hosts/plover: use fail2ban jails settings

It is nicer compared to the traditional setting with strings.

hosts/plover/default.nix

@@ -67,11 +67,10 @@ in
 
     # We're going to be unforgiving with this one since we only have key
     # authentication and password authentication is disabled anyways.
-    jails.sshd = ''
+    jails.sshd.settings = {
-      enabled = true
+      enabled = true;
-      maxretry = 1
+      maxretry = 1;
-      port = 22
+    };
-    '';
   };
 
   sops.secrets = lib.getSecrets ./secrets/secrets.yaml {

hosts/plover/modules/services/bind.nix

@@ -284,12 +284,12 @@ in
   security.dhparams.params.bind.bits = 4096;
 
   # Set up a fail2ban which is apparently already available in the package.
-  services.fail2ban.jails."named-refused" = ''
+  services.fail2ban.jails."named-refused".settings = {
-    enabled = true
+    enabled = true;
-    backend = systemd
+    backend = "systemd";
-    filter = named-refused[journalmatch='_SYSTEMD_UNIT=bind.service']
+    filter = "named-refused[journalmatch='_SYSTEMD_UNIT=bind.service']";
-    maxretry = 3
+    maxretry = 3;
-  '';
+  };
 
   # Add the following to be backed up.
   services.borgbackup.jobs.services-backup.paths = [ zonesDir ];

hosts/plover/modules/services/gitea.nix

@@ -179,12 +179,12 @@ in
   # Configuring fail2ban for this service which thankfully has a dedicated page
   # at https://docs.gitea.io/en-us/fail2ban-setup/.
   services.fail2ban.jails = {
-    gitea = ''
+    gitea.settings = {
-      enabled = true
+      enabled = true;
-      backend = systemd
+      backend = "systemd";
-      filter = gitea[journalmatch='_SYSTEMD_UNIT=gitea.service + _COMM=gitea']
+      filter = "gitea[journalmatch='_SYSTEMD_UNIT=gitea.service + _COMM=gitea']";
-      maxretry = 8
+      maxretry = 8;
-    '';
+    };
   };
 
   environment.etc = {

hosts/plover/modules/services/keycloak.nix

@@ -110,12 +110,12 @@ in
   # Configuring fail2ban for this services which is only present as a neat
   # little hint from its server administration guide.
   services.fail2ban.jails = {
-    keycloak = ''
+    keycloak.settings = {
-      enabled = true
+      enabled = true;
-      backend = systemd
+      backend = "systemd";
-      filter = keycloak[journalmatch='_SYSTEMD_UNIT=keycloak.service']
+      filter = "keycloak[journalmatch='_SYSTEMD_UNIT=keycloak.service']";
-      maxretry = 3
+      maxretry = 3;
-    '';
+    };
   };
 
   environment.etc = {

hosts/plover/modules/services/nginx.nix

@@ -36,8 +36,8 @@
 
   # Some fail2ban policies to apply for nginx.
   services.fail2ban.jails = {
-    nginx-http-auth = "enabled = true";
+    nginx-http-auth.settings = { enabled = true; };
-    nginx-botsearch = "enabled = true";
+    nginx-botsearch.settings = { enabled = true; };
-    nginx-bad-request = "enabled = true";
+    nginx-bad-request.settings = { enabled = true; };
   };
 }

hosts/plover/modules/services/vaultwarden.nix

@@ -159,19 +159,19 @@ in
   # Configuring fail2ban for this service which thankfully has a dedicated page
   # at https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup.
   services.fail2ban.jails = {
-    vaultwarden-user = ''
+    vaultwarden-user.settings = {
-      enabled = true
+      enabled = true;
-      backend = systemd
+      backend = "systemd";
-      filter = vaultwarden-user[journalmatch='_SYSTEMD_UNIT=vaultwarden.service + _COMM=vaultwarden']
+      filter = "vaultwarden-user[journalmatch='_SYSTEMD_UNIT=vaultwarden.service + _COMM=vaultwarden']";
-      maxretry = 5
+      maxretry = 5;
-    '';
+    };
 
-    vaultwarden-admin = ''
+    vaultwarden-admin.settings = {
-      enabled = true
+      enabled = true;
-      backend = systemd
+      backend = "systemd";
-      filter = vaultwarden-admin[journalmatch='_SYSTEMD_UNIT=vaultwarden.service + _COMM=vaultwarden']
+      filter = "vaultwarden-admin[journalmatch='_SYSTEMD_UNIT=vaultwarden.service + _COMM=vaultwarden']";
-      maxretry = 3
+      maxretry = 3;
-    '';
+    };
   };
 
   environment.etc = {