Diffstat (limited to 'modules/system')
-rw-r--r--modules/system/access/ssh.nix45
-rw-r--r--modules/system/networking/fail2ban.nix16
-rw-r--r--modules/system/networking/firewall.nix17
3 files changed, 46 insertions, 32 deletions
diff --git a/modules/system/access/ssh.nix b/modules/system/access/ssh.nix
index b1fc187..8a2b30d 100644
--- a/modules/system/access/ssh.nix
+++ b/modules/system/access/ssh.nix
@@ -1,26 +1,35 @@
+{ lib, config, ... }:
{
programs.ssh.startAgent = false;
- services.openssh = {
- enable = true;
- ports = [ 22 ];
- openFirewall = false;
+ services = {
+ fail2ban.jails.sshd.settings = {
+ enabled = true;
+ filter = "sshd[mode=aggressive]";
+ port = lib.strings.concatStringsSep "," (map toString config.services.openssh.ports);
+ };
+
+ openssh = {
+ enable = true;
+ ports = [ 22 ];
+ openFirewall = false;
- settings = {
- KexAlgorithms = [
- "curve25519-sha256"
- "diffie-hellman-group16-sha512"
- "diffie-hellman-group18-sha512"
- "diffie-hellman-group-exchange-sha256"
- ];
+ settings = {
+ KexAlgorithms = [
+ "curve25519-sha256"
+ "diffie-hellman-group16-sha512"
+ "diffie-hellman-group18-sha512"
+ "diffie-hellman-group-exchange-sha256"
+ ];
- Macs = [
- ];
+ Macs = [
+ ];
+ };
};
};
}
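Review bot: The `fail2ban.jails.sshd` block moved into this file only takes effect if fail2ban is actually enabled, and the sibling hunk in `modules/system/networking/fail2ban.nix` still sets `services.fail2ban.enable = false;`, so this jail is currently inert; a one-line comment such as `# jail is only active while services.fail2ban.enable is true (see networking/fail2ban.nix)` would stop a reader assuming brute-force protection is live. Likewise `openFirewall = false;` together with the firewall hunk that forces `allowedTCPPorts` to an empty list means port 22 is not reachable through the firewall on untrusted interfaces; if SSH is meant to be reached only over a trusted interface, say so in a comment next to `openFirewall`. The re-added `Macs = [ ];` overrides the module's default MAC list with an empty one — whether NixOS renders that as an empty `Macs` directive or falls back to sshd defaults is not visible here, so it is worth confirming the generated `sshd_config` rather than leaving the intent implicit.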
diff --git a/modules/system/networking/fail2ban.nix b/modules/system/networking/fail2ban.nix
index fa45565..6311b14 100644
--- a/modules/system/networking/fail2ban.nix
+++ b/modules/system/networking/fail2ban.nix
@@ -1,18 +1,20 @@
-{ lib, config, ... }:
+{ pkgs, lib, ... }:
{
services.fail2ban = {
enable = false;
+ banaction = "nftables-multiport";
+ banaction-allports = lib.mkDefault "nftables-allport";
+
+ extraPackages = with pkgs; [
+ nftables
+ ipset
+ ];
ignoreIP = [
"10.0.0.0/8"
"172.16.0.0/12"
+ "100.64.0.0/16"
"192.168.0.0/16"
];
-
- jails.sshd.settings = {
- enabled = true;
- filter = "sshd[mode=aggressive]";
- port = lib.strings.concatStringsSep "," (map toString config.services.openssh.ports);
- };
};
}
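Review bot: The new ignore entry `"100.64.0.0/16"` covers only 100.64.0.0–100.64.255.255; if the intent is the shared-address/CGNAT range used by mesh VPNs, that range is `100.64.0.0/10`, so the mask looks too narrow (or, if a /16 is deliberate, a comment naming which network it is would help). Every ignoreIP entry here exempts whole private ranges from banning, so any host on the LAN can retry indefinitely; that is a reasonable trade-off but deserves a comment stating it. With `enable = false;` unchanged, the new `banaction`, `banaction-allports` and `extraPackages` lines are inert configuration; a short comment explaining why fail2ban is pre-configured but disabled would make the state of the module clear. I could not confirm from this hunk that the `nftables-*` ban actions use `ipset`; if they do not, `ipset` in `extraPackages` may be unneeded.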
diff --git a/modules/system/networking/firewall.nix b/modules/system/networking/firewall.nix
index 569089c..39c5b03 100644
--- a/modules/system/networking/firewall.nix
+++ b/modules/system/networking/firewall.nix
@@ -1,12 +1,15 @@
+{ lib, ... }:
+let
+ inherit (lib) mkForce;
+in
{
networking.firewall = {
enable = true;
- allowedUDPPorts = [ 53 ];
- allowPing = false;
-
- allowedTCPPorts = [
- 80
- 443
- ];
+ allowedUDPPorts = mkForce [ ];
+ allowedTCPPorts = mkForce [ ];
+ allowPing = mkForce false;
+ logReversePathDrops = true;
+ logRefusedConnections = false;
+ checkReversePath = mkForce false;
};
}
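Review bot: `allowedTCPPorts = mkForce [ ];` and `allowedUDPPorts = mkForce [ ];` discard every other module's contribution to those lists, so any service elsewhere in the configuration that sets `openFirewall = true` (or appends ports) will be silently ignored rather than merged; if that lock-down is intentional, a comment such as `# mkForce: deliberately ignore ports opened by other modules; expose services only via trusted interfaces` should accompany it, and note that `fail2ban.nix` uses `mkDefault` while this file uses `mkForce`. `checkReversePath = mkForce false;` disables the reverse-path (anti-spoofing) filter, which is a weakening that should be justified in a comment (e.g. an asymmetric-routing or VPN setup), and as far as I can tell `logReversePathDrops = true;` only produces log rules when reverse-path checking is enabled, so that line appears to have no effect here — verify against the generated firewall rules.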