bonfire/modules/services/fail2ban.nix

# NixOS module: opt-in fail2ban service with an extra filter definition for gitea.
#
# Enabling `modules.services.fail2ban.enable` turns on `services.fail2ban` with
# global ban settings and installs a gitea filter under
# /etc/fail2ban/filter.d/gitea.conf.  Only the names actually used from `lib`
# and `lib.custom` are brought into scope.
{ config, options, lib, pkgs, ... }:
let
  inherit (lib) mkIf;
  inherit (lib.custom) mkBoolOpt;

  cfg = config.modules.services.fail2ban;
in
{
  # Single boolean switch for the whole module; defaults to off.
  options.modules.services.fail2ban.enable = mkBoolOpt false;

  config = mkIf cfg.enable {
    services.fail2ban = {
      enable = true;

      # Sources in these ranges are never banned by any jail.  The /16 around
      # loopback and the whole 192.168.1.0/24 LAN are exempt, so brute-force
      # attempts originating from the LAN are not blocked by fail2ban.
      ignoreIP = [ "127.0.0.1/16" "192.168.1.0/24" ];

      # Ban action that blocks every port of a banned host, not just the port
      # of the jail that triggered the ban.
      banaction-allports = "iptables-allports";

      # Repeat offenders get progressively longer bans: each new ban is
      # multiplied by `factor` (4x) up to a ceiling of 168h (one week).
      bantime-increment = {
        enable = true;
        maxtime = "168h";
        factor = "4";
      };

      # Settings inherited by every jail unless a jail overrides them.
      # blocktype DROP silently discards packets from banned hosts instead of
      # sending a REJECT; the first ban lasts 1h and failures are counted over
      # a 1h window.
      jails.DEFAULT = ''
        blocktype = DROP
        bantime = 1h
        findtime = 1h
      '';
    };

    # Extra filters.
    # The gitea filter matches three authentication-failure messages and takes
    # the offending address from the trailing "from <HOST>".  `journalmatch`
    # limits the scan to gitea.service, which presumes the systemd backend
    # (not set on this page; assumed to be the jail default -- confirm).
    # NOTE(review): no `jails.gitea` entry appears in this file, so the filter
    # is only installed here; it takes effect once a jail references it.
    environment.etc = {
      "fail2ban/filter.d/gitea.conf".text = ''
        [Definition]
        failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
        ignoreregex =
        journalmatch = _SYSTEMD_UNIT=gitea.service
      '';
    };
  };
}