From 88b6b6e2ab89de0e0f2a26199647de3a7fc31975 Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin <ataraxiadev@ataraxiadev.com>
Date: Fri, 7 Mar 2025 13:03:00 +0300
Subject: [PATCH] add fail2ban to nixos-vps

---
 machines/NixOS-FI-VPS/default.nix | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/machines/NixOS-FI-VPS/default.nix b/machines/NixOS-FI-VPS/default.nix
index d2dc83c..0c21c1d 100644
--- a/machines/NixOS-FI-VPS/default.nix
+++ b/machines/NixOS-FI-VPS/default.nix
@@ -180,15 +180,37 @@
   };
   systemd.coredump.enable = false;
 
-  # Users
   services.openssh = {
     enable = true;
+    settings.LogLevel = "VERBOSE";
     settings.PasswordAuthentication = false;
     settings.PermitRootLogin = lib.mkForce "prohibit-password";
     settings.X11Forwarding = false;
     extraConfig = "StreamLocalBindUnlink yes";
-    ports = [ 22 ];
+    ports = [ 32323 ];
   };
+  services.fail2ban = {
+    enable = true;
+    maxretry = 3;
+    bantime = "2h";
+    bantime-increment = {
+      enable = true;
+      maxtime = "72h";
+      overalljails = true;
+    };
+    ignoreIP = [
+      "10.0.0.0/8"
+      "172.16.0.0/12"
+      "192.168.0.0/16"
+    ];
+    jails = {
+      sshd.settings = {
+        backend = "systemd";
+        mode = "aggressive";
+      };
+    };
+  };
+  # Users
   users.mutableUsers = false;
   users.users = {
     ${config.mainuser} = {
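Review bot: The sshd jail at `jails.sshd.settings` does not set a `port`, while the same hunk moves sshd from 22 to 32323; fail2ban's stock sshd jail defaults to `port = ssh`, so with a port-scoped ban action (the NixOS module's default is a multiport iptables/nftables action, as far as I can tell) the ban rule would block offenders only on port 22 and leave the actual listener untouched. Adding `port = 32323;` next to `backend` and `mode` keeps the jail in step with `services.openssh.ports`, or switching the jail's `banaction` to the allports variant makes it independent of the port. It is worth confirming by checking the generated rule after a test ban rather than relying on the jail status alone. The `ignoreIP` list and `bantime-increment` block look consistent with the stated intent.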