From 163eabfda1ff4598bacc26d210c328f27b5ed4af Mon Sep 17 00:00:00 2001 From: Benedikt Peetz Date: Wed, 25 Dec 2024 17:12:47 +0100 Subject: refactor(system/services/fail2ban): Migrate to `by-name` Additionally, I've changed to owner of the `/var/lib/fail2ban` directory to `root:root` as the main `fail2ban` service also runs under `root` and a `fail2ban` user is never created. --- modules/by-name/fa/fail2ban/module.nix | 58 ++++++++++++++++++++++++++++++++++ system/services/default.nix | 1 - system/services/fail2ban/default.nix | 45 -------------------------- 3 files changed, 58 insertions(+), 46 deletions(-) create mode 100644 modules/by-name/fa/fail2ban/module.nix delete mode 100644 system/services/fail2ban/default.nix diff --git a/modules/by-name/fa/fail2ban/module.nix b/modules/by-name/fa/fail2ban/module.nix new file mode 100644 index 0000000..c619ef9 --- /dev/null +++ b/modules/by-name/fa/fail2ban/module.nix @@ -0,0 +1,58 @@ +{ + config, + lib, + ... +}: let + cfg = config.vhack.fail2ban; +in { + options.vhack.fail2ban = { + enable = lib.mkEnableOption "fail2ban"; + }; + + config = lib.mkIf cfg.enable { + vhack.persist.directories = [ + { + directory = "/var/lib/fail2ban"; + # TODO: Fail2ban should probably run under a dedicated `fail2ban` user. <2024-12-25> + user = "root"; + group = "root"; + mode = "0700"; + } + ]; + + services.fail2ban = { + enable = true; + maxretry = 7; # ban after 7 failures + daemonSettings = { + Definition = { + logtarget = "SYSLOG"; + socket = "/run/fail2ban/fail2ban.sock"; + pidfile = "/run/fail2ban/fail2ban.pid"; + dbfile = "/var/lib/fail2ban/db.sqlite3"; + }; + }; + bantime-increment = { + enable = true; + rndtime = "8m"; + overalljails = true; + multipliers = "2 4 16 128 256"; + maxtime = "72h"; + }; + jails = { + dovecot = '' + # block IPs which failed to log-in + # aggressive mode add blocking for aborted connections + enabled = true + filter = dovecot[mode=aggressive] + maxretry = 2 + ''; + postfix = '' + enabled = true + filter = postfix[mode=aggressive] + findtime = 600 + maxretry = 3 + ''; + }; + }; + }; +} diff --git a/system/services/default.nix b/system/services/default.nix index fc3ccb3..db7ca4f 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -1,6 +1,5 @@ {...}: { imports = [ - ./fail2ban ./invidious ./invidious-router ./mail diff --git a/system/services/fail2ban/default.nix b/system/services/fail2ban/default.nix deleted file mode 100644 index 1c47568..0000000 --- a/system/services/fail2ban/default.nix +++ /dev/null @@ -1,45 +0,0 @@ -{...}: { - vhack.persist.directories = [ - { - directory = "/var/lib/fail2ban"; - user = "fail2ban"; - group = "fail2ban"; - mode = "0700"; - } - ]; - - services.fail2ban = { - enable = true; - maxretry = 7; # ban after 7 failures - daemonSettings = { - Definition = { - logtarget = "SYSLOG"; - socket = "/run/fail2ban/fail2ban.sock"; - pidfile = "/run/fail2ban/fail2ban.pid"; - dbfile = "/var/lib/fail2ban/db.sqlite3"; - }; - }; - bantime-increment = { - enable = true; - rndtime = "8m"; - overalljails = true; - multipliers = "2 4 16 128 256"; - maxtime = "72h"; - }; - jails = { - dovecot = '' - # block IPs which failed to log-in - # aggressive mode add blocking for aborted connections - enabled = true - filter = dovecot[mode=aggressive] - maxretry = 2 - ''; - postfix = '' - enabled = true - filter = postfix[mode=aggressive] - findtime = 600 - maxretry = 3 - ''; - }; - }; -} -- cgit 1.4.1