From 9981ea0a7567029a1e7833ec500891c4178f5984 Mon Sep 17 00:00:00 2001
From: Minijackson
Date: Sat, 30 Dec 2023 22:07:48 +0100
Subject: fail2ban: configure recidive jail
---
 usecases/server/fail2ban.nix | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
(limited to 'usecases')
diff --git a/usecases/server/fail2ban.nix b/usecases/server/fail2ban.nix
index 3870a32..74266f7 100644
--- a/usecases/server/fail2ban.nix
+++ b/usecases/server/fail2ban.nix
@@ -6,5 +6,19 @@ inputs:
 services.fail2ban = {
 enable = true;
 ignoreIP = [ config.topology.mainVpn.subnet ];
+
+ # Remove when backported:
+ # https://github.com/NixOS/nixpkgs/pull/270864
+ banaction-allports = "iptables-allports";
+
+ bantime-increment.enable = true;
+
+ jails = {
+ recidive.settings = {
+ banaction = "%(banaction_allports)s";
+ bantime = "1w";
+ findtime = "1d";
+ };
+ };
 };
 }
-- 
cgit v1.2.3
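Review bot: `banaction-allports = "iptables-allports";` pins the recidive ban to the iptables action whatever firewall backend the host runs, so on a machine with `networking.nftables.enable = true` the all-ports ban may not be applied the way the other jails' bans are. If any server importing this module uses nftables, derive the action from that option instead, e.g. `banaction-allports = if config.networking.nftables.enable then "nftables-allports" else "iptables-allports";`. The rest of the module lies outside the hunk, so which backend is in use cannot be confirmed from here. Separately, `bantime-increment.enable = true;` applies to every jail and no `bantime-increment.maxtime` is set, so repeat bans starting from the recidive jail's `1w` grow without a ceiling you chose. Since `ignoreIP` exempts only the VPN subnet, consider setting an explicit maximum to bound an accidental lockout.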