{ config, lib, ... }:

# mostly taken from https://github.com/davidak/nixos-config/blob/master/services/fail2ban.nix
with lib;

mkIf (elem "fail2ban" config.machine.services) {
  services.fail2ban = {
    enable = true;
    jails = { 
      DEFAULT = ''
        bantime  = 3600
        ignoreip = 127.0.0.1
        logpath  = /var/log/auth.log
      '';

      ssh = ''
        enabled = true
        filter = sshd
        maxretry = 4
        action = iptables[name=SSH, port=ssh, protocol=tcp]
      '';
      sshd-ddos = ''
        enabled  = true
        filter = sshd-ddos
        maxretry = 2
        action   = iptables[name=ssh, port=ssh, protocol=tcp]
      '';

      postfix = ''
        enabled  = true
        filter   = postfix
        maxretry = 3
        action   = iptables[name=postfix, port=smtp, protocol=tcp]
      '';
      postfix-sasl = ''
        enabled  = true
        filter   = postfix-sasl
        maxretry = 3
        action   = iptables[name=postfix, port=smtp, protocol=tcp]
      '';
      postfix-ddos = ''
        enabled  = true
        filter   = postfix-ddos
        maxretry = 3
        action   = iptables[name=postfix, port=submission, protocol=tcp]
        bantime  = 7200
      '';

      nginx-req-limit = ''
        enabled = true
        filter = nginx-req-limit
        maxretry = 10
        action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
        findtime = 600
        bantime = 7200
      '';
    };
  }; 

  environment.etc."fail2ban/filter.d/postfix-ddos.conf".text = ''
    [Definition]
    failregex = lost connection after EHLO from \S+\[<HOST>\]
  '';

  environment.etc."fail2ban/filter.d/nginx-req-limit.conf".text = ''
    [Definition]
    failregex = limiting requests, excess:.* by zone.*client: <HOST>
  '';

  # Limit stack size to reduce memory usage
  systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
}