Testing ownership changes for fail2ban

2023-07-06 12:02:45 +09:00 · 2023-07-06 12:02:45 +09:00 · c01a38b3b7
commit c01a38b3b7
parent 132b48dfb3
4 changed files with 22 additions and 13 deletions
--- a/configuration.nix
+++ b/configuration.nix
@ -10,9 +10,6 @@
      # Desktop Environments
      ./desktops/common.nix
      ./desktops/gnome.nix
-      
-      # Software
-      ./software/firefox.nix

      # Services
      ./services/openssh.nix
@ -53,12 +50,6 @@
      enable = true;
    };

-    # Password set via wpa_supplicant command
-    # https://nixos.org/manual/nixos/unstable/index.html#sec-wireless
-    wireless.networks = { # Use nix-sops for this
-      copeland-5g.psk = config.sops.secrets.wireless.copeland-5g.psk.path;
-    };
-
    enableIPv6 = false;
    firewall = { 
      enable = true;
@ -93,9 +84,6 @@
    extraGroups = [ "networkmanager" "wheel" ];
  };

-  # Allow unfree packages 
-  nixpkgs.config.allowUnfree = true;
-
  # Enable flakes:  https://nixos.wiki/wiki/Flakes
  nix.settings.experimental-features = [ "nix-command" "flakes" ];

--- a/desktops/common.nix
+++ b/desktops/common.nix
@ -11,6 +11,11 @@
    ];
  };

+  imports = [ 
+    # Software configurations
+    ./software/firefox.nix
+   ];
+
  # Enable sound with pipewire.
  sound.enable = true;
  hardware.pulseaudio.enable = false;
--- a/services/fail2ban.nix
+++ b/services/fail2ban.nix
@ -1,5 +1,22 @@
 { config, pkgs, ... }: {
  services.fail2ban = {
    enable = true;
+    maxretry = 5; # Observe 5 violations before banning an IP
+    ignoreIP = [
+      "100.64.0.0/24" # Headscale network
+    ];
+    bantime = "24h"; # Set bantime to one day
+    bantime-increment = {
+      enable = true; # Enable increment of bantime after each violation
+      formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+      multipliers = "1 2 4 8 16 32 64";
+      maxtime = "168h"; # Do not ban for more than 1 week
+      overalljails = true; # Calculate the bantime based on all the violations
+    };
+  };
+
+  # The SystemD Unit file configuration
+  systemd.services.fail2ban = {
+    postStart = "chown root:telegraf /var/run/fail2ban/fail2ban.socket"
  };
 }
--- a/services/telegraf.nix
+++ b/services/telegraf.nix
@ -55,7 +55,6 @@
        swap = {};
        system = {};
        fail2ban = {};
-        hddtemp = {};
        intel_powerstat = {};
        net = {};
        nvidia_smi = {};