42 lines
890 B
Nix
42 lines
890 B
Nix
# Filter and ban unauthorized access
|
|
{ config, lib, ... }:
|
|
let
|
|
cfg = config.my.services.fail2ban;
|
|
wgNetCfg = config.my.services.wireguard.net;
|
|
in
|
|
{
|
|
options.my.services.fail2ban = with lib; {
|
|
enable = mkEnableOption "fail2ban daemon";
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
services.fail2ban = {
|
|
enable = true;
|
|
|
|
ignoreIP = [
|
|
# Wireguard IPs
|
|
"${wgNetCfg.v4.subnet}.0/${toString wgNetCfg.v4.mask}"
|
|
"${wgNetCfg.v6.subnet}::/${toString wgNetCfg.v6.mask}"
|
|
# Loopback addresses
|
|
"127.0.0.0/8"
|
|
];
|
|
|
|
maxretry = 5;
|
|
|
|
bantime-increment = {
|
|
enable = true;
|
|
rndtime = "5m"; # Use 5 minute jitter to avoid unban evasion
|
|
};
|
|
|
|
jails.DEFAULT.settings = {
|
|
findtime = "4h";
|
|
bantime = "10m";
|
|
};
|
|
};
|
|
|
|
my.system.persist.directories = [
|
|
"/var/lib/fail2ban"
|
|
];
|
|
};
|
|
}
|