services/{fail2ban,postgres}: Split up from athame

2026-02-10 04:49:19 -08:00 · 2021-04-27 22:29:16 +01:00 · 2021-04-27 22:29:16 +01:00 · 9b1602ec36
commit 9b1602ec36
parent 8a4e5992bb
2 changed files with 42 additions and 0 deletions
--- a/services/fail2ban.nix
+++ b/services/fail2ban.nix
@ -0,0 +1,37 @@
+{ config, pkgs, ... }:
+
+{
+  services.fail2ban = {
+    enable = true;
+    jails = {
+      DEFAULT = ''
+        bantime  = 1d
+        blocktype = DROP
+        logpath  = /var/log/auth.log
+      '';
+      ssh = ''
+        enabled = true
+        filter = sshd
+        maxretry = 4
+        action = iptables[name=SSH, port=ssh, protocol=tcp]
+      '';
+      sshd-ddos = ''
+        enabled  = true
+        filter = sshd-ddos
+        maxretry = 4
+        action   = iptables[name=ssh, port=ssh, protocol=tcp]
+      '';
+    };
+  };
+
+  environment.etc."fail2ban/filter.d/sshd-ddos.conf" = {
+    enable = true;
+    text = ''
+      [Definition]
+      failregex = sshd(?:\[\d+\])?: Did not receive identification string from <HOST>$
+      ignoreregex =
+    '';
+  };
+
+  systemd.services.fail2ban.serviceConfig.LimitSTACK = 128 * 1024;
+}
--- a/services/postgres.nix
+++ b/services/postgres.nix
@ -0,0 +1,5 @@
+{ config, pkgs, ... }:
+
+{
+  services.postgresql.enable = true;
+}