authorBenedikt Peetz <benedikt.peetz@b-peetz.de>2024-12-25 17:12:47 +0100
committerBenedikt Peetz <benedikt.peetz@b-peetz.de>2024-12-25 17:14:36 +0100
commit163eabfda1ff4598bacc26d210c328f27b5ed4af (patch)
tree7b385d0233231130e73656d9134b6e4ac4981bb9 /modules/by-name/fa
parentrefactor(system/services/rust-motd): Migrate to `by-name` (diff)
refactor(system/services/fail2ban): Migrate to `by-name`
Additionally, I've changed the owner of the `/var/lib/fail2ban` directory to `root:root`, as the main `fail2ban` service also runs under `root` and a `fail2ban` user is never created.
Diffstat (limited to 'modules/by-name/fa')
-rw-r--r--modules/by-name/fa/fail2ban/module.nix58
1 files changed, 58 insertions, 0 deletions
diff --git a/modules/by-name/fa/fail2ban/module.nix b/modules/by-name/fa/fail2ban/module.nix
new file mode 100644
index 0000000..c619ef9
--- /dev/null
+++ b/modules/by-name/fa/fail2ban/module.nix
@@ -0,0 +1,58 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ cfg = config.vhack.fail2ban;
+in {
+ options.vhack.fail2ban = {
+ enable = lib.mkEnableOption "fail2ban";
+ };
+
+ config = lib.mkIf cfg.enable {
+ vhack.persist.directories = [
+ {
+ directory = "/var/lib/fail2ban";
+ # TODO: Fail2ban should probably run under a dedicated `fail2ban` user. <2024-12-25>
+ user = "root";
+ group = "root";
+ mode = "0700";
+ }
+ ];
+
+ services.fail2ban = {
+ enable = true;
+ maxretry = 7; # ban after 7 failures
+ daemonSettings = {
+ Definition = {
+ logtarget = "SYSLOG";
+ socket = "/run/fail2ban/fail2ban.sock";
+ pidfile = "/run/fail2ban/fail2ban.pid";
+ dbfile = "/var/lib/fail2ban/db.sqlite3";
+ };
+ };
+ bantime-increment = {
+ enable = true;
+ rndtime = "8m";
+ overalljails = true;
+ multipliers = "2 4 16 128 256";
+ maxtime = "72h";
+ };
+ jails = {
+ dovecot = ''
+ # block IPs which failed to log-in
+ # aggressive mode add blocking for aborted connections
+ enabled = true
+ filter = dovecot[mode=aggressive]
+ maxretry = 2
+ '';
+ postfix = ''
+ enabled = true
+ filter = postfix[mode=aggressive]
+ findtime = 600
+ maxretry = 3
+ '';
+ };
+ };
+ };
+}
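Review bot: No `ignoreIP` list is configured while the dovecot jail (line 70) bans after only two failures and `bantime-increment` escalates across all jails (`overalljails = true`, line 60) up to a 72h ceiling, so a single mistyped mailbox password from the operator's own host can lock out administrative access for up to three days. Consider adding `ignoreIP = [ "<trusted-admin-cidr placeholder>" ];` beside `enable = true;` on line 47 so trusted management addresses are exempt from banning, and a short comment on line 70 stating why dovecot uses `maxretry = 2` while the global value on line 48 is 7. The `mode = "0700"` on the persisted state directory is consistent with the root-only operation described by the TODO on line 39 and the commit message; it would help to note in that TODO that `dbfile` (line 54) lives inside this directory, so its ownership and mode must change together if the service is ever moved to a dedicated user.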