diff --git a/modules/services/default.nix b/modules/services/default.nix
index a5d129b..b71fb2a 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -7,6 +7,7 @@
 ./blog
 ./calibre-web
 ./drone
+ ./fail2ban
 ./flood
 ./gitea
 ./grocy
diff --git a/modules/services/fail2ban/default.nix b/modules/services/fail2ban/default.nix
new file mode 100644
index 0000000..ab80bda
--- /dev/null
+++ b/modules/services/fail2ban/default.nix
@@ -0,0 +1,37 @@
+# A minimalist, opinionated feed reader
+{ config, lib, ... }:
+let
+ cfg = config.my.services.fail2ban;
+ wgNetCfg = config.my.services.wireguard.net;
+in
+{
+ options.my.services.fail2ban = with lib; {
+ enable = mkEnableOption "fail2ban daemon";
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.fail2ban = {
+ enable = true;
+
+ ignoreIP = [
+ # Wireguard IPs
+ "${wgNetCfg.v4.subnet}.0/${toString wgNetCfg.v4.mask}"
+ "${wgNetCfg.v6.subnet}::/${toString wgNetCfg.v6.mask}"
+ # Loopback addresses
+ "127.0.0.0/8"
+ ];
+
+ maxretry = 5;
+
+ bantime-increment = {
+ enable = true;
+ rndtime = "5m"; # Use 5 minute jitter to avoid unban evasion
+ };
+
+ jails.DEFAULT = '';
+ findtime = 4h
+ bantime = 10m
+ '';
+ };
+ };
+}
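Review bot: In the new fail2ban module the `jails.DEFAULT` value appears to open the indented string as `'';`, which puts the `;` inside the string rather than after it, so the generated DEFAULT jail settings would start with a stray `;` line (likely harmless if fail2ban's ini parser treats `;` as a comment, but it reads as a typo); the opening line should be `jails.DEFAULT = ''` with the `;` only after the closing `''`. The header comment `# A minimalist, opinionated feed reader` looks copied from another service module and should describe this one, e.g. `# fail2ban: temporarily ban hosts that repeatedly fail authentication`. The `ignoreIP` list also deserves a why-comment: exempting the entire WireGuard v4/v6 ranges means failed logins from any VPN peer are never banned, and the v6 entry assumes `wgNetCfg.v6.subnet` is a bare prefix that can take `::` appended — both are inferred from this file alone, since the wireguard option definitions are not in the diff.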