enable fail2ban instead of sshguard

components/network/default.nix

@@ -11,6 +11,7 @@ with types;
 
   imports = [
     #./avahi.nix
+    ./fail2ban.nix
     ./hosts.nix
     ./nginx.nix
     ./sshd

components/network/fail2ban.nix

@@ -0,0 +1,31 @@
+{ config, lib, pkgs, ... }:
+with lib;
+{
+  options.components.network.fail2ban.enable = mkOption {
+    type = lib.types.bool;
+    default = false;
+  };
+
+  config = mkIf (config.components.network.fail2ban.enable) {
+
+    environment.systemPackages = [ pkgs.fail2ban ];
+
+    services.fail2ban = {
+      enable = true;
+      # https://github.com/fail2ban/fail2ban/blob/master/config/jail.conf
+      jails = {
+        # fixme: can't use, because I changed the nginx log format
+        #nginx-bad-request.settings = {
+        #  port = "http,https";
+        #  logpath = "%(nginx_error_log)s";
+        #};
+        # fixme: can't use, because I changed the nginx log format
+        #nginx-botsearch.settings = {
+        #  port = "http,https";
+        #  logpath = "%(nginx_error_log)s";
+        #};
+      };
+    };
+
+  };
+}

machines/orbi/configuration.nix

@@ -41,6 +41,9 @@
   components.network.nginx.landingpage.enable = false;
   components.network.wifi.enable = false;
 
+  components.network.fail2ban.enable = true; # fixme: not really working at the moment
+  components.network.sshd.sshguard.enable = false;
+
   components.monitor.enable = true;
   networking.firewall.interfaces.wg0.allowedTCPPorts = [ 4317 ];
   networking.firewall.interfaces.wg0.allowedUDPPorts = [ 4317 ];