From 477bf5bf9016d7f8c43a2cc693ff47b1ed241e8f Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Fri, 29 Dec 2023 11:47:44 +0000
Subject: [PATCH] add fail2ban, so far only banning ssh connections

---
 fail2ban.nix | 19 +++++++++++++++++++
 flake.nix | 1 +
 2 files changed, 20 insertions(+)
 create mode 100644 fail2ban.nix

diff --git a/fail2ban.nix b/fail2ban.nix
new file mode 100644
index 0000000..80da631
--- /dev/null
+++ b/fail2ban.nix
@@ -0,0 +1,19 @@
+{ ... }: {
+ services.fail2ban = {
+ enable = true;
+ maxretry = 5;
+ ignoreIP = [
+ # Whitelist some subnets
+ "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
+ "matrix.org"
+ "app.element.io" # don't ratelimit matrix users
+ ];
+ bantime = "1h"; # Ban IPs for 1h at first.
+ bantime-increment = {
+ enable = true; # Enable increment of bantime after each violation
+ multipliers = "1 2 4 8 16 32 64 128 256";
+ maxtime = "168h"; # Do not ban for more than 1 week
+ overalljails = true; # Calculate the bantime based on all the violations
+ };
+ };
+}
diff --git a/flake.nix b/flake.nix
index 48edca7..19248f6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -29,6 +29,7 @@
 ./puffer.nix
 ./gitea.nix
 ./letsencrypt.nix
+ ./fail2ban.nix
 ./email.nix
 agenix.nixosModules.default
 nixos-mailserver.nixosModules.default
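Review bot: The `ignoreIP` entries `"matrix.org"` and `"app.element.io"` in the new fail2ban.nix do not do what the `# don't ratelimit matrix users` comment says: the Element web client runs in the user's browser, so Matrix users' connections arrive from their own addresses, and with only the sshd jail active (per the commit subject) the sole effect is to exempt whatever those two names resolve to from SSH banning. Hostname entries are also resolved through DNS rather than being fixed addresses, so the exemption is only as trustworthy as those records. I would drop the two hostname lines together with that comment, keep the RFC 1918 ranges, and make the scope explicit above them, e.g. `# Never ban the private ranges: this covers every host on the LAN, not just admin machines`. It is worth considering whether the whitelist should instead be narrowed to the management subnet you actually administer from.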