "nftables-allports";
- bantime-increment = {
- enable = true;
- factor = "1";
- formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
- maxtime = "1y";
- multipliers = "";
- overalljails = false;
- rndtime = "";
- };
- packageFirewall = pkgs.nftables;
ignoreIP = [
hosts.mermet._module.args.ipv4
"losurdo.sourcephile.fr"
];
jails = {
- DEFAULT = ''
- '';
- sshd = ''
- enabled = true
- bantime = 5m
- findtime = 1d
- maxretry = 1
- mode = aggressive
- '';
- postfix = ''
- enabled = true
- bantime = 5m
- findtime = 1d
- mode = aggressive
- '';
+ sshd.settings = {
+ enabled = true;
+ bantime = "5m";
+ findtime = "1d";
+ maxretry = "1";
+ mode = "aggressive";
+ };
+ postfix.settings = {
+ enabled = true;
+ bantime = "5m";
+ filter = "postfix";
+ findtime = "10d";
+ mode = "aggressive";
+ port = 465;
+ };
+ postgresql.settings = {
+ enabled = true;
+ bantime = "5m";
+ filter = "postgresql";
+ findtime = "1d";
+ port = 5432;
+ };
};
};
- environment.etc."fail2ban/action.d/nftables-common.local".text = ''
- [Init]
- blocktype = drop
- '';
}
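Review bot: `services.openssh.logLevel = "VERBOSE"` is dropped while the sshd jail keeps `mode = "aggressive"`; several of the aggressive-mode sshd filter patterns match messages that sshd only logs at VERBOSE, so unless the newly imported `../../nixos/profiles/services/fail2ban.nix` sets that option the jail silently covers fewer failure types than before. The new `postgresql` jail also depends on a `postgresql` filter that is not part of fail2ban's stock filter.d as far as I can tell; if the profile does not ship it (with a `journalmatch`, since NixOS defaults to the systemd backend), fail2ban will refuse to start that jail, so a one-line comment such as `# filter "postgresql" and openssh VERBOSE logging are provided by profiles/services/fail2ban.nix` would make the coupling explicit. Worth confirming that the postfix jail restricting `port = 465` (no 25/587) and the `findtime` change from 1d to 10d are intended rather than incidental.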