From 21cbed0f918bb97e38de7a6a924a2abca515c53d Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm@sourcephile.fr>
Date: Thu, 25 Jun 2020 00:46:50 +0200
Subject: [PATCH] fail2ban: enable on mermet too

---
 servers/mermet.nix          |  1 +
 servers/mermet/fail2ban.nix | 45 +++++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 servers/mermet/fail2ban.nix

diff --git a/servers/mermet.nix b/servers/mermet.nix
index 8972da9..6de70e7 100644
--- a/servers/mermet.nix
+++ b/servers/mermet.nix
@@ -18,6 +18,7 @@ let
       mermet/acme.nix
       mermet/debug.nix
       mermet/dovecot.nix
+      mermet/fail2ban.nix
       mermet/fileSystems.nix
       mermet/gitolite.nix
       mermet/hardware.nix
diff --git a/servers/mermet/fail2ban.nix b/servers/mermet/fail2ban.nix
new file mode 100644
index 0000000..4b4ece2
--- /dev/null
+++ b/servers/mermet/fail2ban.nix
@@ -0,0 +1,45 @@
+{ pkgs, lib, config, servers, ... }:
+{
+services.sshd.logLevel = "VERBOSE";
+services.fail2ban = {
+  enable = true;
+  banaction = "nftables-multiport";
+  banaction-allports = "nftables-allports";
+  bantime-increment = {
+    enable = true;
+    factor = "1";
+    formula = "ban.Time * (1 << min(ban.Count, 20)) * banFactor";
+    maxtime = "1y";
+    multipliers = "";
+    overalljails = false;
+    rndtime = "";
+  };
+  packageFirewall = pkgs.nftables;
+  ignoreIP = [
+    servers.mermet.ipv4
+    servers.losurdo.ipv4
+    "198.252.154.1" # wren.riseup.net
+  ];
+  jails = {
+    DEFAULT = ''
+    '';
+    sshd = ''
+      enabled = true
+      bantime = 5m
+      findtime = 5d
+      maxretry = 1
+      mode = aggressive
+    '';
+    postfix = ''
+      enabled = true
+      bantime = 5m
+      findtime = 5d
+      mode = aggressive
+    '';
+  };
+};
+environment.etc."fail2ban/action.d/nftables-common.local".text = ''
+  [Init]
+  blocktype = drop
+'';
+}
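Review bot: The sshd jail's `maxretry = 1`, together with `mode = aggressive`, VERBOSE sshd logging and a ban that grows exponentially up to `maxtime = "1y"`, means one mistyped password or one rejected key is enough to lock a source out, and `ignoreIP` lists only the two servers and wren, not an administrator's own address. With VERBOSE logging sshd records each offered-but-rejected public key, so a client whose agent holds several keys can plausibly emit a failure line before the accepted one; whether the installed sshd filter forgives that on the later "Accepted" line should be confirmed before relying on a budget of one. A less fragile setting is `maxretry = 3`, or keep 1 and add the administration network to `ignoreIP`. Unless this tree defines it as an alias, NixOS exposes the daemon log level as `services.openssh.logLevel`, so `services.sshd.logLevel` on the first line of the file should be checked against the module options. The `formula` is written with `min(...)` rather than fail2ban's stock conditional expression; it appears equivalent in value, but a comment such as `# same as the stock formula, written with min()` would stop a reader assuming it was tuned.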
-- 
2.47.2