{ config, lib, ... }:
let
  cfg = config.vhack.fail2ban;

  # Paths shared between the persistence entry and the daemon settings,
  # so the persisted directory and the database inside it cannot drift apart.
  stateDir = "/var/lib/fail2ban";
  runDir = "/run/fail2ban";
in
{
  options.vhack.fail2ban = {
    enable = lib.mkEnableOption "fail2ban";
  };

  config = lib.mkIf cfg.enable {
    # Persist fail2ban's state (the ban database lives here) across reboots.
    vhack.persist.directories = [
      {
        directory = stateDir;
        # TODO: Fail2ban should probably run under a dedicated `fail2ban` user. <2024-12-25>
        user = "root";
        group = "root";
        mode = "0700"; # owner-only access to the persisted state
      }
    ];

    services.fail2ban = {
      enable = true;

      # Default failure threshold for every jail. The jails below set their own,
      # stricter maxretry, which takes precedence per jail.
      maxretry = 7;

      daemonSettings.Definition = {
        logtarget = "SYSLOG";
        socket = "${runDir}/fail2ban.sock";
        pidfile = "${runDir}/fail2ban.pid";
        dbfile = "${stateDir}/db.sqlite3";
      };

      # Repeat offenders are banned for progressively longer periods.
      bantime-increment = {
        enable = true;
        overalljails = true; # count earlier bans across all jails, not per jail
        multipliers = "2 4 16 128 256";
        maxtime = "72h"; # upper bound for an escalated ban
        rndtime = "8m"; # jitter added so unban times are not predictable
      };

      jails = {
        dovecot = ''
          # block IPs which failed to log-in
          # aggressive mode add blocking for aborted connections
          enabled = true
          filter = dovecot[mode=aggressive]
          maxretry = 2
        '';
        postfix = ''
          enabled = true
          filter = postfix[mode=aggressive]
          findtime = 600
          maxretry = 3
        '';
      };
    };
  };
}