authorFranck Cuny <franck@fcuny.net>2025-08-20 20:42:27 -0700
committerFranck Cuny <franck@fcuny.net>2025-08-20 20:43:32 -0700
commit552e62b8ae7f262a9246ba98142606512c018668 (patch)
tree4624c548e25082354591de613c3513931f281283
parentbump sapi to 1.2.10 (diff)
initial configuration for fail2ban
The firewall needs to be enabled, and the SSH port must be explicitly opened so that enabling it does not lock us out.
Diffstat (limited to '')
-rw-r--r--machines/nixos/x86_64-linux/do-rproxy/default.nix1
-rw-r--r--profiles/core/ssh.nix2
-rw-r--r--profiles/network/fail2ban.nix15
-rw-r--r--profiles/network/firewall.nix2
4 files changed, 19 insertions, 1 deletions
diff --git a/machines/nixos/x86_64-linux/do-rproxy/default.nix b/machines/nixos/x86_64-linux/do-rproxy/default.nix
index 949745f..159c4fd 100644
--- a/machines/nixos/x86_64-linux/do-rproxy/default.nix
+++ b/machines/nixos/x86_64-linux/do-rproxy/default.nix
@@ -30,6 +30,7 @@
"${self}/profiles/nix/gc.nix"
"${self}/profiles/network/networkd.nix"
"${self}/profiles/network/firewall.nix"
+ "${self}/profiles/network/fail2ban.nix"
"${self}/profiles/services/podman.nix"
"${self}/profiles/programs/fish.nix"
./profiles/caddy.nix
diff --git a/profiles/core/ssh.nix b/profiles/core/ssh.nix
index f8c899a..b4c8772 100644
--- a/profiles/core/ssh.nix
+++ b/profiles/core/ssh.nix
@@ -1,5 +1,7 @@
{ lib, ... }:
{
+ networking.firewall.allowedTCPPorts = [ 22 ];
+
services.openssh = {
enable = lib.mkDefault true;
settings = {
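Review bot: The added `networking.firewall.allowedTCPPorts = [ 22 ];` is unconditional and hard-codes the port, while `services.openssh.enable` just below is only `lib.mkDefault true` — a host that overrides it to false still ends up with 22 open, and a host that changes `services.openssh.ports` keeps 22 open instead of its real port. As far as I recall the NixOS openssh module already has `services.openssh.openFirewall` (default true), which opens exactly `services.openssh.ports` and only while sshd is enabled; if that holds for the channel in use, this line is redundant and the rule should come from there (set `services.openssh.openFirewall = true;` explicitly if you want it visible). If you prefer to keep an explicit rule, tie it to the service: change the module header to `{ config, lib, ... }:` and write `networking.firewall.allowedTCPPorts = lib.mkIf config.services.openssh.enable config.services.openssh.ports;`. The `services.openssh` attribute set continues past the end of this hunk.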
diff --git a/profiles/network/fail2ban.nix b/profiles/network/fail2ban.nix
new file mode 100644
index 0000000..6aa6613
--- /dev/null
+++ b/profiles/network/fail2ban.nix
@@ -0,0 +1,15 @@
+{ ... }:
+{
+ services.fail2ban = {
+ enable = true;
+ ignoreIP = [
+ "10.100.0.0/24" # wireguard
+ ];
+ bantime = "1h";
+ bantime-increment = {
+ enable = true;
+ maxtime = "168h";
+ factor = "4";
+ };
+ };
+}
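Review bot: `bantime-increment.maxtime = "168h"` only bites if fail2ban's ban database keeps offender history that long; fail2ban's own default `dbpurgeage` is 1d and nothing here raises it, so unless the installed version adjusts the purge age to the configured maxtime automatically (I cannot confirm that from this diff), repeat offenders are forgotten after a day — worth checking, and if needed adding `daemonSettings.Definition.dbpurgeage = "7d";`. `ignoreIP = [ "10.100.0.0/24" ]` exempts every WireGuard peer from banning, so a compromised peer can brute-force sshd without ever being blocked; if that is the intended trade-off (never locking admins out), state it in the comment, e.g. `# wireguard: trusted peers, never auto-banned so admins cannot lock themselves out`. No jail is declared here; I believe the NixOS module enables an sshd jail by default, but declaring `jails.sshd.settings.enabled = true;` explicitly (or a comment saying the default sshd jail is relied on) keeps the intent visible if that default ever changes. A one-line comment on the escalation would also help: `# escalation: 1h -> 4h -> 16h -> 64h, capped at one week`.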
diff --git a/profiles/network/firewall.nix b/profiles/network/firewall.nix
index 1b30c84..b29dc31 100644
--- a/profiles/network/firewall.nix
+++ b/profiles/network/firewall.nix
@@ -2,7 +2,7 @@
{
networking = {
firewall = {
- enable = false;
+ enable = true;
allowPing = true;
logRefusedConnections = false;
};
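Review bot: Flipping `enable` to `true` makes this profile default-deny for every host that imports it, but nothing in this hunk opens the ports do-rproxy actually serves; this commit opens 22 via ssh.nix, yet 80/443 for Caddy must come from `./profiles/caddy.nix`, which is outside this diff — confirm it sets `networking.firewall.allowedTCPPorts` (and 443 UDP if HTTP/3 is enabled) before deploying, or the proxy goes dark. `logRefusedConnections = false` means dropped packets leave no trace in the journal; that is a reasonable noise trade-off on an internet-facing box, but it removes the only firewall-level signal for scans, and since fail2ban (enabled in the same commit) works from the sshd log rather than firewall logs, the two are independent — a why-comment would make that explicit: `# refused-connection logging is off to keep the journal quiet on a public host; fail2ban does not depend on it`. A comment noting that every service profile must now open its own ports (as ssh.nix does) would also save the next person from a lock-out.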