Fresh repo without sensitive data.

services/fail2ban.nix

@@ -0,0 +1,69 @@
+{ config, lib, pkgs, ... }:
+
+# mostly taken from https://github.com/davidak/nixos-config/blob/master/services/fail2ban.nix
+{
+  services.fail2ban = {
+    enable = true;
+    jails = { 
+      DEFAULT = ''
+        bantime  = 3600
+        logpath  = /var/log/auth.log
+      '';
+
+      ssh = ''
+        enabled = true
+        filter = sshd
+        maxretry = 4
+        action = iptables[name=SSH, port=ssh, protocol=tcp]
+      '';
+      sshd-ddos = ''
+        enabled  = true
+        filter = sshd-ddos
+        maxretry = 2
+        action   = iptables[name=ssh, port=ssh, protocol=tcp]
+      '';
+
+      postfix = ''
+        enabled  = true
+        filter   = postfix
+        maxretry = 3
+        action   = iptables[name=postfix, port=smtp, protocol=tcp]
+      '';
+      postfix-sasl = ''
+        enabled  = true
+        filter   = postfix-sasl
+        maxretry = 3
+        action   = iptables[name=postfix, port=smtp, protocol=tcp]
+      '';
+      postfix-ddos = ''
+        enabled  = true
+        filter   = postfix-ddos
+        maxretry = 3
+        action   = iptables[name=postfix, port=submission, protocol=tcp]
+        bantime  = 7200
+      '';
+
+      nginx-req-limit = ''
+        enabled = true
+        filter = nginx-req-limit
+        maxretry = 10
+        action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
+        findtime = 600
+        bantime = 7200
+      ''
+    };
+  }; 
+
+  environment.etc."fail2ban/filter.d/postfix-ddos.conf".text = ''
+    [Definition]
+    failregex = lost connection after EHLO from \S+\[<HOST>\]
+  '';
+
+  environment.etc."fail2ban/filter.d/nginx-req-limit.conf".text = ''
+    [Definition]
+    failregex = limiting requests, excess:.* by zone.*client: <HOST>
+  '';
+
+  # Limit stack size to reduce memory usage
+  systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
+}