infrastructure/modules/dgn-fail2ban/default.nix

91 lines
1.7 KiB
Nix
Raw Normal View History

{
config,
lib,
pkgs,
...
}:
let
inherit (lib)
mkDefault
mkEnableOption
mkIf
mkOption
types
;
cfg = config.dgn-fail2ban;
settingsFormat = pkgs.formats.keyValue { };
configFormat = pkgs.formats.ini { };
jailOptions = {
options = {
enabled = mkOption {
type = types.bool;
default = true;
description = "Wether to enable this jail.";
};
filter = mkOption {
type = types.nullOr (types.submodule { freeformType = configFormat.type; });
description = "Content of the filter used for this jail.";
};
settings = mkOption {
type = types.submodule { freeformType = settingsFormat.type; };
default = { };
description = "Additional configuration for the jail.";
};
};
};
in
{
options.dgn-fail2ban = {
enable = mkEnableOption "fail2ban service.";
jails = mkOption {
type = types.attrsOf (types.submodule jailOptions);
default = { };
description = "Set of jails defined for fail2ban.";
};
};
config = mkIf cfg.enable {
dgn-fail2ban.jails = builtins.mapAttrs (_: j: j // { enabled = mkDefault false; }) (
import ./jails.nix { }
);
services.fail2ban = {
enable = true;
inherit (cfg) jails;
ignoreIP = [
"10.0.0.0/8"
2023-11-28 20:29:25 +01:00
"129.199.0.0/16"
"172.16.0.0/12"
"192.168.0.0/16"
"100.64.0.0/10"
"fd00::/8"
];
bantime-increment = {
enable = true;
maxtime = "48h";
factor = "600";
};
extraPackages = [ pkgs.ipset ];
banaction = "iptables-ipset-proto6-allports";
};
};
}