author | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-12-24 17:59:52 +0100 |
committer | Benedikt Peetz <benedikt.peetz@b-peetz.de> | 2024-12-24 17:59:52 +0100 |
commit | 8245579c8af73c8f40f5978878c7944c814ba04f (patch) | |
tree | 006caa951e345f481be3b91b85bcfda1061956d9 /modules/by-name/fa/fail2ban/module.nix | |
parent | refactor(modules/impermanence): Migrate to by-name while distributing mods (diff) | |
[WIP]
Diffstat (limited to 'modules/by-name/fa/fail2ban/module.nix')
-rw-r--r-- | modules/by-name/fa/fail2ban/module.nix | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/modules/by-name/fa/fail2ban/module.nix b/modules/by-name/fa/fail2ban/module.nix
new file mode 100644
index 0000000..a95e267
--- /dev/null
+++ b/modules/by-name/fa/fail2ban/module.nix
@@ -0,0 +1,57 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.vhack.fail2ban;
+in {
+ options.vhack.fail2ban = {
+ enable = lib.mkEnableOption "fail2ban";
+ };
+
+ config = lib.mkIf cfg.enable {
+ vhack.persist.directories = [
+ {
+ directory = "/var/lib/fail2ban";
+ user = "fail2ban";
+ group = "fail2ban";
+ mode = "0700";
+ }
+ ];
+
+ services.fail2ban = {
+ enable = true;
+ maxretry = 7; # ban after 7 failures
+ daemonSettings = {
+ Definition = {
+ logtarget = "SYSLOG";
+ socket = "/run/fail2ban/fail2ban.sock";
+ pidfile = "/run/fail2ban/fail2ban.pid";
+ dbfile = "/var/lib/fail2ban/db.sqlite3";
+ };
+ };
+ bantime-increment = {
+ enable = true;
+ rndtime = "8m";
+ overalljails = true;
+ multipliers = "2 4 16 128 256";
+ maxtime = "72h";
+ };
+ jails = {
+ dovecot = ''
+ # block IPs which failed to log-in
+ # aggressive mode add blocking for aborted connections
+ enabled = true
+ filter = dovecot[mode=aggressive]
+ maxretry = 2
+ '';
+ postfix = ''
+ enabled = true
+ filter = postfix[mode=aggressive]
+ findtime = 600
+ maxretry = 3
+ '';
+ };
+ };
+ };
+} |
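Review bot: No `ignoreIP` allow-list is configured, so with the `dovecot` jail at `maxretry = 2` in aggressive mode (which also counts aborted connections, per the jail's own comment) a single flaky session from an administrator's host can trigger a ban that `bantime-increment` then escalates toward the 72h `maxtime`, with no way back in short of console access. Add the trusted management ranges next to `enable = true;` in `services.fail2ban`, e.g. `ignoreIP = [ "<TRUSTED-MGMT-CIDR>" ];` (placeholder), and keep that list as narrow as possible. The top-level comment `maxretry = 7; # ban after 7 failures` is misleading because both jails below override it; I would reword it to `# default for jails that do not set their own maxretry (both jails below override it)`. The persist entry sets `user = "fail2ban"; group = "fail2ban";` — I don't believe the NixOS fail2ban service creates such a user (the daemon appears to run as root), so please confirm the owner resolves on the target host or the persisted directory will be created with a nonexistent owner; the commit is marked WIP, so this may be intended for follow-up.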