From 163eabfda1ff4598bacc26d210c328f27b5ed4af Mon Sep 17 00:00:00 2001 From: Benedikt Peetz Date: Wed, 25 Dec 2024 17:12:47 +0100 Subject: refactor(system/services/fail2ban): Migrate to `by-name` Additionally, I've changed to owner of the `/var/lib/fail2ban` directory to `root:root` as the main `fail2ban` service also runs under `root` and a `fail2ban` user is never created. --- modules/by-name/fa/fail2ban/module.nix | 58 ++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 modules/by-name/fa/fail2ban/module.nix (limited to 'modules/by-name/fa/fail2ban') diff --git a/modules/by-name/fa/fail2ban/module.nix b/modules/by-name/fa/fail2ban/module.nix new file mode 100644 index 0000000..c619ef9 --- /dev/null +++ b/modules/by-name/fa/fail2ban/module.nix @@ -0,0 +1,58 @@ +{ + config, + lib, + ... +}: let + cfg = config.vhack.fail2ban; +in { + options.vhack.fail2ban = { + enable = lib.mkEnableOption "fail2ban"; + }; + + config = lib.mkIf cfg.enable { + vhack.persist.directories = [ + { + directory = "/var/lib/fail2ban"; + # TODO: Fail2ban should probably run under a dedicated `fail2ban` user. <2024-12-25> + user = "root"; + group = "root"; + mode = "0700"; + } + ]; + + services.fail2ban = { + enable = true; + maxretry = 7; # ban after 7 failures + daemonSettings = { + Definition = { + logtarget = "SYSLOG"; + socket = "/run/fail2ban/fail2ban.sock"; + pidfile = "/run/fail2ban/fail2ban.pid"; + dbfile = "/var/lib/fail2ban/db.sqlite3"; + }; + }; + bantime-increment = { + enable = true; + rndtime = "8m"; + overalljails = true; + multipliers = "2 4 16 128 256"; + maxtime = "72h"; + }; + jails = { + dovecot = '' + # block IPs which failed to log-in + # aggressive mode add blocking for aborted connections + enabled = true + filter = dovecot[mode=aggressive] + maxretry = 2 + ''; + postfix = '' + enabled = true + filter = postfix[mode=aggressive] + findtime = 600 + maxretry = 3 + ''; + }; + }; + }; +} -- cgit 1.4.1