From 552e62b8ae7f262a9246ba98142606512c018668 Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Wed, 20 Aug 2025 20:42:27 -0700
Subject: initial configuration for fail2ban
We need to ensure the firewall is enabled and let's ensure that we open the port for SSH.
---
 profiles/network/fail2ban.nix | 15 +++++++++++++++
 profiles/network/firewall.nix | 2 +-
 2 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 profiles/network/fail2ban.nix
(limited to 'profiles/network')
diff --git a/profiles/network/fail2ban.nix b/profiles/network/fail2ban.nix
new file mode 100644
index 0000000..6aa6613
--- /dev/null
+++ b/profiles/network/fail2ban.nix
@@ -0,0 +1,15 @@
+{ ... }:
+{
+ services.fail2ban = {
+ enable = true;
+ ignoreIP = [
+ "10.100.0.0/24" # wireguard
+ ];
+ bantime = "1h";
+ bantime-increment = {
+ enable = true;
+ maxtime = "168h";
+ factor = "4";
+ };
+ };
+}
diff --git a/profiles/network/firewall.nix b/profiles/network/firewall.nix
index 1b30c84..b29dc31 100644
--- a/profiles/network/firewall.nix
+++ b/profiles/network/firewall.nix
@@ -2,7 +2,7 @@
 {
 networking = {
 firewall = {
- enable = false;
+ enable = true;
 allowPing = true;
 logRefusedConnections = false;
 };
-- cgit v1.2.3
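Review bot: The new fail2ban.nix sets ban timing and an ignore list but does not say which jail it expects to be active or what `maxretry` threshold applies, so a reader cannot tell from this file whether SSH login failures are actually being counted. If the intent is to rely on the NixOS module's default sshd jail, a header comment making that dependency explicit would help, e.g. `# Relies on the fail2ban module's default sshd jail; maxretry is the upstream default.` The `# wireguard` annotation on `"10.100.0.0/24"` could also state why that range is trusted, since every address in an ignoreIP entry is exempt from banning and an over-broad range silently disables protection for it. Whether loopback is exempt without being listed here depends on the module's defaults and should be confirmed rather than assumed.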
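Review bot: The firewall is switched on at `+ enable = true;` but nothing in this hunk opens TCP 22, although the commit message says the SSH port is being opened; unless `services.openssh.openFirewall` (default true) is relied on elsewhere, the next rebuild of a remote host can lock out SSH. Adding `allowedTCPPorts = [ 22 ];` beside `allowPing = true;` would make the intent explicit in this profile instead of dependent on another one. The retained `logRefusedConnections = false;` means dropped packets will not reach the journal; fail2ban works from sshd's own log lines so it does not need that, but it does remove a signal for later incident review and is worth a comment stating the trade-off. The enclosing `networking.firewall` attrset starts before and ends after the hunk.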