# NixOS module fragment enabling fail2ban with escalating ban times and a
# "recidive" jail. Curried as `inputs: { config, ... }:`; `inputs` is accepted
# but not referenced in this file.
inputs:
{ config, ... }:
let
  # Subnet of the main VPN, taken from this configuration's own `topology`
  # option tree.
  vpnSubnet = config.topology.mainVpn.subnet;
in
{
  services.fail2ban.enable = true;

  # Sources in the VPN subnet are exempt from every jail. That keeps
  # administrators from locking themselves out, but it also means repeated
  # authentication failures coming from a VPN peer are never banned here, so
  # those peers need their own monitoring and access controls.
  services.fail2ban.ignoreIP = [ vpnSubnet ];

  # Remove when backported:
  # https://github.com/NixOS/nixpkgs/pull/270864
  # NOTE(review): presumably this assumes iptables is the active firewall
  # backend on the host; confirm before reusing elsewhere.
  services.fail2ban.banaction-allports = "iptables-allports";

  # Lengthen the ban each time a previously banned address is banned again.
  services.fail2ban.bantime-increment.enable = true;

  # Recidive jail: an address that keeps getting banned within `findtime`
  # (one day) is blocked for `bantime` (one week). The action is the fail2ban
  # interpolation of `banaction_allports`, which is expected to resolve to the
  # all-ports action configured above, i.e. every port rather than a single
  # service.
  services.fail2ban.jails.recidive.settings = {
    findtime = "1d";
    bantime = "1w";
    banaction = "%(banaction_allports)s";
  };
}