Diffstat (limited to 'sys/net')
-rw-r--r--sys/net/default.nix51
-rw-r--r--sys/net/fail2ban.nix31
-rw-r--r--sys/net/interfaces.nix49
3 files changed, 84 insertions, 47 deletions
diff --git a/sys/net/default.nix b/sys/net/default.nix
index 0341440..608806d 100644
--- a/sys/net/default.nix
+++ b/sys/net/default.nix
@@ -1,49 +1,6 @@
-{ lib, config, pkgs, ... }:
-with lib; let
- cfg = config.local.net;
-in
{
- options.local.net = with lib.types; {
- enable = mkEnableOption "networking stack";
-
- hostname = mkOption {
- type = str;
- };
-
- dhcpInterface = mkOption {
- type = nullOr str;
- default = null;
- };
- };
-
- config = mkIf cfg.enable {
- environment.systemPackages = [ pkgs.dhcpcd ];
-
- networking = {
- domain = mkDefault config.local.domains.host.main;
- hostName = cfg.hostname;
-
- useDHCP = false;
- enableIPv6 = true;
- useNetworkd = true;
- useHostResolvConf = false;
-
- wireguard.enable = true;
- };
-
- systemd.network.networks = mkIf (cfg.dhcpInterface != null) {
- "40-${cfg.dhcpInterface}" = {
- matchConfig.Name = cfg.dhcpInterface;
-
- networkConfig = {
- DHCP = "ipv4";
- IPv6AcceptRA = true;
- IPv6PrivacyExtensions = "kernel";
- };
-
- # make routing on this interface a dependency for network-online.target
- linkConfig.RequiredForOnline = "routable";
- };
- };
- };
+ imports = [
+ ./fail2ban.nix
+ ./interfaces.nix
+ ];
}
diff --git a/sys/net/fail2ban.nix b/sys/net/fail2ban.nix
new file mode 100644
index 0000000..6dbacd1
--- /dev/null
+++ b/sys/net/fail2ban.nix
@@ -0,0 +1,31 @@
+{ lib, config, pkgs, ... }:
+with lib; let
+ cfg = config.local.net.fail2ban;
+in
+{
+ options.local.net.fail2ban = {
+ enable = mkEnableOption "fal2ban";
+ };
+
+ config = mkIf cfg.enable {
+ services.fail2ban = {
+ enable = true;
+
+ bantime = "10m";
+
+ bantime-increment = {
+ enable = true;
+
+ maxtime = "48h";
+ rndtime = "10m";
+ overalljails = true;
+ };
+
+ #TODO: No quemar
+ ignoreIP = [
+ "10.34.0.0/16"
+ "167.114.128.142"
+ ];
+ };
+ };
+}
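Review bot: The `ignoreIP` list under `services.fail2ban` hard-codes a private /16 and one public address, so every host that enables this module exempts those sources from all jails. The `#TODO: No quemar` comment above it suggests the author already sees this as temporary. An exempted source is never throttled for repeated failed logins, which matters if the public address is reassigned or the machine behind it is compromised. I would expose the list as a module option that defaults to empty and set it per host, as sketched below. Separately, the enable option's description is misspelled and should read `enable = mkEnableOption "fail2ban";`.

```nix
  options.local.net.fail2ban = {
    enable = mkEnableOption "fail2ban";

    # Sources exempt from every jail; keep this as narrow as possible.
    ignoreIP = mkOption {
      type = with types; listOf str;
      default = [ ];
      description = "Addresses or CIDR ranges that fail2ban never bans.";
    };
  };

  config = mkIf cfg.enable {
    services.fail2ban = {
      # … unchanged: enable, bantime, bantime-increment …
      ignoreIP = cfg.ignoreIP;
```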
diff --git a/sys/net/interfaces.nix b/sys/net/interfaces.nix
new file mode 100644
index 0000000..0341440
--- /dev/null
+++ b/sys/net/interfaces.nix
@@ -0,0 +1,49 @@
+{ lib, config, pkgs, ... }:
+with lib; let
+ cfg = config.local.net;
+in
+{
+ options.local.net = with lib.types; {
+ enable = mkEnableOption "networking stack";
+
+ hostname = mkOption {
+ type = str;
+ };
+
+ dhcpInterface = mkOption {
+ type = nullOr str;
+ default = null;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = [ pkgs.dhcpcd ];
+
+ networking = {
+ domain = mkDefault config.local.domains.host.main;
+ hostName = cfg.hostname;
+
+ useDHCP = false;
+ enableIPv6 = true;
+ useNetworkd = true;
+ useHostResolvConf = false;
+
+ wireguard.enable = true;
+ };
+
+ systemd.network.networks = mkIf (cfg.dhcpInterface != null) {
+ "40-${cfg.dhcpInterface}" = {
+ matchConfig.Name = cfg.dhcpInterface;
+
+ networkConfig = {
+ DHCP = "ipv4";
+ IPv6AcceptRA = true;
+ IPv6PrivacyExtensions = "kernel";
+ };
+
+ # make routing on this interface a dependency for network-online.target
+ linkConfig.RequiredForOnline = "routable";
+ };
+ };
+ };
+}