From 8c08db2eb2069e5bfafe9ea8df2d0111cfaec274 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Fri, 14 Jul 2023 14:41:58 +0800
Subject: [PATCH] hosts/plover: use fail2ban jails settings

It is nicer compared to the traditional setting with strings.
---
 hosts/plover/default.nix | 9 ++++---
 hosts/plover/modules/services/bind.nix | 12 +++++-----
 hosts/plover/modules/services/gitea.nix | 12 +++++-----
 hosts/plover/modules/services/keycloak.nix | 12 +++++-----
 hosts/plover/modules/services/nginx.nix | 6 ++---
 hosts/plover/modules/services/vaultwarden.nix | 24 +++++++++----------
 6 files changed, 37 insertions(+), 38 deletions(-)

diff --git a/hosts/plover/default.nix b/hosts/plover/default.nix
index a20b6971..e3622504 100644
--- a/hosts/plover/default.nix
+++ b/hosts/plover/default.nix
@@ -67,11 +67,10 @@ in
 # We're going to be unforgiving with this one since we only have key
 # authentication and password authentication is disabled anyways.
- jails.sshd = ''
- enabled = true
- maxretry = 1
- port = 22
- '';
+ jails.sshd.settings = {
+ enabled = true;
+ maxretry = 1;
+ };
 };
 sops.secrets = lib.getSecrets ./secrets/secrets.yaml {
diff --git a/hosts/plover/modules/services/bind.nix b/hosts/plover/modules/services/bind.nix
index b34a47a8..580e62b5 100644
--- a/hosts/plover/modules/services/bind.nix
+++ b/hosts/plover/modules/services/bind.nix
@@ -284,12 +284,12 @@ in
 security.dhparams.params.bind.bits = 4096;
 # Set up a fail2ban which is apparently already available in the package.
- services.fail2ban.jails."named-refused" = ''
- enabled = true
- backend = systemd
- filter = named-refused[journalmatch='_SYSTEMD_UNIT=bind.service']
- maxretry = 3
- '';
+ services.fail2ban.jails."named-refused".settings = {
+ enabled = true;
+ backend = "systemd";
+ filter = "named-refused[journalmatch='_SYSTEMD_UNIT=bind.service']";
+ maxretry = 3;
+ };
 # Add the following to be backed up.
 services.borgbackup.jobs.services-backup.paths = [ zonesDir ];
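Review bot: The rewritten `jails.sshd.settings` in hosts/plover/default.nix drops the explicit `port = 22` that the removed string carried, so the jail's ban action now depends on whatever `port` it inherits — fail2ban's stock `sshd` default, or a default the NixOS fail2ban module may derive from `services.openssh.ports`, depending on the module version in use. That is only equivalent if sshd on this host actually listens on 22; on a non-standard port the offending source would be blocked on the wrong port while the jail still reports bans. Either re-add `port = 22;` (or the real port) to the settings set, or record the reliance on the module default with a comment such as `# port is left to the NixOS module default (derived from services.openssh.ports)` once that is confirmed. The enclosing `services.fail2ban` attribute set opens above this hunk; only its closing `};` is visible.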
diff --git a/hosts/plover/modules/services/gitea.nix b/hosts/plover/modules/services/gitea.nix
index 69b9ab90..9acc9b87 100644
--- a/hosts/plover/modules/services/gitea.nix
+++ b/hosts/plover/modules/services/gitea.nix
@@ -179,12 +179,12 @@ in
 # Configuring fail2ban for this service which thankfully has a dedicated page
 # at https://docs.gitea.io/en-us/fail2ban-setup/.
 services.fail2ban.jails = {
- gitea = ''
- enabled = true
- backend = systemd
- filter = gitea[journalmatch='_SYSTEMD_UNIT=gitea.service + _COMM=gitea']
- maxretry = 8
- '';
+ gitea.settings = {
+ enabled = true;
+ backend = "systemd";
+ filter = "gitea[journalmatch='_SYSTEMD_UNIT=gitea.service + _COMM=gitea']";
+ maxretry = 8;
+ };
 };
 environment.etc = {
diff --git a/hosts/plover/modules/services/keycloak.nix b/hosts/plover/modules/services/keycloak.nix
index 13e285ee..7304c3fa 100644
--- a/hosts/plover/modules/services/keycloak.nix
+++ b/hosts/plover/modules/services/keycloak.nix
@@ -110,12 +110,12 @@ in
 # Configuring fail2ban for this services which is only present as a neat
 # little hint from its server administration guide.
 services.fail2ban.jails = {
- keycloak = ''
- enabled = true
- backend = systemd
- filter = keycloak[journalmatch='_SYSTEMD_UNIT=keycloak.service']
- maxretry = 3
- '';
+ keycloak.settings = {
+ enabled = true;
+ backend = "systemd";
+ filter = "keycloak[journalmatch='_SYSTEMD_UNIT=keycloak.service']";
+ maxretry = 3;
+ };
 };
 environment.etc = {
diff --git a/hosts/plover/modules/services/nginx.nix b/hosts/plover/modules/services/nginx.nix
index 7a950208..1ed40f2f 100644
--- a/hosts/plover/modules/services/nginx.nix
+++ b/hosts/plover/modules/services/nginx.nix
@@ -36,8 +36,8 @@
 # Some fail2ban policies to apply for nginx.
 services.fail2ban.jails = {
- nginx-http-auth = "enabled = true";
- nginx-botsearch = "enabled = true";
- nginx-bad-request = "enabled = true";
+ nginx-http-auth.settings = { enabled = true; };
+ nginx-botsearch.settings = { enabled = true; };
+ nginx-bad-request.settings = { enabled = true; };
 };
 }
diff --git a/hosts/plover/modules/services/vaultwarden.nix b/hosts/plover/modules/services/vaultwarden.nix
index 56284033..7473198a 100644
--- a/hosts/plover/modules/services/vaultwarden.nix
+++ b/hosts/plover/modules/services/vaultwarden.nix
@@ -159,19 +159,19 @@ in
 # Configuring fail2ban for this service which thankfully has a dedicated page
 # at https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup.
 services.fail2ban.jails = {
- vaultwarden-user = ''
- enabled = true
- backend = systemd
- filter = vaultwarden-user[journalmatch='_SYSTEMD_UNIT=vaultwarden.service + _COMM=vaultwarden']
- maxretry = 5
- '';
+ vaultwarden-user.settings = {
+ enabled = true;
+ backend = "systemd";
+ filter = "vaultwarden-user[journalmatch='_SYSTEMD_UNIT=vaultwarden.service + _COMM=vaultwarden']";
+ maxretry = 5;
+ };
- vaultwarden-admin = ''
- enabled = true
- backend = systemd
- filter = vaultwarden-admin[journalmatch='_SYSTEMD_UNIT=vaultwarden.service + _COMM=vaultwarden']
- maxretry = 3
- '';
+ vaultwarden-admin.settings = {
+ enabled = true;
+ backend = "systemd";
+ filter = "vaultwarden-admin[journalmatch='_SYSTEMD_UNIT=vaultwarden.service + _COMM=vaultwarden']";
+ maxretry = 3;
+ };
 };
 environment.etc = {
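Review bot: The three `nginx-*` jails in hosts/plover/modules/services/nginx.nix set only `enabled = true`, so unlike every other jail in this patch they do not pin a `backend` and fall back to the stock jail definitions' file-based `logpath` for the nginx error and access logs. That is fine only if this host's nginx writes those logs to the locations the stock jails expect; if it logs to the journal or a custom path instead, these jails would enable cleanly yet never match anything, which is hard to notice. Worth confirming against the nginx logging configuration above this hunk (the enclosing module starts outside it), and either recording the assumption with a comment like `# Relies on the stock jail logpath; nginx must keep writing file logs there` or pinning `backend`/`logpath` explicitly the way the systemd-backed jails do. The default.nix, bind.nix, gitea.nix, keycloak.nix and vaultwarden.nix hunks do not share this issue since each sets its backend.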