Testing ownership changes for fail2ban
parent
132b48dfb3
commit
c01a38b3b7
4 changed files with 22 additions and 13 deletions
|
@ -10,9 +10,6 @@
|
||||||
# Desktop Environments
|
# Desktop Environments
|
||||||
./desktops/common.nix
|
./desktops/common.nix
|
||||||
./desktops/gnome.nix
|
./desktops/gnome.nix
|
||||||
|
|
||||||
# Software
|
|
||||||
./software/firefox.nix
|
|
||||||
|
|
||||||
# Services
|
# Services
|
||||||
./services/openssh.nix
|
./services/openssh.nix
|
||||||
|
@ -53,12 +50,6 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
# Password set via wpa_supplicant command
|
|
||||||
# https://nixos.org/manual/nixos/unstable/index.html#sec-wireless
|
|
||||||
wireless.networks = { # Use nix-sops for this
|
|
||||||
copeland-5g.psk = config.sops.secrets.wireless.copeland-5g.psk.path;
|
|
||||||
};
|
|
||||||
|
|
||||||
enableIPv6 = false;
|
enableIPv6 = false;
|
||||||
firewall = {
|
firewall = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -93,9 +84,6 @@
|
||||||
extraGroups = [ "networkmanager" "wheel" ];
|
extraGroups = [ "networkmanager" "wheel" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
# Allow unfree packages
|
|
||||||
nixpkgs.config.allowUnfree = true;
|
|
||||||
|
|
||||||
# Enable flakes: https://nixos.wiki/wiki/Flakes
|
# Enable flakes: https://nixos.wiki/wiki/Flakes
|
||||||
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
nix.settings.experimental-features = [ "nix-command" "flakes" ];
|
||||||
|
|
||||||
|
|
|
@ -11,6 +11,11 @@
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
imports = [
|
||||||
|
# Software configurations
|
||||||
|
./software/firefox.nix
|
||||||
|
];
|
||||||
|
|
||||||
# Enable sound with pipewire.
|
# Enable sound with pipewire.
|
||||||
sound.enable = true;
|
sound.enable = true;
|
||||||
hardware.pulseaudio.enable = false;
|
hardware.pulseaudio.enable = false;
|
||||||
|
|
|
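--- a/PATH_NOT_SHOWN_ON_PAGE_fail2ban_module
+++ b/PATH_NOT_SHOWN_ON_PAGE_fail2ban_module
@@ -1,5 +1,22 @@
 { config, pkgs, ... }: {
 services.fail2ban = {
 enable = true;
+maxretry = 5; # Observe 5 violations before banning an IP
+ignoreIP = [
+"100.64.0.0/24" # Headscale network
+];
+bantime = "24h"; # Set bantime to one day
+bantime-increment = {
+enable = true; # Enable increment of bantime after each violation
+formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+multipliers = "1 2 4 8 16 32 64";
+maxtime = "168h"; # Do not ban for more than 1 week
+overalljails = true; # Calculate the bantime based on all the violations
+};
+};
+
+# The SystemD Unit file configuration
+systemd.services.fail2ban = {
+postStart = "chown root:telegraf /var/run/fail2ban/fail2ban.socket"
 };
 }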
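Review bot: The new `postStart` binding inside `systemd.services.fail2ban` is missing the semicolon Nix requires after every attribute binding, so this module will fail to evaluate; it should read `postStart = "chown root:telegraf /var/run/fail2ban/fail2ban.socket";`. Giving the telegraf group ownership of the fail2ban control socket grants that group whatever the socket's mode allows, and on a control socket that can mean issuing commands (unban, reload) rather than only reading status, so a comment stating the intent is metrics read access and confirming the socket is not group-writable would help reviewers. The chown also runs once at service start; if fail2ban creates or recreates the socket after `postStart` fires (for example on reload), the ownership may not persist — TODO confirm against the unit's start-up behaviour. Separately, `bantime-increment` sets both `formula` and `multipliers`; fail2ban appears to prefer `multipliers` when both are present, so a one-line comment naming which setting is meant to take effect would avoid a misleading formula line.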
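--- a/PATH_NOT_SHOWN_ON_PAGE_telegraf_inputs
+++ b/PATH_NOT_SHOWN_ON_PAGE_telegraf_inputs
@@ -55,7 +55,6 @@
 swap = {};
 system = {};
 fail2ban = {};
-hddtemp = {};
 intel_powerstat = {};
 net = {};
 nvidia_smi = {};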