From 163eabfda1ff4598bacc26d210c328f27b5ed4af Mon Sep 17 00:00:00 2001 From: Benedikt Peetz Date: Wed, 25 Dec 2024 17:12:47 +0100 Subject: refactor(system/services/fail2ban): Migrate to `by-name` Additionally, I've changed to owner of the `/var/lib/fail2ban` directory to `root:root` as the main `fail2ban` service also runs under `root` and a `fail2ban` user is never created. --- system/services/default.nix | 1 - system/services/fail2ban/default.nix | 45 ------------------------------------ 2 files changed, 46 deletions(-) delete mode 100644 system/services/fail2ban/default.nix (limited to 'system/services') diff --git a/system/services/default.nix b/system/services/default.nix index fc3ccb3..db7ca4f 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -1,6 +1,5 @@ {...}: { imports = [ - ./fail2ban ./invidious ./invidious-router ./mail diff --git a/system/services/fail2ban/default.nix b/system/services/fail2ban/default.nix deleted file mode 100644 index 1c47568..0000000 --- a/system/services/fail2ban/default.nix +++ /dev/null @@ -1,45 +0,0 @@ -{...}: { - vhack.persist.directories = [ - { - directory = "/var/lib/fail2ban"; - user = "fail2ban"; - group = "fail2ban"; - mode = "0700"; - } - ]; - - services.fail2ban = { - enable = true; - maxretry = 7; # ban after 7 failures - daemonSettings = { - Definition = { - logtarget = "SYSLOG"; - socket = "/run/fail2ban/fail2ban.sock"; - pidfile = "/run/fail2ban/fail2ban.pid"; - dbfile = "/var/lib/fail2ban/db.sqlite3"; - }; - }; - bantime-increment = { - enable = true; - rndtime = "8m"; - overalljails = true; - multipliers = "2 4 16 128 256"; - maxtime = "72h"; - }; - jails = { - dovecot = '' - # block IPs which failed to log-in - # aggressive mode add blocking for aborted connections - enabled = true - filter = dovecot[mode=aggressive] - maxretry = 2 - ''; - postfix = '' - enabled = true - filter = postfix[mode=aggressive] - findtime = 600 - maxretry = 3 - ''; - }; - }; -} -- cgit 1.4.1