32 lines
638 B
Nix
32 lines
638 B
Nix
{
|
|
pkgs,
|
|
lib,
|
|
config,
|
|
...
|
|
}:
|
|
let
|
|
inherit (lib) mkIf;
|
|
cfg = config.services.fail2ban;
|
|
in
|
|
{
|
|
config = mkIf cfg.enable {
|
|
services.fail2ban = {
|
|
extraPackages = with pkgs; [ nftables ];
|
|
maxretry = 5;
|
|
bantime = "10m";
|
|
ignoreIP = [
|
|
"100.64.0.0/16" # Tailscale
|
|
];
|
|
|
|
banaction = "nftables-multiport";
|
|
banaction-allports = "nftables-allports";
|
|
|
|
bantime-increment = {
|
|
enable = true;
|
|
multipliers = "2 8 32 128 512 2048";
|
|
maxtime = "2400h"; # 100 days
|
|
overalljails = true; # Calculate the bantime based on all the violations
|
|
};
|
|
};
|
|
};
|
|
}
|