refactor

profiles/fail2ban.nix

@@ -0,0 +1,40 @@
+{...}: {
+	services.fail2ban = {
+		enable = true;
+		maxretry = 5;
+		bantime = "10m";
+		bantime-increment = {
+			enable = true;
+			multipliers = "1 2 4 8 16 32 64";
+			maxtime = "168h";
+			overalljails = true;
+		};
+		jails = {
+			sshd = {
+				settings = {
+					enabled = true;
+					port = "ssh";
+					filter = "sshd";
+					maxretry = 3;
+				};
+			};
+			gitea = {
+				settings = {
+					enabled = true;
+					filter = "gitea";
+					logpath = "/var/lib/gitea/log/gitea.log";
+					maxretry = 10;
+					findtime = 3600;
+					bantime = 900;
+					action = "iptables-allports";
+				};
+			};
+		};
+	};
+
+	environment.etc."fail2ban/filter.d/gitea.local".text = ''
+		[Definition]
+		failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+		ignoreregex =
+	'';
+}