2023-12-11 08:30:00 +00:00
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
|
|
|
|
let
|
|
|
|
hostCfg = config.hosts.plover;
|
|
|
|
cfg = hostCfg.services.fail2ban;
|
|
|
|
|
|
|
|
inherit (import ../hardware/networks.nix) interfaces;
|
|
|
|
in
|
|
|
|
{
|
2023-12-15 05:27:12 +00:00
|
|
|
options.hosts.plover.services.fail2ban.enable =
|
|
|
|
lib.mkEnableOption "fail2ban monitoring";
|
2023-12-11 08:30:00 +00:00
|
|
|
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
|
|
services.fail2ban = {
|
|
|
|
enable = true;
|
2024-01-22 04:24:53 +00:00
|
|
|
bantime-increment = {
|
|
|
|
enable = true;
|
|
|
|
factor = "4";
|
|
|
|
maxtime = "24h";
|
|
|
|
overalljails = true;
|
|
|
|
};
|
|
|
|
extraPackages = with pkgs; [ ipset ];
|
2024-09-20 10:34:58 +00:00
|
|
|
ignoreIP = [ "10.0.0.0/8" ];
|
2023-12-11 08:30:00 +00:00
|
|
|
|
|
|
|
# We're going to be unforgiving with this one since we only have key
|
|
|
|
# authentication and password authentication is disabled anyways.
|
|
|
|
jails.sshd.settings = {
|
|
|
|
enabled = true;
|
|
|
|
maxretry = 1;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|