Self-host your own digital island
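# NixOS module: optional fail2ban setup for an Eilean host, including a jail
# that watches radicale.service for failed logins.
{ config, pkgs, lib, ... }:

with lib;
let
  cfg = config.eilean;
in
{
  options.eilean.fail2ban = {
    # The description previously read "TURN server", which looks copied from
    # another module.
    enable = mkEnableOption "fail2ban";
    # Whether to add the radicale jail. Follows eilean.radicale.enable unless
    # set explicitly.
    radicale = mkOption {
      type = types.bool;
      default = cfg.radicale.enable;
    };
  };

  config = mkIf cfg.fail2ban.enable {
    services.fail2ban = {
      enable = true;
      # Default ban length for jails that do not set their own bantime.
      bantime = "24h";
      # Repeat offenders get the ban length multiplied by successive
      # multipliers, capped at maxtime (168h = 7 days). overalljails makes
      # the repeat-offender lookup span all jails, not only the current one.
      bantime-increment = {
        enable = true;
        multipliers = "1 2 4 8 16 32 64";
        maxtime = "168h";
        overalljails = true;
      };
      # The condition wraps the whole jail, not only its settings, so that a
      # disabled jail leaves no empty "radicale" jail entry behind.
      jails."radicale" = mkIf cfg.fail2ban.radicale {
        settings = {
          port = "5232";
          filter = "radicale";
          # The all-ports action blocks the banned address on every port,
          # not only 5232.
          banaction = "%(banaction_allports)s[name=radicale]";
          backend = "systemd";
          journalmatch = "_SYSTEMD_UNIT=radicale.service";
          # fail2ban documents this option as lowercase `maxretry`. The
          # earlier `maxRetry` spelling may have depended on the config
          # parser ignoring case.
          maxretry = 2;
          # -1 is a permanent ban. It overrides the 24h default above, and
          # bantime-increment has nothing to grow from here.
          # NOTE(review): two failures within findtime (14400 s = 4 h)
          # permanently block an address on all ports, which includes a
          # legitimate user who mistypes a password twice. Consider an
          # ignoreip allowlist for administrative addresses.
          bantime = -1;
          findtime = 14400;
        };
      };
    };
    environment.etc = {
      # NOTE(review): <HOST> is taken from the "forwarded for" part of the
      # log line, so the banned address is only as trustworthy as the
      # forwarding header. Presumably a reverse proxy in front of radicale
      # sets it. Confirm that the proxy overwrites any client-supplied
      # value, otherwise bans can land on the wrong address or be avoided.
      # The pattern is also loosely anchored (leading `^.*`, greedy `.*`
      # before the host). If the same log line also carries client-supplied
      # text such as the attempted login name, tighten it and check it with
      # fail2ban-regex against real journal lines.
      #
      # The condition wraps the whole entry, so no /etc entry without
      # content is declared when the jail is off.
      "fail2ban/filter.d/radicale.local" = mkIf cfg.fail2ban.radicale {
        text = ''
          [Definition]
          failregex = ^.*Failed\slogin\sattempt\sfrom\s.*\(forwarded for \'<HOST>\'.*\):\s.*
        '';
      };
    };
  };
}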