From c01a38b3b767715645972646569e0c488e881841 Mon Sep 17 00:00:00 2001
From: iFargle
Date: Thu, 6 Jul 2023 12:02:45 +0900
Subject: [PATCH] Testing ownership changes for fail2ban

---
 configuration.nix | 12 ------------
 desktops/common.nix | 5 +++++
 services/fail2ban.nix | 17 +++++++++++++++++
 services/telegraf.nix | 1 -
 4 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/configuration.nix b/configuration.nix
index 25c58a0e..708ac09d 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -10,9 +10,6 @@
 # Desktop Environments
 ./desktops/common.nix
 ./desktops/gnome.nix
-
- # Software
- ./software/firefox.nix
 
 # Services
 ./services/openssh.nix
@@ -53,12 +50,6 @@
 enable = true;
 };
 
- # Password set via wpa_supplicant command
- # https://nixos.org/manual/nixos/unstable/index.html#sec-wireless
- wireless.networks = { # Use nix-sops for this
- copeland-5g.psk = config.sops.secrets.wireless.copeland-5g.psk.path;
- };
-
 enableIPv6 = false;
 firewall = {
 enable = true;
@@ -93,9 +84,6 @@
 extraGroups = [ "networkmanager" "wheel" ];
 };
 
- # Allow unfree packages
- nixpkgs.config.allowUnfree = true;
-
 # Enable flakes: https://nixos.wiki/wiki/Flakes
 nix.settings.experimental-features = [ "nix-command" "flakes" ];
 
diff --git a/desktops/common.nix b/desktops/common.nix
index 220f6f55..b1340a98 100644
--- a/desktops/common.nix
+++ b/desktops/common.nix
@@ -11,6 +11,11 @@
 ];
 };
 
+ imports = [
+ # Software configurations
+ ./software/firefox.nix
+ ];
+
 # Enable sound with pipewire.
 sound.enable = true;
 hardware.pulseaudio.enable = false;
diff --git a/services/fail2ban.nix b/services/fail2ban.nix
index 9e657b8a..7e305b05 100644
--- a/services/fail2ban.nix
+++ b/services/fail2ban.nix
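Review bot: `./software/firefox.nix` in the new `imports` list of desktops/common.nix is resolved relative to that file, so it now points at desktops/software/firefox.nix, whereas the line removed from configuration.nix in the first hunk pointed at software/firefox.nix at the repository root; unless that file was moved (the diffstat lists no rename), evaluation fails on a missing path, and the entry should read `../software/firefox.nix`. If desktops/common.nix already declares an `imports` attribute above this hunk, a second one in the same attribute set is a duplicate-attribute error — not visible here, so confirm. The wireless/sops, `allowUnfree` and firefox-import edits to configuration.nix are unrelated to the commit subject ("ownership changes for fail2ban") and would be easier to review and revert as a commit of their own.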
@@ -1,5 +1,22 @@
 { config, pkgs, ... }: { services.fail2ban = { enable = true;
+ maxretry = 5; # Observe 5 violations before banning an IP
+ ignoreIP = [
+ "100.64.0.0/24" # Headscale network
+ ];
+ bantime = "24h"; # Set bantime to one day
+ bantime-increment = {
+ enable = true; # Enable increment of bantime after each violation
+ formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+ multipliers = "1 2 4 8 16 32 64";
+ maxtime = "168h"; # Do not ban for more than 1 week
+ overalljails = true; # Calculate the bantime based on all the violations
+ };
+ };
+
+ # The SystemD Unit file configuration
+ systemd.services.fail2ban = {
+ postStart = "chown root:telegraf /var/run/fail2ban/fail2ban.socket"
 };
 }
\ No newline at end of file
diff --git a/services/telegraf.nix b/services/telegraf.nix
index 2e9c100a..c5b475da 100644
--- a/services/telegraf.nix
+++ b/services/telegraf.nix
@@ -55,7 +55,6 @@
 swap = {};
 system = {};
 fail2ban = {};
- hddtemp = {};
 intel_powerstat = {};
 net = {};
 nvidia_smi = {};
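Review bot: The `postStart` binding is missing its terminating semicolon before the closing `};` — every binding in a Nix attribute set ends with `;`, so services/fail2ban.nix will not parse as written; it should read `postStart = "chown root:telegraf /var/run/fail2ban/fail2ban.socket";`. Separately, the socket being chowned is fail2ban's command channel and, to my knowledge, has no read-only mode, so every process running in the telegraf group gains the ability to ban, unban and reconfigure jails rather than just read status; that widening deserves a comment on the line, e.g. `# Grants the telegraf group full control of fail2ban (ban/unban), not read-only access`. postStart also runs once, right after fail2ban-server is launched; if the socket has not been created by then the chown fails and presumably takes the unit start down with it, so a short wait-for-socket loop before the chown would be more robust — confirm against the service type the NixOS module uses. Minor: when `multipliers` is set fail2ban uses it instead of `formula`, so the formula line is dead configuration.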