nixos-template-base/base/activation-manuelle/service-fail2ban.nix

{ config, lib, pkgs, ... }:

let
  inherit (lib) mkIf mkMerge mkThenElse;
  cfg = config.r6d.config-generator;
  computers = config.r6d.computers;
  profiles = config.r6d.profiles;

  ignoreip = "pedro.dubronetwork.fr cube.dubronetwork.fr voyage.prunetwork.fr xray.prunetwork.fr 192.168.0.0/16 172.16.0.0/16";
  destemail = "admins@dubronetwork.fr";
in

mkIf cfg.fail2ban {

  # Gestion de fail2ban

  # Paquets
  environment.systemPackages = with pkgs; [
    mailutils
    whois
  ];


  # Services
  services = {
    fail2ban = {
      enable = true;
      jails = {
        DEFAULT = ''
          # "ignoreip" can be an IP address, a CIDR mask or a DNS host
          ignoreip = 127.0.0.1/8 ${ignoreip}

          # 1 jour
          # bantime  = 86400
          # 5 jours 
          bantime  = 432000

          maxretry = 3

          destemail = ${destemail}

          # https://github.com/Baughn/nixpkgs/blob/master/nixos/modules/services/security/fail2ban.nix
          findtime = 600
          maxretry = 3
          backend  = systemd
          enabled  = true
        '';
        ssh-route = ''
          filter   = sshd
          action   = route[blocktype=blackhole]
        '';
        # désactivation car souci de PATH avec les commandes mail ou sendmail. Nécessite un path motifiable
        # ticket à ouvrir
        #ssh-mail = ''
        #  filter   = sshd
        #  action   = sendmail[sendername=Fail2ban @${config.networking.hostName}]
        #'';
      };
    };
  };

  # https://github.com/NixOS/nixpkgs/issues/8437
  services.fail2ban.jails.ssh-iptables = "enabled = true";
}