From 1fd85a0978c47359ecf77ece9ccf5f606ec8e120 Mon Sep 17 00:00:00 2001
From: Gabe Venberg
Date: Wed, 7 May 2025 16:06:26 +0200
Subject: [PATCH] enabled fail2ban for sshd, will enable for more services later.

---
 configs/nixos/fail2ban.nix | 16 ++++++++++++++++
 configs/nixos/sshd.nix | 3 +++
 2 files changed, 19 insertions(+)
 create mode 100644 configs/nixos/fail2ban.nix

diff --git a/configs/nixos/fail2ban.nix b/configs/nixos/fail2ban.nix
new file mode 100644
index 0000000..da60106
--- /dev/null
+++ b/configs/nixos/fail2ban.nix
@@ -0,0 +1,16 @@
+{
+ config,
+ pkgs,
+ inputs,
+ lib,
+ myLib,
+ ...
+}: {
+ services.fail2ban = {
+ enable = true;
+ bantime-increment.enable = true;
+ bantime-increment.maxtime = "1w";
+ extraPackages = [pkgs.ipset];
+ banaction = "iptables-ipset-proto6-allports";
+ };
+}
diff --git a/configs/nixos/sshd.nix b/configs/nixos/sshd.nix
index e91be82..5dd4c45 100644
--- a/configs/nixos/sshd.nix
+++ b/configs/nixos/sshd.nix
@@ -6,6 +6,9 @@
 myLib,
 ...
 }: {
+ imports = [
+ ./fail2ban.nix
+ ];
 services.openssh = {
 enable = true;
 settings.PermitRootLogin = "prohibit-password";
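Review bot: The new `services.fail2ban` block in fail2ban.nix turns on escalating bans up to `maxtime = "1w"` but sets no `ignoreIP`, so a few mistyped passphrases or a stale key from the administrator's own network can produce a week-long lockout from SSH on this host, and the ban list persists across the failed attempts rather than resetting. Add the trusted management ranges before widening this to more services, e.g. `ignoreIP = [ "<trusted-management-cidr>" ];` (loopback is presumably covered by the module defaults — verify against the generated jail.local). Separately, `banaction = "iptables-ipset-proto6-allports"` is an iptables-family action; if this host's firewall is, or is later switched to, nftables (`networking.nftables.enable`), these rules may not land in the ruleset that is actually enforced — worth a one-line comment such as `# iptables-based action; switch to an nftables-* action if networking.nftables is enabled`.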
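Review bot: The `imports = [ ./fail2ban.nix ];` added to sshd.nix does not declare a jail for sshd, so the protection the commit title promises depends entirely on the fail2ban module shipping a default sshd jail that reads from the sshd unit's journal; nothing visible in this diff pins that. Making it explicit, e.g. `services.fail2ban.jails.sshd.settings.enabled = true;`, keeps the intent in the config rather than in a module default, and the port list should be checked against whatever `services.openssh.ports` this module sets. The `services.openssh = {` attrset that follows the import continues past the end of the hunk.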